GraphVision Logo

GraphVision

Legal

Data Processing Agreement (DPA)

Last updated: December 17, 2025

This DPA applies when GraphVision processes personal data on behalf of the customer.

1. Definitions

Data Controller: Customer

Data Processor: GraphVision AI

Personal Data: As defined in GDPR

Tenant-Level Encryption: A security architecture where unique cryptographic keys are generated and assigned to each specific user (tenant) to isolate their data at rest.

2. Roles

Customer acts as Data Controller.

GraphVision acts as Data Processor.

3. Processor Obligations

GraphVision agrees to:

  • Process data only according to controller instructions
  • Protect data with appropriate security measures, including encryption
  • Maintain confidentiality of staff
  • Assist with GDPR rights (access, deletion, export)
  • Notify the controller of data breaches without undue delay
  • Delete or return data after the contract ends

4. Scientific Manuscripts & Encryption Architecture

Ephemeral Processing: By default, input text is processed in ephemeral memory and is not written to persistent storage in plaintext.

Encryption-at-Rest: When project data is stored, GraphVision utilizes Tenant-Level Encryption:

  • Data is encrypted server-side using a unique key generated specifically for the Data Controller (User) before being written to the database.
  • This unique key is further encrypted using a master security key.
  • This ensures cryptographic isolation between different customers.

Crypto-Shredding: Upon termination of the service or account deletion, the unique encryption key associated with the Data Controller is destroyed, rendering the stored manuscripts technically and permanently unrecoverable.

5. Sub-processors

GraphVision uses the following GDPR-compliant processors:

  • Supabase: Database hosting
  • Vercel: Application hosting
  • Cloudflare: Storage
  • Stripe: Payment processing
  • Google OAuth: Authentication services
  • Google Gemini: AI generation and semantic analysis (Data is transmitted via TLS and processed according to Google Cloud Data Privacy terms).

6. Data Transfers

No transfers occur outside the EU unless adequate safeguards (such as Standard Contractual Clauses) exist.

7. Duration

This DPA remains valid for the duration of the service.