Data Processing Addendum
Updated 2026-05-08
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Redline (“Processor”) and the customer (“Controller”) when the customer’s use of Redline involves the processing of personal data subject to GDPR, UK GDPR, or equivalent privacy laws.
1. Subject matter + duration
Redline processes personal data on behalf of the Controller solely to provide the Service: design-review hosting, comment intake, bug-tracking, and the integrations the Controller explicitly enables. Processing lasts for the duration of the active subscription plus the retention windows in §6.
2. Categories of data + subjects
- Account holders (the Controller’s team): name, email, IP address, session metadata, audit-log entries.
- External reviewers: the name + email they supply at comment time on a public share link, plus comment bodies and pin coordinates.
- Reviewable content: URLs, snapshots, uploaded files. Treated as the Controller’s confidential material.
3. Sub-processors
Redline engages the following sub-processors. Each is bound by data-protection commitments at least as strict as this DPA. We’ll publish 30 days’ advance notice on this page before adding or replacing any of them.
- Hetzner Online GmbH — hosting infrastructure (Falkenstein, Germany).
- Cloudflare, Inc. — DNS + TLS termination.
- Resend, Inc. — outbound transactional email.
- Anthropic, PBC — invoked only when a member clicks the ✦ Digest action.
- Swipe — payment processing for paid plans (no personal data beyond billing identity reaches Redline).
4. Technical + organizational measures
The measures inventoried at /security apply, including:
- Encryption in transit (TLS 1.2+) for every public surface; encryption at rest at the storage layer.
- Tenant isolation via mandatory studio_id scoping on every authenticated query.
- Magic-link auth — no stored passwords. Session cookies signed, Secure, HttpOnly, SameSite=Lax.
- Audit log of every mutation with actor + timestamp; exportable on request.
- Nightly backups; weekly off-host copy.
5. Data subject rights
The Controller is responsible for responding to data-subject requests. Redline assists by providing access, rectification, deletion, and portability primitives in-product (studio export at /api/studio/export, account deletion from /settings). For requests Redline cannot fulfil through the product, email dpa@theredline.app.
6. Retention + deletion
- Active studio data: kept while the subscription is active.
- Operational logs: 30 days.
- Email + payment records: 7 years for tax / legal compliance.
- Studio deletion cascades to reviewables, comments, snapshots, share-links, and bugs. Soft-delete grace is 30 days for accidental-deletion recovery.
7. Cross-border transfers
Personal data is hosted in the EU (Hetzner Falkenstein). Sub-processors based outside the EU operate under Standard Contractual Clauses or equivalent transfer mechanisms.
8. Incident notification
Redline notifies the Controller of a personal-data breach affecting the Controller’s data without undue delay, and in any event within 72 hours of becoming aware of it. Reach security@theredline.app for incident questions.
9. Acceptance
Use of Redline by the Controller after the date of last update constitutes acceptance of this DPA. Customers needing a counter-signed copy can email dpa@theredline.app with their legal-entity details.