Data Processing Agreement

Last updated July 2026

This summary describes how Skalpel processes personal data on your behalf. A full DPA is available for customers on request.

Roles

You are the data controller. Skalpel acts as your data processor and processes personal data only on your documented instructions.

Scope of processing

Skalpel processes usage metadata to meter, attribute, and reconcile AI spend. Prompt and response content is processed only if you enable the consent-gated content archive.

Subprocessors

Skalpel uses AWS for hosting, storage, and key management (KMS). A current list of subprocessors is available on request, and we give notice of material changes.

Security measures

Row-level-security tenant isolation, encryption in transit and at rest, KMS-custodied keys, least-privilege access, and audit logging.

International transfers

Where personal data is transferred across borders, Skalpel relies on Standard Contractual Clauses and equivalent safeguards.

Data subject rights

Skalpel supports access, export, and erasure requests, including Article 17 deletion propagated across analytical archives.

Term and deletion

On termination, Skalpel deletes or returns personal data in line with your instructions and applicable law.

Contact

For a signed DPA or questions, email [email protected].