Data Processing Addendum
Effective date: Feb 6 2026. This Data Processing Addendum ("DPA") applies when Obscura Document Redaction processes personal data on behalf of a Customer under the Terms of Service.
1. Parties
2. Processing details
- Subject matter: customer documents and associated metadata used for redaction.
- Duration: for the term of the service and for any retention period configured by the Customer.
- Nature and purpose: to provide document redaction, export, and related features.
- Categories of data: documents, images, text, metadata, account identifiers.
- Data subjects: customer employees, clients, and other individuals whose data is included in documents.
- AI/ML: Obscura does not use customer content to train AI or machine-learning models.
3. Processor obligations
- Process personal data only on documented instructions from the Customer.
- Ensure personnel are subject to confidentiality obligations.
- Implement appropriate technical and organizational safeguards.
- Assist the Customer with data subject requests where feasible.
4. Security measures
Obscura maintains reasonable safeguards designed to protect personal data in transit and at rest. A summary of measures is described in Appendix A.
5. Sub-processors
Obscura uses the following sub-processors:
- Netcup GmbH (hosting only; Manassas, VA data center).
- Amazon AWS SES (email delivery).
- Backblaze E2 (backup storage; US East).
- Stripe (payments; name and address for verification).
A current sub-processor list is available upon request.
Obscura will provide at least 30 days advance written notice of any material addition or replacement of sub-processors. Customers may object in writing during that notice period. If Obscura cannot reasonably accommodate the objection, either party may terminate the affected Services before the new sub-processor begins processing Customer Data, with a pro-rated refund of prepaid fees for any unused prepaid term.
6. International transfers
Data is stored and processed in the United States (Manassas, Virginia). If the Customer or its users access the Service from outside the United States, data will be transferred to and processed in the United States.
Standard Contractual Clauses (SCCs) are available upon request for EU/UK transfers.
7. Breach notification
Obscura will notify the Customer without undue delay after becoming aware of a personal data breach, and will provide information reasonably necessary for the Customer to meet its notification obligations.
8. Deletion and return
Upon termination, Obscura will delete or anonymize Customer Data within 30 days of account termination, unless retention is required by applicable law or configured by the Customer. Obscura will confirm completion of deletion in writing upon request.
Backup retention: backups are retained for 12 months by default. Longer retention is available by request.
9. Audits
Upon reasonable notice, the Customer may audit Obscura's compliance with this DPA. Audits are limited to once per year and must not unreasonably interfere with operations.
10. Contact
To execute this DPA or request sub-processor information, contact support@useobscura.com.
Appendix A: Security measures (summary)
- Access controls for production systems and least-privilege permissions.
- Encryption in transit (TLS) and at rest (application-level for uploaded files, plus infrastructure-level where supported).
- Logical isolation of customer data by account identifiers.
- Monitoring and logging for availability and security events.
- Backups and recovery processes to restore service availability.