Data Processing Agreement
Last updated: April 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SwiftIn ("Processor", "we") and the customer ("Controller", "you") who subscribes to the SwiftIn Team plan.
This DPA applies where and only to the extent that SwiftIn processes personal data on behalf of the Controller in the course of providing the Service, and such personal data is subject to data protection laws of the European Union, the European Economic Area, the United Kingdom, or Switzerland (collectively, "Applicable Data Protection Law").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by SwiftIn on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by SwiftIn to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
SwiftIn processes the following categories of Personal Data on behalf of Team plan Controllers:
| Data Category | Purpose | Retention |
|---|---|---|
| Team member email addresses | Account management, team invitations | Until account deletion or team removal |
| Translation text (source & result) | Providing translation service; server-side history if enabled by team owner | Immediately discarded after delivery; history: 180 days if enabled |
| Usage data (character counts) | Billing, quota enforcement, per-member tracking | Current + 1 prior billing period |
| Team member names (optional) | Display in team management UI | Until account deletion or team removal |
3. Obligations of the Processor
SwiftIn shall:
- a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law.
- b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- c) Implement appropriate technical and organizational security measures, including: encryption in transit (TLS), encryption at rest, access controls, regular security audits, and incident response procedures.
- d) Not engage another processor (sub-processor) without prior written authorization of the Controller. The current list of sub-processors is provided in Section 5.
- e) Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within 30 days.
- f) Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
- g) Delete or return all Personal Data to the Controller at the end of the provision of services, and delete existing copies unless storage is required by law. Account data is deleted within 30 days of account deletion.
- h) Not use Personal Data for any purpose other than providing the Service, including: no training of AI models on user data, no selling or sharing of data with third parties, no profiling or automated decision-making.
4. Obligations of the Controller
The Controller shall:
- a) Ensure that it has a lawful basis for processing Personal Data and for instructing SwiftIn to process such data.
- b) Inform team members about the processing of their data in connection with the Service and obtain any necessary consents.
- c) Not submit sensitive or special category data (health, biometric, political opinions, etc.) to the Service unless explicitly agreed in writing.
5. Sub-processors
The Controller authorizes SwiftIn to engage the following sub-processors. SwiftIn will notify the Controller at least 30 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | United States |
| Google AI (Gemini API) | Machine translation, text-to-speech | United States |
| Paddle | Payment processing | United Kingdom |
| Resend | Transactional email delivery | Ireland (EU) |
| NOWPayments | Cryptocurrency payment processing | Netherlands / Seychelles |
| PostHog | Product analytics (consent-based) | European Union |
6. International Data Transfers
Where Personal Data is transferred outside the EEA/UK to sub-processors in the United States, such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) or equivalent safeguards. The Controller may request copies of the relevant transfer mechanisms by contacting legal@swiftin.dev.
7. Technical and Organizational Security Measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest (Supabase).
- Authentication: JWT tokens with short expiry, bcrypt password hashing (cost factor 12), optional TOTP two-factor authentication.
- Access control: Row-Level Security (RLS) on all database tables. Service role keys stored server-side only.
- Input validation: Zod schema validation on all API inputs. Rate limiting on all endpoints.
- Monitoring: Structured logging (Pino), abuse detection middleware, suspicious login alerts.
- Data minimization: Translation text discarded immediately after delivery unless server-side history is explicitly enabled by the team owner.
8. Data Breach Notification
In the event of a personal data breach, SwiftIn will notify the Controller within 72 hours of becoming aware of it, providing: (a) the nature of the breach, (b) the categories and approximate number of data subjects affected, (c) the likely consequences, and (d) the measures taken or proposed to mitigate the breach. SwiftIn will cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation.
9. Term and Termination
This DPA is effective from the date the Controller subscribes to the Team plan and remains in effect as long as SwiftIn processes Personal Data on behalf of the Controller.
Upon termination, SwiftIn will delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a data export before termination via legal@swiftin.dev.
10. Governing Law
This DPA shall be governed by the same law that governs the Terms of Service. Where the Controller is established in the EEA or UK, this DPA shall be governed by the laws of the Controller's country of establishment to the extent required by Applicable Data Protection Law.
Contact
SwiftIn
Privacy & Data Protection: legal@swiftin.dev
General Support: support@swiftin.dev
Jurisdiction: Georgia (country)