Data processing addendum

Last updated July 3, 2026

This addendum describes how ParityRail processes personal data on your behalf when you use the service. It is written in plain language and forms part of the agreement between you (the customer) and ParityRail. A countersigned copy is available on request from legal@parityrail.com.

1. Roles

For personal data contained in your Stripe account and application database, you are the data controller and ParityRail is the data processor. ParityRail processes that data only to provide the service and only on your documented instructions, which include the configuration you set (integrations, mappings, rules, and repair approvals).

2. Scope and purpose of processing

ParityRail reconciles what your billing promised against what your app actually grants, and — when you approve a repair — corrects specific access columns. To do this it processes:

  • Billing data read from Stripe: customer identifiers and emails, subscription status, plans/prices, and entitlements.
  • Application data read from your database: the subject rows and access columns named by your mappings (for example plan, premium flag, trial end, and entitlement rows).
  • Account data for your ParityRail users: name, email, and authentication records.

Access to your systems is read-only by default. Writes occur only through a repair you approve, are limited to a single row within a column allowlist derived from your mappings, and are captured with before/after state in the audit log.

3. Duration

ParityRail processes personal data for as long as your workspace is active. State snapshots are retained on a rolling 90-day window; incident and audit records are retained for the life of the workspace so your Access Ledger stays complete. On termination or on request, ParityRail will delete or return the data as described in section 6.

4. Security measures

ParityRail maintains the following technical and organizational measures:

  • Encryption of credentials at rest with AES-256-GCM; TLS for all data in transit.
  • Read-only database access enforced with a SELECT-only role and default_transaction_read_only = on.
  • Strict tenant isolation enforced on every page, action, and API route.
  • A tamper-evident, append-only audit log enforced by database triggers.
  • Role-based access control and SHA-256-hashed, capability-scoped API keys.

A fuller description lives on our trust & security page. ParityRail is not SOC 2 certified at this time; see that page for our current posture and roadmap.

5. Subprocessors

You authorize ParityRail to engage the subprocessors below. We keep the list short and will post material changes here before they take effect.

| Subprocessor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting and serverless compute | United States |
| Managed Postgres host | ParityRail's own database: encrypted credentials, incidents, audit log | United States |
| Resend | Transactional and alert email delivery | United States |

Stripe and your own database are systems you provide and control; they are the sources ParityRail reconciles, not ParityRail subprocessors.

6. Deletion and return

Deleting a project removes its configuration and connected credentials. On termination or written request to legal@parityrail.com, ParityRail will delete or return your workspace data within a reasonable period, except where retention is required by law.

7. Data subject requests & assistance

ParityRail will provide reasonable assistance so you can respond to data subject requests (access, correction, deletion) and meet your own security and breach-notification obligations. Because ParityRail reads from systems you control, most such requests are best fulfilled at the source; we will help where our records are involved.

8. Incident notification

If ParityRail becomes aware of a personal data breach affecting your data, we will notify you without undue delay and share what we know as the investigation proceeds. Report suspected issues to security@parityrail.com.

9. Contact

Questions about this addendum, or a request for a countersigned copy, go to legal@parityrail.com.