Legal
Data processing addendum
Last updated July 3, 2026
This addendum describes how ParityRail processes personal data on your behalf when you use the service. It is written in plain language and forms part of the agreement between you (the customer) and ParityRail. A countersigned copy is available on request from legal@parityrail.com.
1. Roles
For personal data contained in your Stripe account and application database, you are the data controller and ParityRail is the data processor. ParityRail processes that data only to provide the service and only on your documented instructions — which includes the configuration you set (integrations, mappings, rules, and repair approvals).
2. Scope and purpose of processing
ParityRail reconciles what your billing promised against what your app actually grants, and — when you approve a repair — corrects specific access columns. To do this it processes:
- Billing data read from Stripe: customer identifiers and emails, subscription status, plans/prices, and entitlements.
- Application data read from your database: the subject rows and access columns named by your mappings (for example plan, premium flag, trial end, and entitlement rows).
- Account data for your ParityRail users: name, email, and authentication records.
Access to your systems is read-only by default. Writes occur only through a repair you approve, are limited to a single row within a column allowlist derived from your mappings, and are captured with before/after state in the audit log.
3. Duration
ParityRail processes personal data for as long as your workspace is active. State snapshots are retained on a rolling 90-day window; incident and audit records are retained for the life of the workspace so your Access Ledger stays complete. On termination or on request, ParityRail will delete or return the data as described in section 6.
4. Security measures
ParityRail maintains the following technical and organizational measures:
- Encryption of credentials at rest with AES-256-GCM; TLS for all data in transit.
- Read-only database access enforced with a SELECT-only role and default_transaction_read_only = on.
- Strict tenant isolation enforced on every page, action, and API route.
- A tamper-evident, append-only audit log enforced by database triggers.
- Role-based access control and SHA-256-hashed, capability-scoped API keys.
A fuller description lives on our trust & security page. ParityRail is not SOC 2 certified at this time; see that page for our current posture and roadmap.
5. Subprocessors
You authorize ParityRail to engage the subprocessors below. We keep the list short and will post material changes here before they take effect.
| Subprocessor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting and serverless compute | United States |
| Managed Postgres host | ParityRail's own database — encrypted credentials, incidents, audit log | United States |
| Resend | Transactional and alert email delivery | United States |
Stripe and your own database are systems you provide and control; they are the sources ParityRail reconciles, not ParityRail subprocessors.
6. Deletion and return
Deleting a project removes its configuration and connected credentials. On termination or written request to legal@parityrail.com, ParityRail will delete or return your workspace data within a reasonable period, except where retention is required by law.
7. Data subject requests & assistance
ParityRail will provide reasonable assistance so you can respond to data subject requests (access, correction, deletion) and meet your own security and breach-notification obligations. Because ParityRail reads from systems you control, most such requests are best fulfilled at the source; we will help where our records are involved.
8. Incident notification
If ParityRail becomes aware of a personal data breach affecting your data, we will notify you without undue delay and share what we know as the investigation proceeds. Report suspected issues to security@parityrail.com.
9. Contact
Questions about this addendum, or a request for a countersigned copy, go to legal@parityrail.com.