Data Processing Agreement
Effective date: March 22, 2026. Last updated: March 22, 2026.
This Data Processing Agreement ("DPA") is between Steel Motion LLC, operating as Styrby ("Processor", "we", "us"), and the entity subscribing to our Service ("Controller", "you"), together the "Parties".
This DPA governs the processing of personal data by Styrby when providing services to Controller under the Terms of Service. It supplements, and does not replace, the Terms of Service and Privacy Policy.
Zero-knowledge note: The content of AI agent sessions (prompts, code, responses) is end-to-end encrypted using TweetNaCl public-key authenticated encryption. Styrby relays encrypted ciphertext and cannot access plaintext session content. The personal data Styrby actually processes is limited to metadata: account information, session metadata, token counts, cost records, and audit logs.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" means the EU General Data Protection Regulation (GDPR 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection legislation in force.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by Processor to process Personal Data in connection with providing the Service.
- "Data Subject" means an individual whose Personal Data is processed under this DPA.
2. Scope of Processing
Processor processes Personal Data only as necessary to provide the Styrby platform services. Processing activities include:
- Authenticating team members and managing user accounts
- Relaying AI agent session messages between CLI instances and mobile/web clients (as encrypted ciphertext only; Processor cannot read plaintext content)
- Tracking and displaying token usage and associated costs
- Delivering push notifications and transactional email communications
- Maintaining audit logs for security monitoring and compliance
Categories of Data Subjects
Team members and authorized users of Controller's Styrby account.
Categories of Personal Data
The following categories of personal data are processed. Session message content is excluded because Processor cannot access it.
- Email addresses and display names
- Authentication provider data (GitHub OAuth profile data, where used)
- Device identifiers and push notification tokens
- IP addresses (captured in server logs and audit logs)
- Session metadata: agent type, session start/end times, status, and any labels or summaries created by the user
- Token usage counts and calculated cost records
- Encrypted session message ciphertext: stored and relayed by Processor. Processor cannot decrypt or access this content.
Duration of Processing
Processor processes Personal Data for the duration of Controller's active subscription. Upon termination, data is deleted per Section 8 of this DPA.
3. Processor Obligations
Processor shall:
- Process Personal Data only as necessary to provide the Service, as described in this DPA, or as required by applicable law
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organizational security measures, including:
  - End-to-end encryption of session messages (TweetNaCl public-key authenticated encryption; zero-knowledge architecture)
  - Encryption at rest (AES-256) and in transit (TLS 1.2+)
  - Row Level Security on all database tables
  - Rate limiting and input validation on all API endpoints
  - Audit logging of security-relevant events (login, machine pairing, data export, API key operations)
- Provide reasonable assistance to Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction)
- Notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller's data
- Upon termination, delete or return Personal Data as described in Section 8
- Upon reasonable written request, make available information necessary to demonstrate compliance with this DPA
4. Sub-processors
Controller provides general authorization for Processor to engage the sub-processors listed below. Processor will notify Controller of any intended changes (additions or replacements) to this list with reasonable advance notice. Controller may object to a new sub-processor on reasonable data protection grounds by contacting support@styrby.dev; if the parties cannot resolve the objection, Controller may terminate the Service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, real-time infrastructure | United States |
| Vercel | Web application hosting and serverless compute | United States |
| Polar | Payment processing and subscription management | European Union |
| Resend | Transactional email delivery | United States |
| Expo | Push notification delivery (mobile app) | United States |
5. Data Subject Rights
Processor provides self-service tools for the following Data Subject rights:
- Right to access and portability: Data export (JSON) is available at Dashboard, Settings, Export Data.
- Right to rectification: Profile editing is available at Dashboard, Settings.
- Right to erasure: Account deletion is available at Dashboard, Settings, Delete Account. Personal data is permanently deleted within 30 days of the deletion request.
- Right to restrict processing: Contact support@styrby.dev. We will respond within 30 days.
Where Data Subjects contact Processor directly with rights requests that should be handled by Controller, Processor will forward the request to Controller promptly.
6. Data Breach Notification
In the event of a confirmed Personal Data breach, Processor shall:
- Notify Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Include in the notification: the nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate volume of records affected, likely consequences of the breach, and measures taken or proposed to address it
- Cooperate with Controller in fulfilling Controller's obligations to notify supervisory authorities and affected Data Subjects
Send breach notifications to: support@styrby.dev (subject line: "Data Breach Notification"). For urgent security matters, also email security@styrby.dev.
7. International Data Transfers
Personal Data is primarily processed in the United States by Processor and its sub-processors. For transfers from the EU/EEA or UK to the United States, Processor relies on:
- EU-US Data Privacy Framework certification of sub-processors where available (Vercel and Supabase are certified)
- Standard Contractual Clauses (SCCs) as approved by the European Commission, for transfers where the Data Privacy Framework does not apply
Polar, our payment processor, is incorporated in the European Union. Payment data processed by Polar does not leave the EU.
8. Term and Termination
This DPA remains in force for the duration of Controller's use of the Service. Upon termination of the Service:
- Controller may export all data via the self-service export tool before account deletion is finalized
- Processor shall delete Controller's Personal Data within 30 days of account deletion, except where retention is required by applicable law (for example, financial records required for tax compliance)
- Audit logs are retained for up to 90 days after account deletion for security investigation purposes, then permanently deleted
- Upon written request, Processor will provide written confirmation that deletion is complete
9. Contact
For questions about this DPA, data rights requests, or to execute a signed DPA for enterprise compliance purposes:
Steel Motion LLC
Email: support@styrby.dev
To request a countersigned copy of this DPA for your compliance records, contact us at the address above.