Data Processing Agreement

Last updated: May 25, 2026

This DPA applies when Trefly processes personal data on behalf of an EU/EEA/UK customer (the "Controller").

1. Subject matter

Processing of personal data necessary to deliver the Trefly service to the Controller.

2. Categories of data subjects

The Controller's end users (where applicable), business contact information, and any personal data the Controller enters into the service.

3. Sub-processors

Supabase, Vercel, Stripe, Resend, Anthropic, Replicate. Current list maintained at trefly.io/sub-processors.

4. Security

Encryption at rest and in transit, access controls, regular reviews. Incident notification within 72 hours of detection.

5. Data transfers

Standard Contractual Clauses apply to transfers outside the EEA.

6. Term

This DPA remains in effect for the duration of the Controller's subscription.

7. Contact

hello@trefly.io

Placeholder content. This document is awaiting legal review. Do not rely on it for compliance until reviewed.

Data Processing Agreement · Trefly