Data Processing Addendum
Last updated: July 4, 2026
This Data Processing Addendum ("DPA") forms part of the SupaClone Terms of Service between the customer ("Customer") and Denvo LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States ("Denvo"). It applies whenever Denvo processes personal data on behalf of the Customer through connected Supabase projects, clone jobs, reports, and related support workflows.
This DPA reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and applies automatically to all customers through their use of the service; no signature is required. In case of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.
1. Roles and scope
The Customer is the controller for personal data contained in connected Supabase projects and in data selected for cloning. Denvo acts as processor when it processes that data to provide the service, and only on the Customer's documented instructions.
Denvo acts as an independent controller for account administration, billing, security, product operations, and legal compliance data relating to the Customer's own users of SupaClone. That processing is described in the Privacy Policy, not this DPA.
2. Subject matter, duration, nature and purpose
Subject matter: cloning of user-managed Supabase project structure, selected data, Storage assets, and Edge Function configuration from a Customer-controlled source project into a Customer-designated target project, including verification reports and support.
Duration: for the term of the Customer's use of SupaClone, until account deletion or termination, plus any period required by law. Nature and purpose: reading project metadata and selected content via the Supabase Management API and database connections authorized by the Customer, executing clone jobs, and generating reports and warnings for the Customer's review.
3. Categories of data subjects and personal data
Data subjects: end users and other individuals whose personal data the Customer stores in its connected Supabase projects. The categories of personal data are determined by the Customer and may include any data stored in the selected schemas, tables, and Storage objects.
Processed data may include Supabase project metadata, selected database schema metadata, table data selected for cloning where data clone modes are enabled, Storage bucket and file metadata/content where enabled, Edge Function code where enabled, clone reports, warnings, logs, and encrypted database credentials provided by the Customer.
SupaClone intentionally excludes Supabase-managed auth data (such as end-user accounts and sessions of the source project) and secret values from clone output. Customers should avoid selecting special categories of data (Art. 9 GDPR) for cloning unless they have a lawful basis and appropriate safeguards.
4. Processing instructions
Denvo processes Customer data only on documented instructions, including project connection, credential handling, clone job execution, report generation, support, security, abuse prevention, and account deletion. Instructions are given through product settings, clone configuration, support requests, this DPA, the Terms of Service, and any written agreement signed by both parties.
Denvo will inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law, and may suspend execution of that instruction until it is confirmed or changed. Denvo may process data where required by applicable law; in that case Denvo will inform the Customer before processing unless the law prohibits it.
5. Confidentiality
Denvo restricts access to Customer data to personnel and systems that need it to operate, secure, support, or improve the service. All personnel authorized to process Customer data are bound by contractual or statutory confidentiality obligations that survive the end of their engagement.
6. Security (Art. 32 GDPR)
Taking into account the state of the art and the risks of the processing, Denvo implements appropriate technical and organizational measures, including: HTTPS/TLS encryption in transit; TLS certificate verification for connections to Customer databases by default; AES-256-GCM encryption at rest for stored integration secrets (OAuth tokens and database connection strings) with support for key rotation; server-side authorization checks; Supabase row level security; service-role access only in trusted server contexts; scoped worker processing; and audited account deletion flows.
Denvo may update these measures over time provided the overall level of protection is not reduced.
7. Subprocessors
The Customer grants Denvo general authorization to engage the subprocessors listed below to provide hosting, authentication, database storage, billing, monitoring, and project connection workflows. Denvo imposes data protection obligations on subprocessors consistent with this DPA and remains liable for their performance.
| Provider | Purpose | Data | Role | Location |
|---|---|---|---|---|
| Vercel | Hosting for the public website and Next.js web application. | HTTP requests, IP addresses, headers, logs, and deployment metadata. | Subprocessor / hosting provider | United States / global infrastructure |
| Supabase | Authentication, application database, row level security, Supabase OAuth integration, and connected project management workflows. | Account data, organization data, sessions, connected project metadata, encrypted integration credentials, clone jobs, reports, and billing state stored by SupaClone. | Subprocessor / application backend | East US (us-east-1) |
| Stripe | Checkout, subscriptions, customer portal, invoices, taxes, fraud prevention, and payment lifecycle webhooks. | Customer identifiers, email address where provided, billing metadata, subscription status, invoices, payment events, and payment method data handled by Stripe. | Independent controller for payments and subprocessor for billing operations | United States / global infrastructure |
| GitHub | OAuth sign-in for SupaClone accounts. | GitHub account identity data made available during authentication, such as user id, email address, name, avatar, and OAuth session metadata. | Independent controller / authentication provider | United States / global infrastructure |
| Supabase Management API | Project connection, project metadata reads, and selected project configuration clone workflows authorized by the customer. | Supabase project references, OAuth tokens, project metadata, selected configuration fields, Storage metadata, Edge Function metadata, and clone-operation responses. | External service controlled by the customer's Supabase account | Region depends on the connected Supabase organization and project |
| Sentry | Application error tracking and performance monitoring to detect, diagnose, and fix failures in the web application and clone workers. | Error and crash reports, stack traces, request metadata, IP address, browser and device information, and pseudonymous user identifiers included in error context. | Subprocessor / error monitoring provider | European Union (EU) |
| Google Analytics (Google LLC) | Usage analytics for the public website and application, loaded only after you give consent through the cookie settings. | Cookie identifiers, pseudonymous client id, truncated IP address, device and browser information, pages visited, and interaction events. | Subprocessor / analytics provider (consent-based) | United States / global infrastructure |
| Snaplet Snapshot / Copycat | Local worker tooling used only when structure + data clone modes are enabled, including anonymized data transforms. | Selected database schema metadata and selected table data during worker execution, only while a data clone mode is enabled. Data is processed inside the SupaClone worker environment and is not sent to Snaplet. | Software dependency used inside SupaClone worker | Worker deployment region |
Denvo will inform the Customer of intended additions or replacements of subprocessors at least 10 days in advance by updating this page and, for material changes, by in-app or email notice. The Customer may object on reasonable data protection grounds; if no solution is found, the Customer may terminate the affected service and delete the account.
8. Assistance and data subject requests
Taking into account the nature of the processing, Denvo will assist the Customer with appropriate technical and organizational measures in fulfilling the Customer's obligations to respond to data subject requests (Art. 12-23 GDPR), and with the Customer's obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), where the request relates to data processed by Denvo and cannot be handled directly by the Customer.
If a data subject contacts Denvo directly about data processed on behalf of the Customer, Denvo will forward the request to the Customer without undue delay and will not respond on the merits without the Customer's instruction, unless legally required.
9. Personal data breach notification
Denvo will notify the Customer without undue delay, and no later than 72 hours after becoming aware, of a personal data breach affecting Customer data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and data subjects concerned, likely consequences, and measures taken or proposed. Denvo will cooperate with the Customer in investigating and remediating the breach.
10. Deletion and return
Clone output is written directly into the Customer-designated target project and remains under the Customer's control at all times. On account deletion, Denvo cancels in-flight clone jobs and deletes the organization's SupaClone records, including encrypted credentials, connected project metadata, clone jobs, and reports, followed by deletion of the auth user.
After the end of the services, Denvo will delete remaining Customer data unless applicable law requires storage; payment providers may retain payment records where legally required.
11. Audits and information
Denvo will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, including summaries of security measures and relevant provider certifications. Where this is insufficient, Denvo will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, at reasonable intervals, with reasonable prior written notice, during business hours, without disrupting operations, and subject to confidentiality. The Customer bears the costs of such audits unless they reveal material non-compliance.
12. International transfers
Because Denvo is located in the United States, processing of Customer data involves a transfer of personal data from the EU/EEA, the United Kingdom, or Switzerland to the United States. For these transfers, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (controller to processor), with the Customer as data exporter and Denvo as data importer, including the UK International Data Transfer Addendum and the Swiss adaptations where applicable. Sections 2, 3, 6, and 7 of this DPA serve as the annexes describing the processing, data categories, security measures, and subprocessors.
Where a subprocessor is certified under the EU-U.S. Data Privacy Framework, transfers to that subprocessor may instead rely on the corresponding adequacy decision.
13. Governing law and contact
This DPA is governed by the laws of the State of New Mexico, USA, except where mandatory data protection law of the Customer's jurisdiction applies, including the Standard Contractual Clauses, which are governed as set out in the clauses themselves.
For DPA or data processing questions, contact: legal@supaclone.io.