Legal
Data Processing Agreement
Last updated: 2026-04-25
This DPA supplements the terms of service for clients operating under GDPR, UK GDPR, CCPA, or equivalent regulations. It describes the roles, sub-processors, and security measures involved when we handle personal data on your behalf during a build.
Roles
For data your end users submit through the product we build, you are the data controller and we act as a data processor only during the build itself. After Friday, all infrastructure is in your name and you are the sole processor of production data.
Sub-processors
- Cloudflare (hosting, DNS)
- Anthropic / OpenAI (only if AI features are scoped in)
- Stripe (payments)
- Resend (email)
- Sentry (error tracking)
- PostHog (analytics)
Security
- HTTPS-only with HSTS preload.
- Strict CSP, X-Frame-Options DENY, and full security-headers suite.
- Secrets stored encrypted at rest in Cloudflare environment variables.
- No production data on developer laptops; we use seed data only.
- Code reviews on every meaningful change.
Data subject rights
We assist you in responding to data subject requests (access, deletion, portability) for any data we’ve handled. Contact hello@i2launch.com.
Breach notification
If we become aware of a security incident affecting your data, we notify you within 24 hours.
Sign and return
Need a countersigned PDF version? Email hello@i2launch.com.