← Back to home

Data Processing Agreement

Last updated: March 28, 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and CanaryGuard ("Processor", "we", "us") for the provision of canary token services via the CanaryGuard platform at canaryguard.app.

The Controller determines the purposes and means of processing personal data through their use of the CanaryGuard platform. The Processor processes personal data on behalf of the Controller in accordance with the Controller's instructions and applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Scope of Processing

The Processor processes personal data solely for the purpose of providing the CanaryGuard services, which includes:

  • Account management: processing user account data for authentication, authorization, and service delivery.
  • Token management: storing and managing canary token metadata, configurations, and deployment records.
  • Alert processing: receiving, processing, and delivering alert notifications when canary tokens are triggered, including enrichment with IP geolocation data.
  • Payment processing: facilitating Bitcoin/Lightning payments via BTCPay Server and maintaining transaction records.
  • Alert channel delivery: transmitting alert data to Controller-configured channels (Slack, Discord, custom webhooks).
  • API services: processing API requests authenticated with the Controller's API keys.

3. Categories of Data

3.1 Account Data

  • Email address and display name.
  • Hashed authentication credentials.
  • Account preferences and configuration settings.
  • API key metadata (key prefix and creation date; full keys are hashed).
  • Team membership data: user roles, invitation email addresses, invitation status and timestamps.
  • Plan and subscription information.

3.2 Token Metadata

  • Token type, name, memo, and configuration.
  • Token creation and expiration timestamps.
  • Token status (active, expired, deleted).
  • Callback URLs and associated domain records.

3.3 Alert Data

  • IP addresses of third parties who trigger canary tokens.
  • Approximate geolocation data derived from IP addresses (city, region, country, coordinates).
  • HTTP user agent strings and request headers.
  • Timestamps of token trigger events.
  • DNS query metadata for DNS-type tokens.
Note: Alert data may contain personal data of third parties (the individuals who trigger canary tokens). The Controller is responsible for ensuring a lawful basis exists for processing this data and for fulfilling any data subject rights requests related to it.

3.4 Payment Records

  • Bitcoin/Lightning transaction identifiers.
  • Payment amounts, timestamps, and plan associations.
  • BTCPay Server invoice references.

4. Processing Locations

Personal data is processed and stored in the following locations and infrastructure:

  • Supabase Cloud (US): primary database storage, authentication, and row-level security.
  • Railway (US): application hosting and API servers.
  • Hetzner (EU, Germany): callback server infrastructure (svccdns.com), DNS processing, and self-hosted BTCPay Server.
Note: Account data and token metadata are stored in the US (Supabase, Railway). Callback processing and payment infrastructure are hosted in the EU (Hetzner, Germany). Alert data originates at the EU-hosted callback server and is persisted to the US-hosted database.

5. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors for the provision of the services. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor.

Sub-ProcessorPurposeLocation
SupabaseDatabase hosting, authentication, storageUS / EU
RailwayApplication hosting and computeUS
HetznerEU infrastructure and DNS callback serversEU (Germany, Finland)
ResendTransactional email deliveryUS
BTCPay ServerBitcoin/Lightning payment processingSelf-hosted (EU)
ip-api.comIP geolocation enrichment for alert dataUS / EU

6. Security Measures

The Processor implements the following technical and organizational measures to protect personal data:

6.1 Encryption

  • Encryption at rest provided by our database provider (Supabase) for all stored data.
  • Encryption in transit via TLS 1.2+ (HTTPS) for all client-server and server-server communications.
  • API keys are cryptographically hashed (SHA-256) before storage. Authentication credentials are securely hashed by our authentication provider.

6.2 Access Controls

  • Row-level security (RLS) enforced at the database layer, ensuring users can only access their own data.
  • API key authentication with unique per-user keys (cg_live_ prefix format).
  • Role-based access controls for internal administrative operations.

6.3 Infrastructure Security

  • HTTPS enforced on all endpoints with no exceptions.
  • Webhook payloads signed with HMAC-SHA256 for integrity verification.
  • Regular security updates and patching of all infrastructure components.
  • Logical data isolation between customers enforced via row-level security policies at the database layer.

7. Data Subject Rights

The Processor will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including:

  • Right of access: providing copies of personal data processed on behalf of the Controller.
  • Right to rectification: correcting inaccurate personal data upon the Controller's instruction.
  • Right to erasure: deleting personal data upon the Controller's verified request.
  • Right to restriction of processing: restricting processing activities as instructed.
  • Right to data portability: providing personal data in a structured, commonly used, machine-readable format (JSON).
  • Right to object: ceasing processing activities upon the Controller's instruction where applicable.

The Processor will respond to Controller assistance requests within 10 business days. Data subject requests received directly by the Processor will be forwarded to the Controller without undue delay.

8. Data Breach Notification

In the event of a personal data breach, the Processor will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to fulfill any breach notification obligations to supervisory authorities and data subjects.
  • Include in the notification: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller's investigation and remediation efforts.
  • Document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification to a supervisory authority is required.

9. Data Retention and Deletion

Upon termination or expiration of the service agreement:

  • The Controller may request export of all personal data in JSON format via the API or by contacting support.
  • The Processor will delete all personal data within 30 days of contract termination, unless retention is required by applicable law.
  • Active canary tokens will be deactivated immediately upon account termination.
  • Alert data, token metadata, and account information will be permanently deleted from all primary storage and backups within the 30-day retention period.
  • Payment records may be retained for up to 7 years where required by tax or financial regulations.
Data export: Controllers can export their data at any time via the REST API v1 (GET /api/v1/tokens and GET /api/v1/alerts) or by contacting support@canaryguard.app.

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted no more than once per calendar year, with at least 30 days' written notice.
  • Audits must be conducted during normal business hours and must not unreasonably interfere with the Processor's operations.
  • The Controller may appoint a qualified independent third-party auditor, subject to the Processor's reasonable approval and execution of a confidentiality agreement.
  • The Processor will provide reasonable cooperation and access to relevant records, systems, and personnel.
  • Audit costs are borne by the Controller unless the audit reveals a material breach of this DPA by the Processor.

11. International Data Transfers

Where personal data is transferred outside the European Economic Area, the Processor ensures that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module 2: Controller to Processor) are incorporated by reference into this DPA.
  • The Processor conducts transfer impact assessments for each sub-processor located outside the EEA.
  • Supplementary technical measures (encryption at rest and in transit) are applied to all transferred data.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement between the parties. The obligations related to data deletion, breach notification, and confidentiality survive termination. Either party may terminate this DPA in the event of a material breach that remains uncured for 30 days after written notice.

13. Contact

For questions about this Data Processing Agreement or to exercise any rights under this DPA, contact us at support@canaryguard.app.