1. Scope and roles
The Customer is the controller and Keter Labs is the processor for personal data submitted to the Service (including Inputs, Outputs, and end-user account data if the Customer is a business).
2. Documented instructions
Keter Labs will process personal data only on the Customer's documented instructions, including as set out in the Terms and this DPA, and as required by applicable law.
3. Security measures
- TLS 1.2+ in transit; AES-256 at rest.
- Role-based access control with least privilege.
- Row-level security on all customer tables.
- Audit logging of privileged actions.
- Vulnerability management and dependency scanning.
4. Sub-processors
Keter Labs uses the following sub-processors to deliver the Service:
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, CDN, DDoS | Global |
| Supabase Inc. | Managed Postgres, auth, storage | EU / US |
| OpenAI, L.L.C. | Image and text generation | US |
| Google LLC (Gemini) | Video and text generation | US / EU |
| Anthropic PBC | Text generation | US |
| ElevenLabs Inc. | Voice, music, SFX generation | US |
| fal.ai Inc. | Image / video / 3D generation | US |
| Replicate Inc. | Fallback model hosting | US |
| Resend / Postmark | Transactional email | EU / US |
We will notify Customers at least 30 days before adding or replacing a sub-processor. Customer may object on reasonable grounds.
5. International transfers
For transfers of personal data from the EEA, UK, or Switzerland to third countries without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (2021/914) and the UK IDTA, as applicable.
6. Assistance and data-subject requests
Keter Labs will assist Customer in responding to data-subject requests and in complying with Articles 32–36 GDPR, taking into account the nature of processing.
7. Breach notification
Keter Labs will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal-data breach affecting Customer data.
8. Deletion and return
Upon termination, Keter Labs will delete or return all personal data within 30 days, unless storage is required by law.
9. Contact
Data Protection contact: dpo@keterlabs.ai.
Questions about this document? Reach out at legal@keterlabs.ai.