Data Processing Agreement

2.1 Subject Matter

Cred processes personal data submitted by or on behalf of the Controller through the Cred credential delegation service, including through the developer portal at cred.ninja, the API at api.cred.ninja, the Cred TypeScript SDK (@credninja/sdk), the Python SDK (cred-auth), and the MCP server (@credninja/mcp).

2.2 Duration

This DPA remains in effect for the duration of the Terms of Service and terminates automatically upon expiration or termination of the Terms of Service. Upon termination, Cred will delete or return personal data in accordance with Section 11.

2.3 Roles

The Controller determines the purposes for which End Users connect Third-Party Services through Cred and deploys Agents that request delegated credentials. Cred acts as Processor for the personal data processed in connection with those activities. Where Cred independently determines the purposes and means of processing (e.g., for its own billing, security monitoring, or service improvement), Cred acts as Controller for that processing.

4.1 Account Data

• Developer account: email address, hashed password (bcrypt, cost factor 10), registration timestamp, account preferences.
• End User account: email address, hashed password (bcrypt, cost factor 10), email verification status, registration timestamp.

4.2 OAuth Credential Data

• OAuth refresh tokens: stored encrypted at rest using AES-256-GCM with a unique random 16-byte initialization vector per token and AWS KMS-managed encryption key.
• OAuth access tokens: short-lived (typically 1 hour). Issued to authorized Agents and not stored by Cred beyond the delegation response.
• Token metadata: provider name, granted scopes, token expiration timestamps, revocation status.
• OAuth state and code verifier: used during PKCE authorization flows, stored in encrypted browser sessions and deleted upon completion.

4.3 Delegation Records

• Authorization grants: records linking End Users, Applications, and Third-Party Services, including granted scopes and consent timestamps.
• Delegation logs: delegation request timestamps, requesting Agent identity, requested scopes, outcome (success/failure/consent_required), and error codes.
• Delegation receipts: JWS/Ed25519 signed cryptographic receipts for each delegation event.

4.4 Agent Identity Data

• Agent tokens: SHA-256 hash of the plaintext cred_at_* token. Plaintext is never stored.
• Agent client metadata: Agent name, associated Developer account, creation timestamp, assigned scopes.
• DID-based identifiers: did:key identifiers derived from Ed25519 public keys, used for agent identity verification where applicable.

4.5 Technical Metadata

• Session data: encrypted browser session identifiers and session metadata. Personal data within sessions is redacted in logs.
• Request metadata: timestamps, HTTP status codes, anonymized error context. IP addresses are not retained in application logs.
• Webhook delivery logs: endpoint URL, delivery ID, event type, delivery status, response code. Webhook payloads do not contain credentials.

5.1 Instructions

Cred will process personal data only on documented instructions from the Controller, including the instructions set out in the Terms of Service and this DPA, unless required to do so by applicable law. Cred will promptly inform the Controller if it believes an instruction infringes Applicable Data Protection Law.

5.2 Confidentiality

Cred will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and receive training on data protection requirements relevant to their role.

5.3 Security

Cred will implement and maintain the technical and organizational measures described in Section 7 to protect personal data against unauthorized access, disclosure, alteration, or destruction.

5.4 Sub-processors

Cred will engage Sub-processors only as described in Section 6 and will ensure Sub-processors are bound by data protection obligations equivalent to those in this DPA.

5.5 Data Subject Rights

Cred will assist the Controller in fulfilling its obligation to respond to Data Subject rights requests as described in Section 8, taking into account the nature of the processing.

5.6 Audit Rights

Cred will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and, upon reasonable prior written notice (minimum 30 days), allow for and contribute to audits conducted by the Controller or a mandated auditor, provided such audits do not unreasonably disrupt Cred’s operations or compromise the security of other customers’ data.

5.7 Deletion or Return

At the Controller’s choice, Cred will delete or return all personal data upon termination of the Terms of Service in accordance with Section 11 of this DPA, unless applicable law requires retention of the personal data.

6.1 Changes to Sub-processors

Cred will provide at least 14 days’ prior written notice of any intended changes to Sub-processors (additions or replacements) by email to the Controller’s registered address or by posting to this page. The Controller may object to such changes within 14 days of notification by contacting dpa@cred.ninja. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the Terms of Service.

7.1 Encryption

• At rest: OAuth refresh tokens encrypted using AES-256-GCM. Each token uses a unique cryptographically random 16-byte initialization vector. Authentication tags are stored alongside ciphertext to detect tampering. Encryption keys managed via AWS KMS with per-account cryptographic isolation.
• In transit: All data transmitted over HTTPS (TLS 1.2+). API endpoints enforce HTTPS in production.
• Passwords: bcrypt hashing at cost factor 10. Plaintext passwords are never stored or logged.
• Agent tokens: SHA-256 hashed before storage. Plaintext cred_at_* tokens are never stored.

7.2 Access Controls

• OAuth 2.0 authorization with mandatory PKCE (S256 code challenge method, RFC 7636).
• Session-based authentication for developer and user portal access with secure cookie configuration.
• Agent token validation via hash comparison — agents are authenticated without exposing plaintext tokens.
• CSRF protection via origin validation middleware on all state-modifying endpoints.
• CORS whitelisting to permitted origins (cred.ninja, api.cred.ninja).

7.3 Infrastructure Security

• HTTP security headers via Helmet (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security).
• Tiered rate limiting: authentication endpoints (10 req/15 min), API endpoints (100 req/15 min), delegation endpoints (60 req/min), token endpoints (20 req/15 min).
• PII and secret redaction in all application logs via log-sanitizer middleware before any external transmission.
• Decrypted credentials wiped from memory immediately after use — never retained beyond the in-process delegation operation.

7.4 Organizational Measures

• Access to production systems and databases is restricted to authorized personnel on a need-to-know basis.
• Security incidents are reviewed, documented, and subject to root cause analysis.
• Third-party security audits and penetration testing conducted periodically.
• Security architecture review required before changes to encryption.ts, schema.ts, or authentication middleware.

8.1 Assistance

Cred will, taking into account the nature of the processing and the information available to Cred, assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of:

• Access: End Users can view their connected OAuth services, authorized applications, and delegation activity through the User portal (/user/connections and /user/authorizations).
• Rectification: End Users can update account information through /user/settings.
• Erasure: End Users can revoke individual OAuth connections or request full account deletion, which triggers deletion of all associated personal data including encrypted refresh tokens.
• Portability: Personal data can be exported through the API. Contact dpa@cred.ninja for bulk data export.
• Restriction and Objection: Contact dpa@cred.ninja to request restriction of processing or to object to specific processing activities.

8.2 Response Time

Cred will respond to Data Subject rights requests forwarded by the Controller within 30 days. Complex requests may require up to 90 days with notice provided within the initial 30-day period. Cred will provide the Controller with the information needed to satisfy Data Subject requests to the extent technically feasible.

8.3 Unsolicited Requests

If Cred receives a Data Subject rights request directly (not via the Controller), Cred will forward it to the Controller at the email address on the account without undue delay.

9.1 Data Location

Personal data is primarily stored and processed in the United States on infrastructure provided by Render (API and PostgreSQL) and Vercel (portal CDN). AWS KMS key operations are performed in the United States.

9.2 Transfer Mechanisms

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other third countries, Cred relies on the following transfer mechanisms:

• Standard Contractual Clauses (SCCs): The European Commission’s SCCs (Decision 2021/914, Module Two: Controller-to-Processor) are incorporated by reference into this DPA for transfers from the EEA. For UK transfers, the UK Addendum to the SCCs applies. For Swiss transfers, the Swiss FDPIC guidance applies.
• Sub-processor SCCs: Where Sub-processors receive transfers of EEA personal data, Cred ensures equivalent transfer protections apply, including through Sub-processor SCCs or adequacy decisions.

9.3 Transfer Impact Assessment

Upon request, Cred will provide the Controller with information reasonably necessary to conduct a Transfer Impact Assessment (TIA) for transfers of EEA personal data to the United States, including information about the legal frameworks applicable to Cred and its Sub-processors.

10.1 Detection and Assessment

Cred will implement and maintain technical and organizational measures to detect, investigate, and assess personal data breaches, including unauthorized access to or disclosure of personal data, loss of encrypted credential data, or unauthorized access to the credential vault.

10.2 Notification Timelines

Upon becoming aware of a personal data breach that affects personal data processed on behalf of the Controller, Cred will:

• Within 24 hours: Provide initial notification to the Controller by email to the account’s registered address, including a preliminary description of the incident, the categories and approximate number of affected Data Subjects, and the categories of personal data involved.
• Within 72 hours: Provide a more detailed incident report including the likely consequences of the breach, measures taken or proposed to address the breach, and the contact details of Cred’s data protection contact.
• Ongoing: Provide regular updates as the investigation progresses and remediation measures are implemented.

10.3 Regulatory Notifications

The Controller is responsible for making any required notifications to supervisory authorities and affected Data Subjects. Cred will cooperate with and assist the Controller in making such notifications as required by Applicable Data Protection Law.

10.4 Security Incidents

Not all security incidents constitute personal data breaches. Cred will notify the Controller of security incidents that affect the confidentiality, integrity, or availability of personal data, even where the impact on Data Subjects has not yet been fully assessed.

11.1 Deletion on Termination

Upon expiration or termination of the Terms of Service, Cred will, at the Controller’s choice within 30 days of termination:

• Delete all personal data processed on behalf of the Controller, including encrypted refresh tokens, delegation records, audit logs, and account data; or
• Return personal data in a structured, machine-readable format (JSON or CSV) to the Controller before deletion.

11.2 Retention After Deletion Request

After receiving a deletion request, Cred will complete deletion within 30 days. Certain data may be retained for longer periods where required by applicable law (e.g., financial records required for tax compliance), in which case Cred will notify the Controller and restrict processing of such data to the minimum necessary.

11.3 Deletion Confirmation

Upon request, Cred will provide written confirmation that personal data has been deleted in accordance with this DPA. Encrypted backups are deleted on their regular rotation schedule, which does not exceed 30 days.

11.4 Data Export Prior to Termination

The Controller may export personal data through the Cred API or developer portal at any time during the term. For bulk data export requests, contact dpa@cred.ninja at least 14 days before the desired termination date to allow sufficient processing time.