Data Processing Addendum

Last updated: April 9, 2026

1. Scope

This Data Processing Addendum ("DPA") forms part of the agreement between DMG L&D, LLC, operating as Bytario (the "Processor") and any paying customer of api.bytario.com (the "Controller") whose use of the service involves processing personal data on behalf of end users located in the European Economic Area, United Kingdom, or jurisdictions with equivalent data protection laws.

2. Subject matter and duration

The Processor processes file bytes submitted to the API strictly for the purpose of executing the requested conversion and returning the result. No file contents are persisted beyond the duration of the request (typically under one second). Processing continues for as long as the Controller maintains an active subscription.

3. Nature and purpose of processing

Conversion of image, PDF, QR code, and barcode bytes submitted by the Controller's end users via the API. The Processor does not inspect, analyze, profile, or train any machine-learning models on submitted content.

4. Categories of data subjects and personal data

• Data subjects: the Controller's end users whose files pass through the API.
• Personal data: whatever the Controller's end users include in their files (potentially EXIF metadata with GPS, photos of identifiable individuals, PDF document contents). The Processor does not examine or extract this data beyond what the requested conversion requires.

5. Subprocessors

The Processor uses the following subprocessors:

• Cloudflare, Inc. — compute (Workers), KV storage, DNS, DDoS protection. Processing region: Cloudflare's global network with Worker execution at the nearest edge to the request origin.
• Stripe, Inc. — payment and subscription management for the Controller only (never the Controller's end users).
• Resend.com — transactional email for delivering API keys to the Controller only.

The Processor will provide 30 days' advance notice of any new subprocessor by email to the Controller's billing contact. The Controller may object to a new subprocessor by terminating the subscription within that window and receiving a pro-rated refund for the unused portion.

6. Security measures

• TLS 1.3 in transit for all API and control-plane traffic.
• API keys hashed at rest in Cloudflare KV.
• Workers execute in isolated V8 isolates with no persistent filesystem.
• Principle of least privilege for all operational access.
• Quarterly review of subprocessor security posture.

7. Data subject rights

The Processor will reasonably assist the Controller in responding to data subject access, deletion, correction, and portability requests. Because no file contents are stored, most such requests can be answered with "no data held."

8. Breach notification

The Processor will notify the Controller of any personal data breach affecting Controller data without undue delay and in any event within 72 hours of becoming aware of the breach.

9. International transfers

Where personal data is transferred outside the EEA/UK, the Processor relies on the European Commission's Standard Contractual Clauses (2021/914) as incorporated by Cloudflare's DPA.

10. Return and deletion of data

Upon termination of the agreement, the Processor will delete all Controller account data (billing metadata, hashed API keys) within 30 days, except where retention is required by applicable tax or regulatory law.

11. Contact

Questions or signed-copy requests: dpa@bytario.com.