Data Processing Addendum
Effective May 22, 2026
What this page is
A Data Processing Addendum (DPA) is the contract that governs how Pebble handles your personal data on your behalf when you use our service. It satisfies the requirements of Article 28 of the GDPR and the equivalent provisions of the UK GDPR + the California Consumer Privacy Act (CCPA / CPRA).
This page is a summaryof what's in our DPA — not the contract itself. To execute a signed DPA for your account, email web@getpebble.net and we'll send the current version inside one business day.
What our DPA covers
- Roles. You are the data controller. Pebble is the data processor for personal data you upload, type into the questionnaire, or collect through your published site's forms.
- Scope. Data we process is limited to what's needed to deliver the service — account info, questionnaire answers, generated site files, form submissions sent to your inbox.
- Sub-processors. Listed below. We give 30 days' notice before adding a new sub-processor that processes personal data on your behalf.
- Security. Encryption in transit (TLS 1.2+), encryption at rest for all sentinel files + database rows, hashed passwords (Supabase / Argon2), per-user storage isolation in our output directory.
- International transfers. Standard Contractual Clauses (SCCs) for any EEA → US transfer, including transfers to our sub-processors.
- Data subject rights. We help you respond to access, rectification, erasure, and portability requests within reasonable timelines — the same controls power our own account-deletion flow, which is documented in our Privacy Policy.
- Breach notification. We notify you without undue delay (target: 48 hours) of any confirmed personal-data breach affecting your data.
- Deletion on termination. When you delete your account, all personal data is purged within the cooling-off window (default 14 days). Sub-processor cleanup runs the same week.
Sub-processors
These are the third-party services Pebble depends on. Each handles a specific slice of your data — none holds the full picture.
| Sub-processor | Purpose |
|---|---|
| Supabase | Authentication + Postgres database + file storage |
| Stripe | Subscription billing + payment processing |
| Resend | Transactional email (signup, password reset, form replies) |
| Cloudflare | CDN + DDoS protection + DNS |
| Railway | Application hosting for the Pebble engine |
| Vercel | Hosting for the customer-facing Pebble app |
| Anthropic | LLM provider — generates site code from your brief |
| LLM provider (Gemini) — alternate generator | |
| OpenRouter | LLM gateway (Qwen) — alternate generator |
We'll send 30 days' advance notice to your account email when adding a new sub-processor that processes your personal data. You can object — if we can't resolve the concern, you can cancel without penalty.
Certifications — honest version
Our underlying infrastructure providers (Supabase, Stripe, Cloudflare, Railway, Vercel) are SOC 2 Type II and ISO 27001 certified — that protects the platform layer.
Pebble itself is not yet certified.We're following the standard SaaS path: implement controls first (done — encryption, access logs, per-user isolation, breach SOP), engage Vanta or Drata for continuous monitoring (next), then schedule the SOC 2 Type II audit (~9 months out). We'll publish the certifications here when they're real.
We'd rather wait and tell you the truth than slap badges on the site we haven't earned.
Get the signed DPA
Email web@getpebble.net with your account email and company name. We'll send the current Pebble DPA, pre-filled with your details, for counter-signature inside one business day.
For other questions: Privacy Policy · Terms of Service