# DPA · Onto
> Data Processing Addendum for customers processing personal data through Onto.

**Source:** /legal/dpa
**Extracted:** 2026-05-20T20:59:17.577Z

---
Legal

## Data Processing Addendum

The Data Processing Addendum (DPA) for customers processing personal data through Onto's APIs and SDKs.

Status

Drafting · pre-launch

Effective

Upon public availability

Document

v0.1 · draft

Contact

[founder@buildonto.dev](mailto:founder@buildonto.dev)

What this document will cover

*   01Roles: Onto as Processor, customer as Controller for data sent to our APIs
*   02Categories of personal data processed and the purposes for each
*   03Subprocessor list with current providers (Vercel, Polar, Cloudflare, Supabase) and notification rights for changes
*   04International transfer mechanisms: Standard Contractual Clauses (SCCs) and UK addendum
*   05Customer audit rights, security-incident notification timelines, and data return on termination
*   06Annex on technical and organisational measures (TOMs) aligned with GDPR Art. 32

Onto is operating in private preview. We're finalising this policy ahead of general availability. If you need a copy under NDA or have a specific compliance question, email [founder@buildonto.dev](mailto:founder@buildonto.dev) and we'll respond within one business day.

[Back to home](/)