Legal

Data Processing Agreement

Placeholder — this page's final copy hasn't been written yet. What's below is accurate but minimal.

Last updated — pending launch

oauth.work acts as a processor of the personal data your organization stores in the service; your organization is the controller. A signable DPA covering sub-processors, transfer mechanisms, and breach notification lands with general availability.

Highlights

  • Per-tenant key isolation; private keys envelope-encrypted at rest.
  • Processing limited to documented instructions and the service's purpose.
  • Breach notification and a current sub-processor list will be published here.

Need a DPA executed for an enterprise deployment now? hello@oauth.work.