Data Processing

We process. You control.

PolDex acts as a data processor on behalf of customers. Customers are the data controller. A formal DPA path is available.

Request DPA ->Security Overview
Processor Posture

PolDex is the processor. You are the controller.

When you submit documents for extraction, PolDex processes that content on your instruction and on your behalf. PolDex does not determine the purpose or means of processing - you do.

This relationship is formalized in the Data Processing Agreement, which sets out the obligations of both parties, the scope of processing, and the rights of data subjects.

01

You (Controller)

Determine what documents to submit, for what purpose, under what legal basis. Responsible for the lawfulness of the original collection.

02

PolDex (Processor)

Extract structured data from submitted documents under your instruction. Apply retention and deletion controls. Do not use content for any other purpose.

03

Cloudflare and inference providers (Sub-Processors)

Operate production hosting, storage, queueing, and model inference infrastructure under their respective data processing terms.

DPA Coverage

What the DPA covers.

The agreement defines the relationship around customer-submitted insurance documents, structured output, subprocessors, retention, deletion, and review rights.

Scope of processingCategories of data processed, processing purposes, duration, and permitted operations.
Controller obligationsLawful basis for submission, instruction rights, audit rights, and breach notification obligations.
Processor obligationsConfidentiality, security measures, sub-processor management, and breach notification to controller.
Data subject rightsDeletion, access, portability, and objection assistance obligations on the processor.
SubprocessorsList of approved sub-processors, notification of changes, and approval requirements.
International transfersMechanism for data transfers outside EEA/UK - Standard Contractual Clauses where required.
Deletion & Return

Deletion is real and bounded.

Raw document contentDeleted from worker disk after extraction completes (minutes)
Structured extraction outputDeleted 90 days after job creation, or on explicit request
Deletion request processingPOST /v1/jobs/{id}/delete - acknowledged within 24 hours, processed within 7 days
Operational metadataMay be retained for audit and billing reconciliation after content deletion
Audit & Review

Bounded and serious.

PolDex supports security and compliance review with the following:

  • SOC 2 preparation package and control map in progress
  • Security questionnaire responses for enterprise buyers
  • Penetration-test planning summary available when scheduled
  • Right-to-audit clause available in enterprise DPA
  • Subprocessor list available on request

Need a DPA?

Contact enterprise@poldex.ai with your legal team's requirements. We respond within 3 business days.

Request DPA ->Contact Details