Data Processing

We process.
You control.

PolDex acts as a data processor on behalf of customers. Customers are the data controller. A formal DPA path is available.

Request DPA →Security Overview
Processor Posture

PolDex is the processor. You are the controller.

When you submit documents for extraction, PolDex processes that content on your instruction and on your behalf. PolDex does not determine the purpose or means of processing — you do.

This relationship is formalized in the Data Processing Agreement, which sets out the obligations of both parties, the scope of processing, and the rights of data subjects.

You (Controller)

Determine what documents to submit, for what purpose, under what legal basis. Responsible for the lawfulness of the original collection.

PolDex (Processor)

Extract structured data from submitted documents under your instruction. Apply retention and deletion controls. Do not use content for any other purpose.

AWS (Sub-Processor)

Operate the compute, storage, and model inference infrastructure under AWS terms. Governed by AWS Data Processing Addendum.

DPA Coverage

What the DPA covers.

Scope of processing

Categories of data processed, processing purposes, duration, and permitted operations.

Controller obligations

Lawful basis for submission, instruction rights, audit rights, and breach notification obligations.

Processor obligations

Confidentiality, security measures, sub-processor management, and breach notification to controller.

Data subject rights

Deletion, access, portability, and objection assistance obligations on the processor.

Subprocessors

List of approved sub-processors (AWS services), notification of changes, and approval requirements.

International transfers

Mechanism for data transfers outside EEA/UK — Standard Contractual Clauses where required.

Deletion & Return

Deletion is real and bounded.

PolDex does not claim instant universal deletion across all systems. What we do commit to:

Raw document content

Deleted from worker disk after extraction completes (minutes)

Structured extraction output

Deleted 90 days after job creation, or on explicit request

Deletion request processing

POST /v1/jobs/{id}/delete — acknowledged within 24 hours, processed within 7 days

Operational metadata

May be retained for audit and billing reconciliation after content deletion

Audit & Review

Bounded and serious.

PolDex supports security and compliance review with the following:

SOC 2 Type II audit documentation available under NDA
Security questionnaire responses for enterprise buyers
Penetration test results summary available under NDA
Right-to-audit clause available in enterprise DPA
Subprocessor list available on request

Need a DPA?

Contact enterprise@poldex.io with your legal team's requirements. We respond within 3 business days.

Request DPA →Contact Details