Data Processing Addendum

Last updated: May 25, 2026

1. Roles of the parties

For files, folders, mailbox contents and any encrypted blobs you upload, you act as the data controller. DRIVUNO acts as data processor and processes only ciphertext on your behalf. Because content is encrypted on your device with keys we do not hold, DRIVUNO cannot read, scan, or analyse it.

2. Scope of processing

The personal data we process is limited to: (a) the encrypted blobs you upload, (b) account metadata strictly needed to operate the service (email, region, billing status), (c) audit and security telemetry (IP, user agent, action). No advertising processing, no profiling, no AI training on your content.

3. Sub-processors

  • Supabase — encrypted database rows and encrypted object storage.
  • Cloudflare — TLS termination, DNS, DDoS protection (transports ciphertext only).
  • Stripe — subscription billing (never receives file content).
  • Resend — transactional emails (verification, alerts; never your file content).
  • Twilio — optional SMS recovery codes.

The current list is published at /sovereignty. We give at least 30 days' notice before adding any new sub-processor.

4. Security measures

End-to-end encryption with XChaCha20-Poly1305 and X25519. Master keys derived with Argon2id (3 ops, 64 MiB) from a passphrase only the user knows. TLS 1.3 in transit. Strict CSP, HSTS preload, SRI on third-party scripts. Append-only audit logs. RLS on every database table. WebAuthn passkeys and TOTP for step-up authentication. Daily automated provider failover sweeps.

5. International transfers

You choose the residency region at signup (EU, Japan, or Global). When transfers outside the EEA are necessary, we rely on the EU Standard Contractual Clauses (2021/914) and document them in our public sovereignty page.

6. Data subject requests

Users can export everything we hold about them at any time from Settings → Security → Privacy & data. Account deletion is irreversible after a 30-day grace period and purges ciphertext from storage, deletes all metadata, and anonymises audit logs.

7. Breach notification

We notify affected controllers within 72 hours of becoming aware of a confirmed personal data breach, with the scope, affected data categories, and the remediation plan.

8. Audit rights

On reasonable notice (no more than once per 12 months, except in the case of a confirmed incident) we make available the documentation, security posture and pen-test summaries required to demonstrate compliance with this DPA.

9. Return and deletion

Upon termination, we delete or return all personal data within 30 days, unless Union or Member State law requires storage of the personal data. Encrypted blobs are deleted from storage; audit logs are anonymised.

Contact: privacy@drivuno.com.