Data Processing Agreement (DPA)

The DPA outlines Polymet’s responsibilities as a data processor, including scope of processing, subprocessor controls, breach notification and incident response. The DPA is compliant with GDPR, CCPA, and similar global data protection laws.

Data Processing Terms

Polymet Inc. acts as a data Processor when handling personal data on behalf of its customers, while the customer retains the role of Controller. Polymet employees may access data only as needed and are bound by confidentiality and access controls. We process personal data solely for legitimate business purposes, including: (i) providing and improving our services, (ii) identifying users for support and service quality, (iii) and—only in the case of unpaid users—leveraging generated content and metadata to enhance our models and design capabilities. The types of data we may process include names, email addresses, usage data, output content-related metadata, technical logs, and user-submitted information as outlined in this Privacy Policy. We use third-party subprocessors (e.g., AWS, Stripe, Posthog, WorkOS, Resend, Antrophic etc.) to provide essential infrastructure and analytics. We assess our subprocessors for SOC 2 compliance and share a subprocessors list only if there is a legitimate legal or contractual requirement to do so. Polymet implements industry-standard security controls, including encryption of data at rest and in transit, role-based access controls, infrastructure monitoring, and incident alerting. In line with GDPR and other global regulations, users have the right to access, correct, or delete their personal data, and we support these requests in a timely and compliant manner. In the event of a confirmed personal data breach, we will notify affected parties without undue delay. For any data protection inquiries, please contact us at info@polymet.ai

Data Residency and Cross-Border Transfers

Polymet processes and stores all customer data in U.S.-based infrastructure. For transfers from the EU, UK, or other restricted regions, we rely on Standard Contractual Clauses (SCCs) and implement additional technical and organizational safeguards, including:
  • TLS encryption and data-at-rest encryption using AES-256
  • Limited subprocessor usage with rigorous due diligence
  • Access controls aligned with the principle of least privilege

Subprocessors and Subcontrollers

To provide and support our services, Polymet, Inc. engages carefully selected third-party service providers (“subprocessors”) that may process limited personal data on our behalf. We ensure that all subprocessors meet appropriate security and privacy obligations, and we evaluate them for industry compliance standards such as SOC 2, ISO 27001, GDPR and CCPA alignment. Below is a list of our current sub-processors and their roles:
  • WorkOS - used for enterprise-grade authentication and Single Sign-On (SSO), enabling user and organization-level access to Polymet’s services.
  • Posthog - provides product analytics and event tracking to help us understand usage patterns and improve the user experience of our services.
  • Supabase - serves as our backend platform for user authentication and secure database storage.
  • Resend - sends transactional emails (e.g., password resets, invites) and promotional communications to users.
  • Stripe - handles payment processing and billing, limited to paid customers. Stripe only accesses the data necessary to fulfill payment transactions.
  • Pylon - used to manage and respond to customer support requests, including contextual data access to improve service quality and resolution time.
  • Attio - acts as our Customer Relationship Management (CRM) platform. Attio helps us organize customer interactions, improve service delivery, and better understand user needs to enhance our offerings.
  • Antrophic, OpenAI - serves as LLM providers in part of our generation pipeline.
  • Langfuse - serves as a LLM prompts tracking and observability for AI process.
We review all sub-processors for compliance with data protection standards and monitor them regularly. If you are an enterprise customer with specific legal or security requirements regarding data handling, please contact us at info@polymet.ai

Breach Notification and Incident Response

Polymet maintains a formal Incident Response Plan designed to detect, investigate, and respond to potential data breaches promptly and effectively. In the event of a security incident involving unauthorized access to personal data, we will assess the scope and impact of the incident and notify affected users without undue delay. Where required by law, including under the General Data Protection Regulation (GDPR), we will notify the appropriate supervisory authorities within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform affected users directly. Our breach notifications will include a description of the nature of the breach, the categories and approximate volume of affected data and individuals, the likely consequences of the breach, and the measures we have taken or plan to take to mitigate its effects. Polymet will provide timely updates as further information becomes available during the investigation and will fully cooperate with regulatory authorities and affected customers to ensure transparent and effective resolution. For any questions or concerns related to security incidents or data breaches, please contact our security team at security@polymet.ai.

Tenant Isolation

Polymet ensures strict logical separation of customer data across its multi-tenant platform. Each organization and user operates within a uniquely scoped environment, defined by distinct organization and workspace identifiers. All data access is governed by API-level request scoping and enforced through granular, role-based access controls that limit visibility and operations to authorized users only. This architecture is purpose-built to prevent any cross-tenant data exposure. Data created or managed by one customer is fully isolated from other tenants within the system, ensuring confidentiality and integrity across all accounts.

Data Deletion

Polymet processes verified deletion requests promptly and in accordance with applicable data protection laws. Customer data is permanently removed from active systems within 30 days of the request. Backup data and residual records are purged within 90 days. Data deletion process is only executed with the customers’ authorized administrator a formal request submittance to info@polymet.ai

Get in touch

If you have any concerns about Polymet or believe you have uncovered a data processing issue, please get in touch via the e-mail address info@polymet.ai.