DPA placeholder

DPA placeholder without unsupported claims.

These pages describe the intended product policy surface while formal legal, security, vendor, and Enterprise reviews are still gated by the operational readiness register.

Reviewed by: GetFileURL technical team
Last updated: June 5, 2026

Open dashboard Security model

DPAprivacy reviewEnterpriseregional review

Current statusAPI-ready

Published as a placeholder until formal review is complete.

SourceFileRelayPOSTOutputURL

Status: Placeholder pending external legal review
Default region: US default; regional Enterprise later only after vendor evidence
Claims gate: No privacy-framework or regional-residency claim before approved DPA and regional evidence

Claims gate:
no SOC 2 claim
no regulated privacy framework claim
no regional residency claim
no malware-free claim
legal review required

Short answer

What this page answers

Current GetFileURL DPA placeholder for Enterprise review. No regulated privacy framework, regional residency, or signed DPA claim is made before legal approval.

Use this page when the workflow needs file bytes available at a direct URL with predictable metadata, lifecycle controls, and a cleanup path.

Updated June 5, 2026

Enterprise path

A signed DPA must match the actual runtime and vendor path.

The architecture has region fields, retention controls, data-request workflows, and break-glass restrictions, but signed DPA language depends on external legal review and vendor evidence.

Processing scope

Workspace metadata, file metadata, logs, diagnostics, support access, and subprocessors must be covered.

Regional processing

Region-specific processing must not be promised until Cloudflare regional controls, Convex region strategy, logs, backups, and support paths are proven.

Support access

Break-glass access is policy-controlled and time-bound, with Enterprise opt-out design.

Current controls

Product controls exist, legal commitments are gated.

Retention policy, data request tracking, audit events, incident response, abuse workflow, and subprocessor records are product foundations, not a substitute for legal approval.

Data requests

Dashboard workflows track access, correction, export, deletion, restriction, and objection requests.

Audit

Control-plane actions produce audit and operational evidence.

Review packet

Enterprise DPA review must include subprocessors, regional path, scanner path, logs, backups, and support access.

FAQ

Answers before the workflow breaks

Can I get a signed DPA today?

Not yet. This placeholder documents the intended review path, not an executed legal artifact.

Can you claim regulated privacy readiness?

No. That wording is blocked until legal review approves it.

Can Enterprise customers opt out of break-glass file access?

The architecture includes that policy path, but contract wording still needs review.

Keep building the file URL path

Back to home