idioma.chat
Accessibility (VPAT)Privacy PolicyBack to Home

Data Processing Agreement

Effective: March 28, 2026 · GabaNode Lab, LLC · Version 1.0

For Government & Enterprise Procurement Teams: This DPA governs how GabaNode Lab, LLC processes personal data on behalf of your agency when you use the Idioma translation platform. It is intended to satisfy standard vendor assessment requirements. For executed DPA copies or data privacy officer inquiries, contact accesstreec@gmail.com.

1. Definitions

  • "Controller" – the government agency or organization that deploys the Idioma widget on its website and determines the purposes of data processing.
  • "Processor" – GabaNode Lab, LLC, acting on the Controller's instructions to deliver the translation service.
  • "Personal Data" – any information that can identify a natural person, as defined by applicable law (e.g., CCPA, state privacy statutes).
  • "Translation Content" – the web page text, document text, or other content submitted through the widget for translation processing.

2. Scope of Processing

GabaNode Lab processes data strictly as necessary to deliver the Idioma translation service as configured by the Controller. Processing is limited to:

  • Routing translation requests to upstream API providers (Google, Anthropic)
  • Billing usage tracking (character counts, request counts — not content)
  • Enforcing the tenant's monthly spending cap
  • Logging security events to the audit trail (IP address, event type, timestamp)

3. Data We Do NOT Collect

The following data is explicitly never stored by GabaNode Lab:

  • The text content of web pages submitted for translation
  • The text content of documents submitted for OCR or translation
  • End-user (constituent) identities — the widget operates anonymously
  • Browser cookies beyond the agency tenant's session (no cross-site tracking)

4. Data Retention Schedule

Data TypeRetention PeriodBasis
Account credentials (hashed)Life of accountService delivery
Tenant configuration & widget settingsLife of accountService delivery
Audit logs (security events)90 days active, archived on requestCompliance & security
Monthly usage counters13 months (billing reconciliation)Financial records
Cloudflare / Vercel request logs30 daysSecurity & debugging
Translation contentZero retentionPrivacy by design
Document OCR contentZero retentionPrivacy by design

5. Security Controls

  • Encryption in transit: All data transmitted over TLS 1.2+. Cloudflare and Vercel enforce HTTPS.
  • Encryption at rest: Neon Postgres database encrypted at rest using AES-256 (AWS).
  • Authentication: JWT with HttpOnly, Secure, SameSite=Strict cookies. Passwords hashed using bcrypt (cost factor 12).
  • Rate limiting: IP-based rate limiting on all authentication and sensitive mutation endpoints.
  • Audit logging: All administrative actions (sign-in, password changes, billing updates, domain changes) are timestamped and stored in a tamper-evident audit log table with IP address capture.
  • Access control: Production database access restricted to the serverless runtime. No direct public access to the database.

6. Subprocessors

GabaNode Lab uses the following subprocessors to deliver the Idioma service. All subprocessors are bound by their own DPAs and data processing terms.

SubprocessorPurposeData LocationRetention
Google Cloud Translation API
Privacy Policy →		Core machine translation of web page and document contentUSA (multi-region)No retention
Anthropic (Claude API)
Privacy Policy →		AI-powered quality review, plain-language rewriting, and document summarizationUSANo retention
Stripe, Inc.
Privacy Policy →		Payment processing, subscription management, invoicingUSARetained per Stripe DPA and financial regulations
Neon (Neon, Inc.)
Privacy Policy →		Managed serverless Postgres — stores account data, tenant config, audit logsUSA (AWS us-east-1)For the life of the customer account
Vercel, Inc.
Privacy Policy →		Next.js application hosting and serverless edge runtimeUSA (global CDN)Request logs retained 30 days
Cloudflare, Inc.
Privacy Policy →		Edge-deployed translation Worker, rate limiting, DDoS protectionUSA (global edge network)Request logs retained 30 days

7. Data Subject Rights

As a Processor, GabaNode Lab will assist Controllers in fulfilling data subject rights requests within 30 days. Supported actions include account data export, account deletion, and audit log review for the requesting tenant.

To submit a request: accesstreec@gmail.com

8. Breach Notification

In the event of a confirmed personal data breach affecting Controller data, GabaNode Lab will notify the Controller within 72 hours of becoming aware of the incident. Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed.

9. Governing Law

This DPA is governed by the laws of the State of Colorado, USA, consistent with the Controller's operational jurisdiction. For federal agency engagements, parties agree to negotiate any required modifications to comply with applicable federal law.

10. Contact & Executed Copies

For an executed, signed copy of this DPA for your procurement records, or to discuss agency-specific data handling requirements:
accesstreec@gmail.com