
Data Processing Agreement

Last updated: June 1, 2026

1. Overview

This page summarizes how Civrel, Inc. ("Civrel") processes customer data and lists the subprocessors we rely on. It is intended to help compliance, legal, and procurement teams evaluate Civrel during a vendor security review.

A full, executable Data Processing Agreement is available to customers and prospective customers on request. To receive it, contact legal@civrel.io.

2. Roles and Scope of Processing

The customer is the controller of the personal data it submits to the platform. Civrel acts as the processor, processing that data only to provide the SCRA compliance services and on the customer's documented instructions.

  • Categories of data: servicemember identifiers (including names, dates of birth, and Social Security Numbers used for verification), account and case information, and customer-user account details.
  • Purpose of processing: military-status verification through the Defense Manpower Data Center (DMDC), SCRA eligibility determination, case management, documentation, monitoring, and reporting.
  • Duration: for the term of the customer agreement and any retention period required by law or the agreement.

3. Civrel's Obligations as Processor

  • Process personal data only on the customer's documented instructions.
  • Ensure personnel authorized to process data are bound by confidentiality.
  • Apply the technical and organizational security measures described in Section 4.
  • Engage subprocessors only under written terms imposing equivalent data-protection obligations, and notify customers of changes (Section 5).
  • Assist the customer in responding to data-subject requests where applicable.
  • Assist the customer with security, breach notification, and related obligations.
  • Delete or return personal data at the end of the engagement, subject to legal retention requirements.
  • Make available information necessary to demonstrate compliance.

4. Security Measures

Civrel maintains an information security program designed to Gramm-Leach-Bliley Act (GLBA) standards. Measures include encryption of Social Security Numbers with AES-256-GCM at rest (decrypted only at verification time and zeroed from memory after use), TLS 1.3 in transit, role-based access control, append-only audit logging retained for seven years, US-based infrastructure with database encryption at rest, automated backups with disaster recovery, and continuous vulnerability scanning.

Full detail is on our Security page.

5. Subprocessors

Civrel engages the following subprocessors to deliver the services. All process data within the United States.

Subprocessor | Purpose | Location
Render, Inc. | Cloud application hosting and managed PostgreSQL database | United States
Amazon Web Services, Inc. | Encrypted document storage (S3) and AI-assisted document processing (Textract, Bedrock) | United States

Military-status verification is performed against the U.S. Department of Defense's Defense Manpower Data Center (DMDC). DMDC is a government system of record, not a commercial subprocessor; data is transmitted to it solely to perform the verification the service exists to provide.

We will provide notice of any intended addition or replacement of a subprocessor so the customer has the opportunity to object. To receive subprocessor change notifications, contact legal@civrel.io.

6. International Transfers

Civrel stores and processes customer data in the United States and does not transfer personal data internationally. Dedicated infrastructure options are available for enterprise customers.

7. Breach Notification

Civrel maintains an incident-response process and will notify affected customers without undue delay, and within the timeframe specified in the executable DPA, upon becoming aware of a personal-data breach affecting their data.

8. Return and Deletion of Data

On termination of the engagement, Civrel will return or delete customer personal data at the customer's election, subject to retention required by law or the customer agreement. Audit records for closed compliance cases are retained for seven years to support the customer's own regulatory obligations.

9. Requesting the Executable DPA

To execute a Data Processing Agreement or to request supporting security documentation for a vendor review, contact legal@civrel.io. This page is informational and does not by itself constitute a binding agreement.