Astra
Back to Legal Center
B2B

B2B Embed Data Processing Addendum

Data processing addendum for embed widget partners

Last updated · 2026-05-14

These terms are updated periodically; we email all users before material changes. This document is not legal advice for your specific situation — for that, consult your own counsel.

B2B Embed Data Processing Addendum (DPA)

Last updated: 2026-05-14 · These terms are reviewed by Astra periodically and effective on the Last updated date above.

This DPA supplements the standard Embed Partner Agreement and governs Astra's processing of personal data on behalf of Partner when end-users interact with the embedded reading widget.

Roles

  • Partner is the Controller of end-user data collected via Partner's site
  • Astra is the Processor acting on Partner's documented instructions
  • Sub-processors (Anthropic, Deepgram, Cartesia, Stripe, Supabase, LiveKit, Vercel, Cloudflare) are sub-processors and Astra remains liable for their compliance

What we process

  • End-user inputs to the widget (questions, audio if voice enabled)
  • Anonymous session identifiers tied to Partner's slug
  • IP address (for fraud prevention; not persisted beyond 30 days)

We do not link these inputs to other Astra accounts unless the end-user is signed in.

Purposes

Strictly: render the requested reading, log usage for Partner's billing dashboard, prevent abuse.

Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access on a need-to-know basis
  • Annual third-party penetration test
  • Incident notification to Partner within 72 hours of confirmed breach affecting Partner's end-users

Data subject rights

Partner is responsible for honoring end-user rights under GDPR, CCPA, etc. Astra will assist within 30 days of a written request:

  • Access / portability
  • Deletion
  • Correction
  • Restriction / objection

Cross-border transfers

Where required, governed by Standard Contractual Clauses (EU 2021 SCCs) and the UK Addendum. Partner attaches its own SCCs with Astra for further onward transfer.

Termination

On Embed Partner Agreement termination, Astra:

  • Stops processing
  • Returns or deletes end-user data within 30 days (Partner's choice)
  • Retains anonymized aggregate metrics indefinitely

Audit rights

Partner may audit Astra's compliance once per 12 months, at Partner's expense, on 30 days' written notice.

Contact

hello@astraplatform.ai · subject: "B2B DPA"

These terms are reviewed by Astra periodically and effective on the Last updated date above.

Questions about this document?

Email us — we reply within 24h (12h for Pro & creators).

hello@astraplatform.aiHelp center