Hamilton AI

Data Processing Agreement

Effective date: April 1, 2026 · Last updated: April 1, 2026

This Data Processing Agreement ("DPA") describes how Blackfyre LLC ("Blackfyre," "Processor") processes personal data on behalf of subscribers ("Controller") in connection with the Blackfyre GovCon AI service. This DPA is incorporated into and governed by the Blackfyre Terms of Service.

1. Definitions

  • Personal data: Any information relating to an identified or identifiable natural person, as processed through the service
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion
  • Controller: The subscriber who determines the purposes and means of processing (you)
  • Processor: Blackfyre LLC, which processes data on behalf of the Controller
  • Subprocessor: A third party engaged by Blackfyre to assist in processing personal data

2. Scope of Processing

Blackfyre processes the following categories of personal data on behalf of subscribers:

  • Account identity data (name, email address)
  • Company profile data (company name, UEI, NAICS codes, certifications, capabilities)
  • Conversation content (messages and agent responses)
  • Uploaded documents (solicitation PDFs)
  • Usage and session metadata

Processing is carried out solely for the purpose of providing the Blackfyre GovCon AI service as described in the Terms of Service and at the direction of the Controller.

3. Data Storage — Supabase (AWS)

All subscriber data is stored on Supabase, which is hosted on Amazon Web Services (AWS) infrastructure in the United States (us-east-1 region).

  • Database records are encrypted at rest using AES-256
  • Row-level security (RLS) policies enforce strict per-user data isolation at the database layer — no query from one user can return another user's rows
  • File storage (uploaded PDFs) is scoped to individual user paths and is not publicly accessible without a signed URL
  • Supabase Auth manages authentication tokens; sessions are short-lived JWTs

4. Data Processing — Railway (Backend)

The Blackfyre backend API is hosted on Railway, a cloud infrastructure provider. API requests (including chat messages in transit) are processed on Railway's infrastructure before being forwarded to Anthropic.

  • Data in transit is encrypted via TLS 1.2 or higher at all hops
  • Railway does not persist your conversation content — it is a stateless API layer
  • Railway is hosted on AWS infrastructure (us-west-2)

5. AI Processing — Anthropic Claude API

Conversation messages are transmitted to Anthropic PBC for response generation via the Claude API.

  • Blackfyre operates under Anthropic's zero data retention (ZDR) configuration — Anthropic does not store API request/response data beyond what is required to serve the request
  • Anthropic does not use API data to train its models under ZDR
  • Anthropic is a US-based company; data is processed within the United States

6. Security Measures

Blackfyre implements the following technical and organizational security measures:

  • Encryption at rest: AES-256 for all database records and file storage
  • Encryption in transit: TLS 1.2+ for all API communication
  • Access control: Row-level security at the database layer; no cross-user data access possible via the API
  • Authentication: JWT-based session tokens with short expiry; Google OAuth 2.0 supported
  • Staff access: Production database access is restricted to essential personnel and is logged
  • Incident response: Subscribers will be notified within 72 hours of becoming aware of a personal data breach affecting their data

7. Subprocessor List

Blackfyre uses the following subprocessors. We will provide 30 days' notice before adding a new subprocessor that processes personal data.

| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Supabase Inc. | Database, authentication, file storage | USA (AWS us-east-1) |
| Railway Corp. | Backend API hosting | USA (AWS us-west-2) |
| Anthropic PBC | AI response generation (Claude API) | USA |
| Stripe Inc. | Payment processing and billing | USA |
| Vercel Inc. | Frontend hosting (static assets) | USA |
| SAM.gov (GSA) | Procurement opportunity data (query only) | USA (US Government) |
| USASpending.gov (Treasury) | Contract award data (query only) | USA (US Government) |
| HigherGov | Procurement intelligence (query only) | USA |
| Tango | Procurement intelligence (query only) | USA |

8. Data Subject Rights

As Controller, you are responsible for responding to data subject requests from your own personnel. Blackfyre will assist by providing the technical means to access, export, correct, or delete personal data upon written request within 7 business days. Contact hello@blackfyre.ai.

9. Data Transfers

All subprocessors are based in the United States. No personal data is transferred to countries outside the United States in the ordinary course of providing the service.

10. Term and Termination

This DPA remains in effect for the duration of the subscriber's Terms of Service. Upon termination, Blackfyre will delete or return personal data within 30 days as described in the Privacy Policy.

11. Contact

Data processing inquiries: hello@blackfyre.ai — subject line "DPA Inquiry."


Blackfyre LLC · GSA MAS 47QTCA26D002F · Washington, DC