Data processing

A data processing agreement, in plain terms.

Cuttlefish keeps your data where you put it and only does what you allow. If your team needs that in writing, our Data Processing Agreement spells out how we handle data on your behalf — and you can request a signed copy.

The basics

What a DPA is, and who needs one.

A Data Processing Agreement is the contract that sets out how a vendor handles personal data for a customer. It is the document procurement and security teams ask for during review.

What the document does

The DPA defines our roles, the data we touch on your behalf, how we protect it, and the commitments we make about transfers, retention, and your rights. It sits alongside our terms of service and is signed before or at purchase. It turns the promises on this site into binding commitments.

Who needs one

Teams subject to GDPR, UK GDPR, or CCPA usually require a signed DPA before rolling Cuttlefish out. So do organizations whose security or procurement process gates new tools on a data agreement. If that is you, request the signed copy and route it through your reviewers.

How to get it

Email our legal team and tell us your company, your work email, and any review deadline. We send the current signed DPA for your counsel to review and execute. If you have security-specific questions, those can run in parallel through our security and subprocessor routes.

In plain language

How Cuttlefish processes your data.

The short version: most of your data never leaves your machine. The DPA covers the limited backend data we do handle, summarized here.

Roles: you control, we process

You are the controller of your own content — your chats, files, prompts, and the work Cuttlefish does for you. Moguls Inc acts as a processor for the limited operational data our backend handles on your behalf, and only for the purposes you have agreed to.

Categories of data

The backend handles session information, account and configuration preferences, and tamper-proof records of governed actions. Your conversations, files, documents, and AI provider keys are not collected or transmitted to us — keys stay in your operating system's secure keychain.

Where your data lives

Local stays local. Run a model on your own machine and the whole exchange stays there. When you use an outside AI provider, your request goes straight from your device to them under your own key — we do not sit in the middle or store that traffic.

Security measures

Backend data is encrypted at rest and protected in transit with modern TLS. Records of governed actions are written once and cannot be quietly altered, so the proof of what happened stays trustworthy. Access controls and approvals are part of how the product works, not an add-on.

International transfers

The backend that handles this limited data runs in the United States. The signed DPA sets out the transfer protections that apply to customers in the EU, the UK, and other regions, so cross-border processing is covered by recognized safeguards.

Retention

Operational data is kept only as long as needed to run your account and the service. Records of governed actions are held in write-once storage for a fixed seven-year period for audit integrity, then handled per the agreement. You can ask what we hold and request deletion within those limits.

Your rights

What you can ask us to do.

The DPA carries the data-subject rights set out in our Privacy Policy. You can exercise them by contacting our legal team.

Access and correction

Ask what personal data we hold about you, and request that anything inaccurate be corrected.

Deletion and portability

Request deletion of your data, or a portable copy of it, within the limits of the audit-record retention period.

Object, restrict, withdraw

Object to or restrict how we process your data, and withdraw consent at any time without losing your other rights.

No sale of your data

We do not sell personal information, and you are never penalized for exercising any of these rights.

Request the document

Get the signed DPA for your team.

Email our legal team and we will send the current signed agreement for your counsel to review and execute.