Skip to content
DeCA Platform

The due-diligence pack, published before you ask

An SLA with numbers and service credits, a downloadable DPA, the subprocessor list, data location and live service status. Everything procurement, your advisors or your DPO need to review — no forms, no NDA.

The whole file, at a glance

The six documents and resources a B2B due diligence usually takes weeks to extract from a vendor. Here they are, published.

SLA with service credits

Availability objectives with a measurement definition, exclusions and automatic compensation. In force from launch.

Read the SLA

DPA (GDPR Art. 28)

A complete, downloadable data processing agreement: subject matter, measures, subprocessors, breaches and audits.

View the DPA

Subprocessors

Who processes data on our behalf, what data, where, and under which safeguards. 30 days' advance notice of changes.

See the list

Data location: EU

Database and primary PDF storage with residency in the European Union.

See details

Service status

Availability of the inspection service, API and panel, measured and published in real time, with incident history.

Open the status page

Technical security

Encryption, RLS isolation and the verifiable hash chain, explained in detail. Don't trust us — verify.

Read the page

Service level agreement (SLA) — v1

No transport-document vendor in Spain publishes its SLA. This is ours, with definitions and compensation. No hidden fine print: the fine print is right here, published.

In force from launch

ServiceMonthly objectiveWhat it measures
Public inspection download (URL/QR)99.9%Monthly availability of the service answering each document’s public URL.
Public API and web panel99.5%Monthly availability of the v1 API and the self-service web application.

Definition and measurement

Monthly availability is the percentage of minutes in the calendar month during which the service responds correctly, measured by independent external monitoring from several geographic locations. Results are published on thestatus page, incident by incident.

The following does not count as downtime: scheduled maintenance announced at least 48 hours in advance on the status page (always outside Spanish business hours and never affecting the inspection download), failures of the customer's network or systems, use contrary to theterms of service, and force majeure.

Service credits

If we close a month below the objective, we compensate with a service credit on that month's spend (plan fee or, for prepaid bundles, its equivalent in document credits):

  • Below target and ≥ 99.0%: 10% service credit.
  • Below 99.0% and ≥ 95.0%: 25% service credit.
  • Below 95.0%: 50% service credit.

Claim by email within 30 days of month end, stating the affected dates; we verify against our monitoring and apply the credit to your next invoice or credit balance. The service credit is the exclusive remedy for SLA breaches.

Subprocessors

The providers that process data on our behalf. This list is the same one annexed to the DPA: there are no two versions.

SubprocessorServiceData processedLocationSafeguards
Cloudflare, Inc.Delivery network (edge/CDN), public inspection download service and PDF storage (R2)Transport document PDFs and technical access logsGlobal network; data storage configured in the EUDPA with Standard Contractual Clauses (SCCs) and EU-U.S. Data Privacy Framework certification
Supabase, Inc. (sobre AWS)Database and panel user authenticationAccount data, master data (customers, vehicles, drivers) and document dataEU region (AWS data centre in the European Union)DPA with SCCs; data remains in the selected EU region
Stripe, Inc.Payment processing and billingBilling and payment data (card data is handled by Stripe only)EU / USADPA with SCCs and EU-U.S. Data Privacy Framework certification
Resend, Inc.Transactional email delivery (driver links, alerts, notifications)Recipient email addresses and notification contentUSA / EUDPA with SCCs

Any addition or replacement is published here and emailed to account administratorsat least 30 days in advance. The contractual detail (safeguards, right to object) is in theDPA.

Data location: European Union

Where your data lives, without ambiguity.

Database

Hosted in an EU data centre. It holds account data, master data and document content, with per-account isolation enforced by the database engine itself (RLS).

PDFs and evidence

Object storage configured with EU data residency, distributed through a global delivery network so inspections download fast from any roadside.

Transfers

Where a subprocessor is headquartered outside the EU, processing relies on Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework. Case by case, in the subprocessor table.

Security contact and commitments

Who to write to and what you can hold us to.

Breach notification

If a security breach affects personal data we process on your behalf, we notify you without undue delay with the information under GDPR Art. 33(3), so you can meet your own deadlines before your supervisory authority. This is a contractual commitment in the DPA.

Incident transparency

Availability incidents are published on thestatus page with a timeline and post-incident analysis. No history rewriting.

Changes to these documents

The SLA, the DPA and this page are versioned. Material changes are announced by email to account administrators with reasonable notice, and never reduce guarantees mid-term.

Due-diligence FAQ

Are you ISO 27001 certified?
Not yet — and we will not pretend otherwise with a decorative badge. Our answer in the meantime is radical transparency: a public SLA with service credits, a published DPA, a subprocessor list, a technical security page with verifiable evidence, and an open status page. Formal certification is on our roadmap; the transparency is already here.
Where is my data stored?
The database is hosted in a European Union data centre and PDF storage is configured with EU data residency. Subprocessors headquartered outside the EU operate under Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework. The full list is published on this page.
Will you sign your DPA? Can I use my own?
Our DPA is published and forms part of the service contract; if your legal team needs a countersigned copy, we will send one. If your organisation requires its own data-processing agreement, write to us and we will review it — we are a small vendor and we answer fast.
How will I know if you change a subprocessor?
We publish any change to the subprocessor list at least 30 days in advance and notify account administrators by email, as set out in the DPA. If you object on reasonable data-protection grounds, you may terminate without penalty before the change takes effect.
How do I report a security vulnerability?
Write to security@deca.example. We acknowledge within 48 working hours and take no legal action against good-faith research. Details are on the security page and at /.well-known/security.txt.

89daysuntil 5 October 2026

The due diligence is already done. All that's missing is your account.

Start with 10 free documents and keep this page for your compliance file.