Legal
Data Processing Addendum
Last updated: June 27, 2026
This page summarizes Myellin data processing practices for customers and vendor-review teams. A signed data processing addendum can be requested from privacy@myellin.com.
Roles
For customer workspace content, notebook data, uploaded files, prompt libraries, chat history, Learn data, and organization administration records, the customer is the controller and Myellin acts as processor. Myellin acts as controller for account administration, security, abuse prevention, billing/support communications where applicable, and product operations metadata.
Customer data
Customer data may include account details, notebook content, flashcards, prompt templates, AI run metadata, uploaded files, and support communications. Organization records may include membership, invitations, roles, policies, audit events, public-link inventory, and integration token metadata.
Processing purposes
Myellin processes customer data to provide the product, maintain security, support account administration, troubleshoot issues, and operate user-initiated AI workflows.
Locations
Myellin is hosted through Vercel and Supabase. Data location depends on the production deployment configuration and the subprocessors used for enabled features. Optional AI providers may process selected content in the regions described by their own service terms. Customers with a region requirement should request confirmation before enabling optional providers.
Subprocessors
Current infrastructure and AI subprocessors are listed on the Subprocessors page. Provider use can vary by feature and customer configuration.
Retention
Customer content remains in Myellin until deleted by the user, removed through account deletion, or handled through a verified data subject request. Audit and security records may be retained according to the configured organization retention policy. Backups and subprocessor logs may continue to retain data for their normal retention windows.
Deletion and export
Users can export account data from the product and delete content or request account-level deletion. Account export intentionally omits secret ciphertext, token hashes, and raw provider keys. Organization-wide self-service export is not available yet. Data requests can be sent to privacy@myellin.com.
Current enterprise scope
Myellin currently supports organization membership administration, audit logs, public-link inventory, AI provider policy, Clipper/MCP token inventory, BYOK encryption, account export, and signed Windows desktop deployment through managed package releases. SSO/SAML/OIDC, SCIM, organization-enforced MFA, and remote device/session revocation are not implemented yet.