Data Processing Addendum

This DPA forms part of, and is incorporated into, the Terms of Service. It applies whenever we process personal data on behalf of a customer ("Customer Data").

You are the "controller" of Customer Data. We are the "processor" (or, in California, the "service provider"). For your own account data (e.g. your billing email), we act as a controller in our own right under the Privacy Policy.

We will process Customer Data only on documented instructions from you. The instructions are: (a) the Service as configured by you; (b) any other instruction you give us in writing that is consistent with the Terms.

You authorize us to engage the categories of subprocessors listed in the Privacy Policy. We will give 30 days' notice of any new subprocessor by email; if you object, you may terminate the affected portion of the Service for a pro-rata refund.

We remain responsible for the acts and omissions of our subprocessors as if they were our own.

For Customer Data originating in the EEA, the UK, or Switzerland, the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK International Data Transfer Addendum are incorporated into this DPA by reference, with us as the data importer and you as the data exporter.

We will implement and maintain technical and organisational measures appropriate to the risks of processing Customer Data. These include:

• TLS 1.2+ for all data in transit; AES-256 for data at rest.
• HMAC-signed identity tokens for inter-service authentication.
• Per-tenant data isolation enforced at the database, object-storage, and HTTP layers.
• Per-account spend caps enforced before every chargeable operation.
• Logging, monitoring, and alerting; restart-safe persistent job queues.
• Least-privilege access controls; production access requires multi-factor authentication.

Additional detail is in our Security documentation.

On reasonable written notice (no more than once per year, unless required by your supervisory authority), we will make available the most recent third-party audit reports available to us (e.g. SOC 2 Type II) and respond to a reasonable security questionnaire. On-site audits are by agreement and at your cost.

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer Data. The notification will describe the nature of the breach, categories and approximate volume of data records concerned, likely consequences, and the measures taken or proposed to address it.

On termination of the Service, you may export Customer Data via the in-product "Download my data" tool for up to 30 days. After 30 days, we will delete or anonymise Customer Data from live systems; backup copies expire per the published backup-retention schedule.

This DPA takes effect when you accept the Terms and continues for as long as we process Customer Data on your behalf.