
Data Processing Agreement

Effective Date: November 2, 2025

For EU/UK/Swiss Customers

This Data Processing Agreement (DPA) forms part of our Terms of Service for customers subject to GDPR and other data protection laws. By accepting our Terms of Service, you also accept this DPA.

Overview

This DPA reflects our commitment to GDPR compliance and establishes:

  • The roles of Controller (you) and Processor (us)
  • Our data processing obligations
  • Security measures and safeguards
  • Your rights and our responsibilities
  • International data transfer protections

Data Processing Details

Data Categories

  • Usage metrics (API calls, timestamps)
  • Account information (names, emails)
  • Billing data (addresses, transaction history)
  • Technical data (IP addresses, logs)

Data Subjects

  • Your employees and authorized users
  • Your customers (aggregate metrics only)

Processing Purpose

To provide billing and usage metering services as described in our Terms of Service.

Our Commitments

  • Process only on your instructions - We follow your documented instructions
  • Maintain confidentiality - All personnel bound by confidentiality
  • Implement security measures - TLS 1.2+, AES-256, access controls
  • Assist with data subject requests - Help you fulfill user rights requests
  • Notify data breaches - Within 48 hours of discovery
  • Delete data on termination - Within 90 days unless legally required to retain

Security Measures

Technical

  • Encryption (TLS 1.2+, AES-256)
  • Multi-factor authentication
  • Security monitoring 24/7
  • Regular penetration testing

Organizational

  • Role-based access control
  • Employee background checks
  • Security training programs
  • Incident response procedures

Subprocessors

We use carefully vetted subprocessors to help deliver our services. You can view our current subprocessors on our Subprocessor List.

We will notify you 30 days before engaging new subprocessors, and you have the right to object.

International Data Transfers

For data transfers from the EEA, UK, or Switzerland to the US, we use:

  • Standard Contractual Clauses (SCCs) - EU Commission approved
  • Supplementary Measures - Per EDPB recommendations
  • Data Residency Options - Available upon request

Data Retention and Deletion

We retain data only as long as necessary:

  • Account data: Duration of account + 90 days
  • Usage data: 2 years
  • Financial records: 7 years (legally required)

See our Data Retention Policy for complete details.

Audit Rights

You have the right to audit our compliance:

  • ✓ Annual SOC 2 reports (when available)
  • ✓ On-site audits (with 30 days' notice, once per year)
  • ✓ Security documentation upon request

Contact & Questions

Data Protection Officer: [email protected]

DPA Requests: [email protected]