Last updated: May 1, 2026
Scope
This DPA applies to all processing of personal data that we perform on behalf of the Controller in connection with the services.
Roles
The Controller determines the purposes and means of processing. The Processor processes data only on the Controller’s documented instructions, which are deemed to be the Terms and the use of the services.
Subprocessors
The Controller authorizes the use of subprocessors listed in our public registry. The Processor will notify the Controller 30 days before adding a new subprocessor; the Controller may object on reasonable grounds.
International transfers
Transfers outside the EEA rely on the EU Standard Contractual Clauses (Module 2 for Controller-to-Processor, Module 3 for Processor-to-Processor). The SCCs are incorporated by reference.
Security
The Processor will implement and maintain appropriate technical and organizational measures, as described in our Security Overview at /legal/security.
Personal data breach
The Processor will notify the Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting the Controller’s personal data.
Data subject rights
The Processor will provide reasonable assistance with data subject rights requests, including access, rectification, erasure, and portability.
Audit rights
The Controller may audit the Processor’s compliance once per year on 30 days notice, or more frequently following a personal data breach. Audits may rely on our SOC 2 report and other certifications.
Return and deletion
On termination, the Processor will delete or return all personal data within 90 days, except where retention is required by law.
Order of precedence
In case of conflict between this DPA and the Terms, this DPA prevails for matters of data protection.
