Data Processing Agreement
Last updated March 29, 2026
This Data Processing Agreement (the “DPA”) is entered into by and between Datarails, as defined in the Terms of Service or the respective order form (the “Company” or, for purposes of this engagement, the “Processor”), and the Customer as defined in the applicable Order Form, and forms an integral part of the Terms of Service between the Company and the Customer (which shall be deemed for purposes of this engagement as the “Controller”).
All capitalized terms shall have the meaning ascribed to them in the Terms of Service agreement signed between the Company and the Customer (the “Terms of Service”) unless expressly provided otherwise in this DPA. In the event of a conflict between the Terms of Service and this DPA, the terms of this DPA shall control over processing of Customer Personal Data (as defined below).
The Customer and the Company hereby agree as follows:
1. DEFINITIONS
1.1. “Applicable Data Protection Laws” means applicable privacy and data protection laws in connection with the processing of personal data conducted pursuant to the Terms of Service, including without limitation (to the extent applicable), (a) GDPR (as defined below); (b) CCPA (as defined below); (c) UK GDPR and (d) guidance issued by any relevant supervisory authority or implementing, amending, or supplementing the above laws, rules and regulations, whether in effect now or in the future.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
1.3. “Customer” as used in this DPA shall mean, collectively, the Customer party that enters into the Terms of Service.
1.4. “Customer Personal Data” means any Personal Data provided by Customer or by any of its representatives or employees on its behalf and processed by the Company solely on Customer’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or natural person, or for purposes of the CCPA, with a consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under Applicable Data Protection Laws.
1.5. “Data Subject Requests” means any requests from a Data Subject related to access, rectification, suppression, limitation, objection, portability and erasure of Personal Data or other requests authorized under Applicable Data Protection Laws.
1.6. “Designated Contact” for reporting Security Events, Data Subject Requests, and Personal Data Breach of the Customer Personal Data, means (a) compliance@datarails.com and such additional contact as designated by the Company; and (b) the Customer’s email included in the applicable order form and/or such additional contact as designated by the Customer.
1.7. “GDPR” means EU General Data Protection Regulation 2016/679.
1.8. “Instructions” means the documented instructions provided by the Customer, including as set forth in the Terms of Service and this DPA, and as necessary to provide the Services, including the Customer’s use of the Services, submission of data, and any configurations or actions performed by the Company on the Customer’s behalf.
1.9. “Personnel” means Company or Customer’s employees, contractors, subcontractors, agents, representatives and end users.
1.10. “Security Event” means any actual unauthorized access to or compromise of Customer Personal Data.
1.11. “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
1.12. “Sub-processor” means any third party engaged by the Company to process Customer Personal Data on behalf of the Customer.
1.13. “UK GDPR” means the retained version of the UK General Data Protection Regulation under the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and the Data (Use and Access) Act 2025, as each is in force and as may be amended, replaced or supplemented.
1.14. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Applicable Data Protection Laws.
2. DATA PROTECTION AND PRIVACY OF PERSONAL DATA
In addition to the other obligations set forth hereunder, each of Customer and Company agrees:
2.1. Roles of the Parties. The parties acknowledge and agree that, with respect to the processing of Customer Personal Data, the Customer acts as the controller, and the Company acts as a processor (and, where applicable, a Service Provider under applicable data protection laws).
2.2. Compliance with Applicable Law. Each party shall comply with its respective obligations under Applicable Data Protection Laws in relation to the processing of Customer Personal Data.
2.3. Processing Instructions. The Company shall process Customer Personal Data solely on behalf of the Customer and in accordance with the Customer’s documented instructions, including as set forth in the Terms of Service and this DPA, and shall not process Customer Personal Data for any purpose other than as instructed by the Customer, unless required to do so by applicable law.
2.4. Nature and Purpose of Processing. The Company processes Customer Personal Data solely for the purpose of providing the Services in accordance with the Terms of Service, as further described in Annex A (Details of Processing). The Company shall not sell Customer Personal Data, and the transfer of Customer Personal Data to the Company shall not be deemed a sale under applicable law.
2.5. Restricted Use and Disclosure. The Company shall not retain, use, or disclose Customer Personal Data for any purpose other than as necessary to perform the Services, as permitted under this DPA, or as otherwise required by applicable law.
2.6. International Transfers. The Company may process Customer Personal Data in countries outside the EEA or the United Kingdom. To the extent such processing constitutes a transfer under Applicable Data Protection Laws, such transfers shall be carried out in accordance with Applicable Data Protection Laws and subject to appropriate safeguards, including the Standard Contractual Clauses attached as Annex B to this DPA (the “SCCs”), which are hereby incorporated by reference and form an integral part of this DPA. Where applicable, the SCCs shall be supplemented by the UK Addendum or other valid transfer mechanism. For the purposes of the SCCs, the Customer shall be deemed the data exporter and the Company the data importer, unless otherwise specified in Annex I.A of the SCCs. In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail with respect to the subject matter of data transfers.
2.7. Unlawful Instructions. The Company shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
2.8. Use of Artificial Intelligence. The Company may use automated tools, including artificial intelligence or machine learning technologies, in connection with the provision of the Services. Any processing of Customer Personal Data using such tools shall be carried out solely in accordance with this DPA and Applicable Data Protection Laws. The Company shall not use Customer Personal Data to train or improve its models for purposes unrelated to the provision of the Services, and shall not engage in automated decision-making producing legal or similarly significant effects on individuals, unless expressly authorized in writing by the Customer and permitted under Applicable Data Protection Laws.
2.9. Customer Responsibilities. The Customer is responsible for ensuring that its instructions, including any data submitted to the Services, comply with Applicable Data Protection Laws, including providing appropriate notices and obtaining any required consents.
3. DATA SUBJECT RIGHTS
3.1. The Company shall provide commercially reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s access, rectification, erasure, data portability, restriction of processing or opt-out requests and objections. Customer acknowledges that it is solely responsible for responding to and resolving all Data Subject requests and for ensuring compliance with all obligations under Applicable Data Protection Laws regarding Data Subject rights. The Company’s role is purely assistive, and all substantive decisions regarding Data Subject requests remain with Customer.
3.2. The Company shall notify the Customer’s Designated Contact without undue delay if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of the Customer Personal Data; and ensure it responds to that request as required by Applicable Data Protection Laws (but the Company will not itself respond other than to confirm receipt of the request, to inform the Data Subject, authority or other third party that their request has been forwarded to Customer, and/or to refer them to Customer, except per reasonable instructions from Customer).
3.3. The Company will also reasonably assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities relating to the Company.
3.4. Upon Customer’s reasonable request, the Company shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to the Company. The Company shall provide reasonable assistance to Customer in the cooperation or prior consultation with any Supervisory Authority in the performance of its tasks relating to this Section 3.4, to the extent required under Applicable Data Protection Laws. Any such assistance shall be provided at Customer’s cost if it requires substantial time or resources beyond normal Service operations.
4. PERSONAL DATA BREACH AND SECURITY EVENTS
4.1. The Company shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach or a Security Event affecting the Customer Personal Data and shall provide the Customer with reasonable information regarding the nature of the breach and the measures taken or proposed to address it.
4.2. Unless otherwise mandated by Applicable Data Protection Laws, the Customer shall instruct the Company whether to notify Data Subjects or supervisory authorities of the Personal Data Breach, pursuant to the requirements under Applicable Data Protection Laws.
4.3. The Company shall take reasonable steps in the investigation, mitigation and remediation of each such Personal Data Breach or a Security Event.
5. SUBPROCESSORS AND PERSONNEL
5.1. Customer shall ensure Personnel authorized to Process the Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and shall ensure that such Personnel use the Customer Personal Data only in accordance with this DPA and implement the security measures stipulated in this DPA.
5.2. Both parties will disclose the Customer Personal Data only to those Personnel who have the need to know such Customer Personal Data in connection with the performance of the Terms of Service.
5.3. Customer hereby grants to the Company a general written authorization to use sub-processors for the provision of the Service, provided that:
5.3.1. the Company shall ensure that it engages such sub-processors by written agreement;
5.3.2. the sub-processors engaged by the Company are listed at https://www.datarails.com/sub-processors/, and may be updated by the Company from time to time;
5.3.3. the Company shall ensure that any sub-processor is bound by written contractual obligations that are no less protective than those set out in this DPA;
5.3.4. where the Company engages any third-party AI service (including large language model or generative AI platforms) that may process Customer Personal Data, such service shall be treated as a Sub-processor under this DPA, and the Processor shall ensure that appropriate contractual and technical safeguards are in place; and
5.3.5. the Company will notify the Customer of any intended changes concerning the addition or replacement of a sub-processor thereby giving the Customer the opportunity to object to the addition or replacement within fourteen (14) days of the notification. Any objection must be reasonable, documented in writing, and based on legitimate data protection grounds demonstrating that the proposed sub-processor cannot comply with obligations substantially similar to those in this DPA. If Customer raises a reasonable and documented objection, the Company may: (i) provide an alternative sub-processor that reasonably addresses Customer’s concerns; or (ii) implement additional safeguards to address the specific concerns raised. If the Company determines that it cannot reasonably accommodate Customer’s objection or that the sub-processor is necessary for core functionality of the Services, Customer may terminate the affected Services upon written notice to Company within thirty (30) days, provided that Customer shall remain obligated to pay all fees for Services through the effective date of termination. If Customer does not object within fourteen (14) days, Customer shall be deemed to have accepted the new or replacement sub-processor. Notwithstanding the foregoing, the objection right shall not apply to: (a) sub-processors engaged for general IT services (such as cloud infrastructure providers) where Company implements appropriate technical and organizational measures; or (b) sub-processors replacing existing sub-processors that perform substantially similar functions and are subject to substantially similar contractual obligations.
6. SECURITY
6.1. The Company shall implement and maintain commercially reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of processing Customer Personal Data, in accordance with the requirements of Applicable Data Protection Laws. Such measures are further described in Annex II, if applicable.
6.2. Each party shall implement appropriate technical and organizational measures to protect personal data under its control, consistent with applicable data protection laws and industry standards.
6.3. The Customer shall be responsible for the accuracy and completeness of Customer Personal Data. The Company shall implement reasonable measures to ensure the security and integrity of Customer Personal Data, including maintaining appropriate logging and access controls, to the extent applicable to the Services. Each party shall retain personal data only as necessary to fulfill its obligations under this Agreement and in accordance with applicable law.
7. RECORDS AND AUDITS
7.1. In connection with the processing of Customer Personal Data, the Company shall, during the term of engagement with the Customer, provide the Customer with information reasonably necessary to demonstrate compliance with the obligations laid down in the Applicable Data Protection Laws, within reasonable times, subject to the Company’s confidentiality obligations and internal policies.
7.2. Should Applicable Data Protection Laws require Customer to perform an audit on the Company for compliance purposes, and only during the term of the engagement with Customer, the Company shall allow for and contribute to audits and inspections, conducted by the Customer or another auditor mandated by the Customer, provided that: (i) the auditor or anyone on its behalf shall enter into a confidentiality undertaking towards Company in a form reasonably agreed by Company; (ii) the audit shall not be conducted more than once every twelve months; (iii) the Customer must provide reasonable prior written notice; (iv) the audit may be conducted only during business hours, shall cause minimal disruption to the Company’s business and shall be subject to reasonable safeguards to protect the Company’s confidential information; (v) the purpose of the audit shall be limited only to compliance with Applicable Data Protection Laws; and (vi) the Customer shall bear all reasonable costs and expenses associated with such audit, unless otherwise agreed in writing. The Company may satisfy its obligations under this section by providing Customer with attestations, certifications, and summaries of audit reports conducted by accredited third-party auditors.
8. GENERAL
8.1. This DPA shall be governed by the laws applicable to the Terms of Service.
8.2. Upon termination or expiration of the Terms of Service, the Customer shall have the ability to access and export Customer Personal Data during the term of the Agreement. Following termination, the Company shall delete Customer Personal Data within a reasonable period, unless applicable law requires storage of such Personal Data.
8.3. The parties acknowledge that laws governing artificial intelligence and automated decision-making are evolving. The Company may update its AI-related practices or applicable AI Terms as reasonably necessary to reflect changes in law, provided that such updates do not materially diminish Customer’s rights or increase its obligations under this DPA.
8.4. Company’s liability under this DPA, including any liability arising from or related to the processing of Customer Personal Data, Personal Data Breaches, Security Events, sub-processors, or any other matter arising under this DPA, is subject to and shall not exceed the limitations on liability, exclusions, caps, and disclaimers contained in the Terms of Service.
8.5. IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Terms of Service with effect from the effective date set out below.