Data Processing Agreement
This DPA forms part of the agreement between the customer ("Controller") and Runback Inc., a Delaware corporation ("Processor"), for the managed cloud service. It governs Runback's processing of personal data on the customer's behalf. A countersignable copy — which includes completed Annexes I, II, and III and constitutes the binding Art.28 GDPR processor agreement — is available from legal@runback.dev.
1. Roles
For personal data contained in agent traces and account data processed via the managed cloud, the customer is the Controller and Runback is the Processor. Runback processes such data only on the customer's documented instructions, including those expressed through use of the service.
2. Subject matter & duration
| Subject matter | Provision of the Runback managed cloud (observe, replay, evals, audit). |
|---|---|
| Duration | For the term of the agreement, plus any limited deletion window. |
| Nature & purpose | Storing and processing agent trace and account data to deliver the service. |
| Data subjects | The customer's users and any individuals whose data appears in traces (designed to be redacted in-process). |
| Categories | Account identifiers; technical/usage data; trace content as configured by the customer. |
3. Processor obligations
- Process only on documented instructions, including for transfers.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 6).
- Assist the Controller with data-subject requests and with security, breach, and impact-assessment obligations.
- Delete or return personal data at the end of the service, subject to legal retention.
- Make available all information necessary to demonstrate compliance with the obligations in Art.28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable prior notice and appropriate confidentiality obligations.
4. Sub-processors & independent controllers
The Controller authorises Runback to engage the following sub-processors under written terms imposing equivalent data-protection obligations:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Managed Postgres database and authentication infrastructure — stores agent trace records, account data, and audit logs for the managed cloud. | United States |
| Resend Inc. | Transactional email delivery — sends magic-link sign-in emails and alert notifications. Receives recipient email address and message content only. | United States |
Independent controllers (not sub-processors):Lemon Squeezy LLC operates as Merchant of Record for paid subscriptions. As MoR, Lemon Squeezy acts as an independent data controller for payment and billing data — it is not a sub-processor of Runback and is not bound by this DPA. Lemon Squeezy's own privacy policy and terms govern its processing of your payment data.
Runback will give the Controller at least 30 days' advance written notice of any intended addition or replacement of sub-processors listed above, allowing the Controller reasonable time to object before the change takes effect. The countersignable DPA (available from legal@runback.dev) includes an Annex III with the current, dated sub-processor list.
5. International transfers
Where personal data is transferred from the EEA or UK to a third country, the parties rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914), Module 2 (Controller to Processor), which are incorporated by reference. For UK transfers, the parties additionally rely on the UK Addendum to those SCCs (issued by the ICO under S119A(1) of the UK Data Protection Act 2018). The completed Annexes I (description of processing and competent supervisory authority), II (technical and organisational security measures), and III (sub-processor list) are included in the countersignable DPA available from legal@runback.dev. No transfer occurs for self-hosted deployments.
6. Security measures
Runback maintains measures appropriate to the risk, including: in-process redaction of secrets and PII before egress; encrypted transport; hashed credentials and API keys; role-based access control; tenant isolation; tamper-evident, hash-chained audit records; and rate limiting. The current, honest state of these controls is published on our security page.
7. Personal-data breach
Runback will notify the Controller without undue delay and in any case within 48 hoursof becoming aware of a personal-data breach affecting the Controller's data, and will provide information reasonably needed for the Controller's own notification duties under applicable law (including GDPR Art. 33 and APRA CPS 234).
8. Deletion & return
On termination, Runback will delete or return the Controller's personal data within 30 days, except where retention is required by applicable law. The Controller can delete individual runs at any time through the service. Self-hosted deployments retain full control of their database and may execute deletion immediately.
9. Liability & precedence
Liability under this DPA is subject to the limitations in the Termsor MSA, except that the aggregate liability cap shall not limit either party's liability arising from a personal-data breach caused by that party's breach of this DPA or gross negligence or wilful misconduct in its data-protection obligations — such liability remains uncapped or subject to a separate higher sub-cap as agreed in the executed MSA. If there is a conflict on data-protection matters, this DPA controls.
10. Contact
Data-protection contact: privacy@runback.dev. To execute a signed DPA: legal@runback.dev.