Runback
Why RunbackSee it workPricingDocsLog inStart free →
Legal

Data Processing Agreement

Last updated 2 July 2026

This DPA forms part of the agreement between the customer ("Controller") and Runback Inc., a Delaware corporation ("Processor"), for the managed cloud service. It governs Runback's processing of personal data on the customer's behalf. A countersignable copy — which includes completed Annexes I, II, and III and constitutes the binding Art.28 GDPR processor agreement — is available from legal@runback.dev.

Self-host doesn't need a DPA. If you run Runback in your own infrastructure, you remain the sole controller and processor of your data — we never receive it, so there is no processing for us to govern. This DPA applies only to the managed cloud. If your legal team requires a vendor agreement for software supply-chain due diligence regardless of data flow, contact legal@runback.dev for an appropriate addendum.

1. Roles

For personal data contained in agent traces and account data processed via the managed cloud, the customer is the Controller and Runback is the Processor. Runback processes such data only on the customer's documented instructions, including those expressed through use of the service.

2. Subject matter & duration

Subject matterProvision of the Runback managed cloud (observe, replay, evals, audit).
DurationFor the term of the agreement, plus any limited deletion window.
Nature & purposeStoring and processing agent trace and account data to deliver the service.
Data subjectsThe customer's users and any individuals whose data appears in traces (designed to be redacted in-process).
CategoriesAccount identifiers; technical/usage data; trace content as configured by the customer.

3. Processor obligations

  • Process only on documented instructions, including for transfers.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Section 6).
  • Assist the Controller with data-subject requests and with security, breach, and impact-assessment obligations.
  • Delete or return personal data at the end of the service, subject to legal retention.
  • Make available all information necessary to demonstrate compliance with the obligations in Art.28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable prior notice and appropriate confidentiality obligations.

4. Sub-processors & independent controllers

The Controller authorises Runback to engage the following sub-processors under written terms imposing equivalent data-protection obligations:

Sub-processorPurposeLocation
Supabase Inc.Managed Postgres database and authentication infrastructure — stores agent trace records, account data, and audit logs for the managed cloud.United States
Resend Inc.Transactional email delivery — sends magic-link sign-in emails and alert notifications. Receives recipient email address and message content only.United States

Independent controllers (not sub-processors):Lemon Squeezy LLC operates as Merchant of Record for paid subscriptions. As MoR, Lemon Squeezy acts as an independent data controller for payment and billing data — it is not a sub-processor of Runback and is not bound by this DPA. Lemon Squeezy's own privacy policy and terms govern its processing of your payment data.

Runback will give the Controller at least 30 days' advance written notice of any intended addition or replacement of sub-processors listed above, allowing the Controller reasonable time to object before the change takes effect. The countersignable DPA (available from legal@runback.dev) includes an Annex III with the current, dated sub-processor list.

5. International transfers

Where personal data is transferred from the EEA or UK to a third country, the parties rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914), Module 2 (Controller to Processor), which are incorporated by reference. For UK transfers, the parties additionally rely on the UK Addendum to those SCCs (issued by the ICO under S119A(1) of the UK Data Protection Act 2018). The completed Annexes I (description of processing and competent supervisory authority), II (technical and organisational security measures), and III (sub-processor list) are included in the countersignable DPA available from legal@runback.dev. No transfer occurs for self-hosted deployments.

6. Security measures

Runback maintains measures appropriate to the risk, including: in-process redaction of secrets and PII before egress; encrypted transport; hashed credentials and API keys; role-based access control; tenant isolation; tamper-evident, hash-chained audit records; and rate limiting. The current, honest state of these controls is published on our security page.

7. Personal-data breach

Runback will notify the Controller without undue delay and in any case within 48 hoursof becoming aware of a personal-data breach affecting the Controller's data, and will provide information reasonably needed for the Controller's own notification duties under applicable law (including GDPR Art. 33 and APRA CPS 234).

8. Deletion & return

On termination, Runback will delete or return the Controller's personal data within 30 days, except where retention is required by applicable law. The Controller can delete individual runs at any time through the service. Self-hosted deployments retain full control of their database and may execute deletion immediately.

9. Liability & precedence

Liability under this DPA is subject to the limitations in the Termsor MSA, except that the aggregate liability cap shall not limit either party's liability arising from a personal-data breach caused by that party's breach of this DPA or gross negligence or wilful misconduct in its data-protection obligations — such liability remains uncapped or subject to a separate higher sub-cap as agreed in the executed MSA. If there is a conflict on data-protection matters, this DPA controls.

10. Contact

Data-protection contact: privacy@runback.dev. To execute a signed DPA: legal@runback.dev.

Runback

Govern, observe & audit your AI agents.

AI Governance Weekly

One regulatory update, one incident pattern, one control — every Monday.

Product

How it worksPricingDocumentationGet started free

Proof

MTTR proofrunback.cassette/v1Verify a recordDemo runs

Company

EnterpriseSecurityBook a callContact
© RunbackPrivacyTermsDPA