Draft — pending legal review. These terms are not legally binding until finalized. Questions or corrections: legal@rateplane.com.

Last updated: April 24, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the agreement between you (the "Customer") and Rateplane Ltd ("Provider") for the Rateplane service (the "Services"). It applies to personal data the Provider processes on behalf of the Customer in connection with the Services. It is designed to meet the requirements of Article 28 of the UK GDPR and, where relevant, the EU Standard Contractual Clauses (2021/914) as supplemented for UK transfers by the UK International Data Transfer Agreement (IDTA) or the UK International Data Transfer Addendum to the SCCs.

This DPA is offered as the default data-processing terms for Enterprise customers. A signable PDF version — identical in substance to this page — is available at /documents/rateplane-dpa.pdf (placeholder URL pending counsel-approved PDF).

1. Definitions

Terms not defined in this DPA have the meaning given in the UK GDPR. "Controller", "Processor", "Sub-processor", "Personal Data", "Data Subject", "Processing", and "Supervisory Authority" carry the meanings in Article 4. "SCCs" means the EU Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as may be supplemented for UK transfers by the UK IDTA or UK IDTA Addendum.

2. Roles and scope

  • The Customer is the Controller of the Personal Data processed through the Services; the Provider is the Processor acting on documented instructions from the Controller.
  • Where the Customer is itself a processor acting on behalf of another controller, this DPA applies as a sub-processing arrangement and the Customer warrants that it has authority to engage the Provider.
  • The Provider processes Personal Data only to provide, secure, support, and bill for the Services, or as otherwise instructed by the Controller in writing (which includes instructions issued through the normal use of the Services' dashboards and APIs).

3. Subject matter and duration

  • Subject matter: cloud-cost analytics, pricing comparison, budgeting, alerting, and related FinOps features delivered by the Provider through the Services.
  • Duration: for as long as the Customer uses the Services, plus the deletion-and-return period described in section 10.
  • Nature and purpose of processing: storage, analysis, aggregation, notification, and audit logging of cloud-cost data and workspace content.
  • Categories of data subjects: Customer's authorised users (employees, contractors, and invited teammates).
  • Categories of Personal Data: name, business email address, hashed password, profile image (optional), session metadata, and any personal data the Customer chooses to upload or connect via cloud-provider accounts. Special-category data is not in scope; the Customer agrees not to upload it.

4. Obligations of the Provider

The Provider will:

  • process Personal Data only on the Controller's documented instructions, including as to transfers, unless required by law (in which case the Provider will notify the Controller unless the law prohibits notification on important grounds of public interest);
  • ensure that persons authorised to process the Personal Data are committed to confidentiality (either contractually or by statutory duty);
  • implement and maintain the technical and organisational measures described in section 7;
  • make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to section 11;
  • taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data-subject requests (Articles 12–22 UK GDPR);
  • assist the Controller in meeting its obligations under Articles 32 to 36 UK GDPR (security, breach notification, impact assessments, prior consultation) taking into account the nature of the processing and the information available to the Provider;
  • notify the Controller without undue delay — and no later than 72 hours after becoming aware — of any confirmed Personal Data breach affecting the Controller's Personal Data, providing the information required by Article 33(3);
  • promptly inform the Controller if an instruction infringes data-protection law, in the Provider's opinion.

5. Obligations of the Controller

  • The Controller is responsible for the lawfulness of the data it provides, for providing any notices and obtaining any consents required under data-protection law, and for the accuracy of the data.
  • The Controller will ensure that its instructions to the Provider comply with data-protection law.
  • The Controller is responsible for the security of its account credentials, API keys, and any integrations it configures (for example, webhook URLs to third-party services).

6. Sub-processors

The Controller provides a general authorisation for the Provider to engage sub-processors for the Services, subject to the safeguards in this section. The current list is maintained in our Privacy Policy (sub-processors). A dedicated versioned sub-processor registry is planned; Enterprise customers may subscribe to change notifications in the order form.

  • The Provider will impose on each sub-processor obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
  • The Provider will remain fully liable to the Controller for the performance of each sub-processor's obligations.
  • The Provider will give at least 30 days' prior written notice (or email) of the addition or replacement of any sub-processor. The Controller may object in writing within that period for reasonable data-protection grounds; in the absence of a resolution, the Controller may terminate the affected Service without penalty.

7. Security measures (Annex II)

The Provider maintains the following technical and organisational measures, described more fully on our Security page:

  • TLS 1.2+ in transit; HSTS on marketing and dashboard domains.
  • Envelope encryption of cloud-provider credentials at rest (AES-256-GCM with a key-management layer that supports key rotation).
  • Role-based access control (OWNER / ADMIN / MEMBER / VIEWER) and workspace isolation; server-side enforcement of plan limits on every mutation endpoint.
  • Authentication via NextAuth with JWT sessions, bcrypt-hashed passwords, rate-limited login and registration, password-reset token rotation, and optional SAML SSO for Enterprise workspaces.
  • Webhook-signature validation on all inbound third-party webhooks.
  • Content-Security-Policy, HSTS, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), X-XSS-Protection, and Permissions-Policy headers; X-Powered-By header suppressed.
  • Structured audit logging of account-level actions; server logs retained for 30 days.
  • Backups encrypted at rest and purged within 90 days of account deletion.
  • Access to production systems restricted to named personnel under the principle of least privilege; credentials rotated on personnel change.

The Provider reviews and updates these measures periodically. Material reductions in protection will not be made. A current snapshot is maintained at /security.

8. International transfers (Annex I.B / SCCs)

Where Personal Data is transferred from the UK or EEA to a country that has not been the subject of an adequacy decision by the UK or the EU, the parties agree to incorporate:

  • the EU SCCs (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor) where the Customer is a Controller, or Module Three (Processor-to-Processor) where the Customer is a Processor;
  • the UK IDTA or the UK IDTA Addendum to the SCCs, where the transfer is subject to UK law.

The SCCs and the UK IDTA/Addendum are incorporated by reference into this DPA. Where there is a conflict between this DPA and the SCCs/IDTA, the SCCs/IDTA prevail for international-transfer purposes.

Annex I (parties, description of the transfer, competent supervisory authority) and Annex II (technical and organisational measures) are set out in this DPA in sections 3, 4, and 7. Annex III (sub-processors) is maintained in the Privacy Policy.

9. Breach notification

The Provider will notify the Controller of a confirmed Personal Data breach without undue delay and no later than 72 hours after becoming aware. The notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach, and the contact point for further information. Further information will be provided as it becomes available.

The Controller is responsible for deciding whether and how to notify its own data subjects and the Supervisory Authority. The Provider will assist the Controller as reasonably required.

10. Return and deletion

On termination or expiry of the agreement, the Provider will, at the Controller's choice, return or delete Personal Data, and delete existing copies, unless legal retention requires otherwise. Return is available by machine-readable export from the dashboard or API for 30 days after termination; deletion from primary storage completes within 30 days of termination and from rolling backups within 90 days.

11. Audit rights

  • The Controller may, on reasonable written notice and not more than once per 12-month period (save where a Personal Data breach or regulator request requires otherwise), audit the Provider's compliance with this DPA.
  • In lieu of on-site audit, the Provider may satisfy audit requests by providing its most recent third-party assessment report (for example, SOC 2 when available) or by completing a security questionnaire.
  • Audits will be conducted during business hours, with reasonable notice, and subject to confidentiality. The Controller bears its own costs; each party bears its own reasonable costs of complying.

12. Liability and term

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement between the parties (including the Terms of Service or any Enterprise order form). This DPA takes effect on the effective date of the underlying agreement and remains in force for the term of that agreement, and for any further period during which the Provider processes Personal Data for the Controller.

13. Governing law

Where the underlying agreement is governed by the laws of England and Wales, this DPA is similarly governed. Where a different governing law applies to the underlying agreement, this DPA follows that law — except that the SCCs and the UK IDTA are governed by the laws they prescribe.

14. Signing and contacts

A signable PDF version of this DPA, identical in substance to the content on this page, is available at /documents/rateplane-dpa.pdf (placeholder; to be replaced with the counsel-approved PDF). Enterprise customers may also request a DPA execution via their order form or by emailing legal@rateplane.com.

Data-protection enquiries: dpo@rateplane.com.