This Data Processing Agreement ("DPA") forms part of the agreement between Whitenoise AS ("Processor", "we") and you ("Controller", "you") for the use of the Runlater service ("Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Personal Data" means any data relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose
The Processor processes Personal Data solely to provide the Service as described in the Terms of Service. This includes:
- Executing HTTP requests to URLs configured by the Controller
- Storing task configuration, execution history, and webhook payloads
- Sending notification emails to addresses specified by the Controller
- Receiving and forwarding inbound webhook events
3. Types of Personal Data
The Personal Data processed depends on what the Controller includes in webhook payloads, HTTP headers, and request bodies. This may include:
- Email addresses (for account management and notifications)
- Any data contained in webhook request/response bodies configured by the Controller
- IP addresses of inbound webhook senders
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or member state law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of processing (see Section 6)
- Not engage another processor without prior written authorization from the Controller (see Section 7)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Obligations of the Controller
The Controller shall:
- Ensure there is a lawful basis for processing Personal Data through the Service
- Provide documented instructions for processing
- Ensure that data subjects are informed about the processing in accordance with Articles 13 and 14 GDPR
6. Technical and Organizational Measures
The Processor implements the following security measures:
- Encryption in transit: All data transmitted via TLS 1.2 or higher
- Encryption at rest: Database and backups encrypted at rest
- Access control: SSH key-based server access, no shared credentials, principle of least privilege
- API key security: Stored as irreversible cryptographic hashes
- Data minimization: Response bodies truncated to 256KB, automatically deleted per retention schedule
- Webhook signatures: HMAC-SHA256 signatures for webhook payload integrity
- Audit logging: All data access and modifications are logged
- Infrastructure: Hosted in netcup data center, Nuremberg, Germany (ISO 27001 certified)
7. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed on our Sub-processor page.
The Processor shall:
- Notify the Controller of any intended changes to sub-processors at least 30 days in advance by updating the Sub-processor page and notifying via email
- Impose the same data protection obligations on sub-processors as contained in this DPA
- Remain fully liable for the acts and omissions of its sub-processors
If the Controller objects to a new sub-processor, they may terminate the Service by providing written notice within 30 days of the notification.
8. Data Breach Notification
The Processor shall:
- Notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach
- Provide sufficient information for the Controller to meet its obligations under Articles 33 and 34 GDPR, including:
  - Nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences
  - Measures taken or proposed to address the breach
9. Data Location
All Personal Data is processed and stored within the European Union (Nuremberg, Germany). The Processor shall not transfer Personal Data outside the EU/EEA without the prior written consent of the Controller and appropriate safeguards under Chapter V GDPR.
10. Data Retention and Deletion
Upon termination of the Service:
- The Controller may request export of their data before termination
- The Processor will delete all Personal Data within 30 days of termination
- The Processor will provide written confirmation of deletion upon request
During the term of the Service, execution data is automatically deleted according to the retention schedule described in our Privacy Policy.
11. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit requests should be submitted in writing with reasonable notice. The Processor may charge reasonable costs for audits beyond one per year.
12. Term and Termination
This DPA is effective for the duration of the Controller's use of the Service and survives termination to the extent required for the Processor to fulfill its obligations regarding deletion or return of Personal Data.
13. Governing Law
This DPA is governed by the laws of Norway. Any disputes arising from this DPA shall be resolved in the courts of Oslo, Norway.
14. Contact
For DPA-related inquiries:
- Whitenoise AS
- Org.nr: 821 244 722
- Oslo, Norway
- support@runlater.eu