Data Processing Agreement (DPA)
Effective date: 15th of February, 2025
This Data Processing Agreement ("DPA") is part of the Terms of Service of Harbur Cloud Solutions S.L.U. ("Processor") and applies where the Processor processes Personal Data on behalf of the users ("Controller") in connection with the provision of services.
1. Definitions
1.1 "Personal Data" - Any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
1.2 "Processing" - Any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
1.3 "Sub-Processor" - Any third party engaged by the Processor to assist in processing Personal Data.
1.4 "Applicable Data Protection Laws" - Includes, but is not limited to, the General Data Protection Regulation (GDPR) and UK GDPR.
1.5 "Standard Contractual Clauses (SCCs)" - The contractual clauses adopted by the European Commission as a valid mechanism for ensuring compliance with GDPR when transferring Personal Data outside the EU/EEA.
2. Roles and Responsibilities
2.1 Controller's Obligations:
- Ensure compliance with all applicable data protection laws.
- Obtain necessary consents and provide necessary notices for data processing.
2.2 Processor's Obligations:
- Process Personal Data only as instructed by the Controller.
- Implement appropriate technical and organizational measures to protect Personal Data.
- Assist the Controller in fulfilling data subject rights requests.
- Notify the Controller of any data breaches without undue delay.
3. Processing Details
- Nature of Processing: Hosting and management of PostgreSQL databases.
- Purpose of Processing: To provide cloud-based database services.
- Types of Personal Data: Name, email, billing details, IP address, and any other data stored by the Controller in the database.
- Categories of Data Subjects: The Controller’s customers, employees, and any other individuals whose data is stored in the database.
- Retention Period: As determined by the Controller or as required by law.
4. Security Measures
Processor shall implement the following security measures:
- Data encryption in transit and at rest.
- Access controls and authentication mechanisms.
- Regular security assessments and audits.
- Data backup and disaster recovery procedures.
5. Data Storage and International Transfers
- All personal data and billing information processed by the Processor is stored exclusively in the EU/EEA.
- If the Controller selects a database storage location outside the EU/EEA using third-party cloud providers, the Controller is responsible for ensuring compliance with GDPR, including implementing appropriate safeguards for data transfers.
- If the Controller stores personal data in a non-EU/EEA region using an external cloud provider, the Standard Contractual Clauses (SCCs) shall apply between the Controller and the selected third-party provider. The Processor shall not be responsible for compliance with GDPR in such cases but may assist the Controller in implementing necessary safeguards.
6. Sub-Processors
- The Controller authorizes the use of the following Sub-Processors:
  - Cloud Hosting Provider: AWS, Google Cloud, Microsoft Azure
  - Payment Processor: Stripe
- Processor shall notify the Controller of any changes to Sub-Processors and provide an opportunity to object.
7. Data Breach Notification
- Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a data breach.
- Notification shall include the nature of the breach, affected data, and remedial actions taken.
8. Data Subject Rights
Processor shall assist the Controller in responding to requests from data subjects, including:
- Access Requests – Providing details on stored Personal Data.
- Correction Requests – Updating inaccurate Personal Data.
- Deletion Requests – Erasing Personal Data upon request.
- Restriction Requests – Limiting processing where legally required.
9. Audit Rights
- Controller has the right to audit Processor’s compliance with this DPA.
- Audits shall be conducted no more than once per year, unless a security incident occurs.
10. Term and Termination
- This DPA remains effective as long as the Processor processes Personal Data on behalf of the Controller.
- Upon termination, Processor shall delete or return all Personal Data, unless retention is required by law.
11. Governing Law
- This DPA is governed by the laws of the European Union and the jurisdiction of the relevant EU Member State where the Controller is located.
12. Contact Information
For any inquiries regarding this DPA, please contact:
- Email: hello@raydb.io
- Company: Harbur Cloud Solutions S.L.U.