Data Processing Addendum.

Overview

Standard Data Processing Addendum. EEA SCCs (Module 2) annexed. UK Addendum annexed. India DPDP-compliant clauses annexed. Sub-processor list at /trust/subprocessors. Updated quarterly.

What this addendum covers

Roles

For most data flows, the Customer is the Controller and Relay is the Processor. For Relay’s own account and billing information, Relay is the Controller. Roles per data category are defined in Annex I.

International transfers

EEA transfers rely on the European Commission’s Standard Contractual Clauses (Module 2, controller to processor), incorporated by reference. UK transfers rely on the UK International Data Transfer Addendum to the SCCs. India residents are handled under the Digital Personal Data Protection Act (DPDP) framework, with notice, consent, and grievance officer mechanisms documented in Annex III.

Sub-processors

We maintain a current, dated list of sub-processors at /trust/subprocessors. Customers may subscribe to email notifications of changes; we give 30 days’ notice before adding a new sub-processor.

Security

Technical and organisational measures are described in Annex II and align with the security posture published at /trust/security.

Audits and assurance

Customers may exercise audit rights through our SOC 2 Type II report (under NDA) and an annual questionnaire. On-site audit rights are available to Enterprise customers under the order form.

Executing this DPA

For most customers the DPA is incorporated by reference into your order form and requires no separate signature. For customers who need a counter-signed copy, contact /company/contact and we’ll route it through our legal team.