Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") is incorporated into and forms part of the ReflexDB.cloud Terms of Service between ReflexDB ("ReflexDB.cloud", "we", "us", "Processor") and the customer entity that has accepted the Terms of Service ("Customer", "Controller").
This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of applicable data protection law, including the EU General Data Protection Regulation (GDPR) 2016/679 and, where applicable, the UK GDPR.
By using the Service, Customer agrees to the terms of this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to this DPA.
2. Definitions
Terms not defined here have the meanings given in the Terms of Service or applicable data protection law.
- "Personal Data" means any information relating to an identified or identifiable natural person that Customer uploads to, or that is processed by, the Service.
- "Processing" has the meaning given under applicable data protection law and "process" and "processed" shall be construed accordingly.
- "Sub-processor" means any processor engaged by ReflexDB.cloud to process Personal Data on Customer's behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission in Decision 2021/914.
3. Scope and Nature of Processing
ReflexDB.cloud processes Personal Data solely to provide the Service as described in the Terms of Service and as further instructed by Customer. The subject matter, duration, nature, and purpose of processing, and the types of Personal Data and categories of Data Subjects, are as follows:
- Subject matter: Provision of a managed in-memory reactive database service that synchronises data from Customer's source databases (MySQL, MariaDB, and PostgreSQL, with SQL Server planned).
- Duration: For the term of the Agreement and as necessary to fulfil obligations under this DPA.
- Nature: Storage, replication, querying, and deletion of data.
- Purpose: To provide the Service — specifically, to maintain a continuously synchronised read replica of Customer's source database and expose it via a REST API endpoint.
- Types of Personal Data: Any personal data present in Customer's source database and replicated to the Service. ReflexDB.cloud does not inspect or categorise this data; Customer determines what data is included.
- Categories of Data Subjects: Any individuals whose data appears in Customer's source database (e.g. Customer's own end-users, employees, or contacts).
4. Customer's Obligations
Customer represents and warrants that:
- Customer has a lawful basis for processing Personal Data and for sharing it with ReflexDB.cloud.
- Customer has provided all required notices and obtained all required consents from Data Subjects to the extent required by applicable law.
- Customer's instructions to ReflexDB.cloud comply with applicable data protection law.
- Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired it.
5. Processor Obligations
ReflexDB.cloud agrees to:
- Process Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures as described in Section 6.
- Respect the conditions for engaging Sub-processors as described in Section 7.
- Assist Customer in responding to Data Subject requests, to the extent technically feasible.
- Assist Customer in ensuring compliance with obligations relating to security, breach notification, impact assessments, and prior consultation, taking into account the nature of processing and information available to ReflexDB.cloud.
- At Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
- Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
6. Security Measures
ReflexDB.cloud implements and maintains appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption in transit: All data transmitted between Customer and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Control plane data is encrypted at rest using AES-256. In-memory data within ReflexDB instances is not persisted to disk.
- Credential isolation: Source database connection credentials are stored in a dedicated secrets manager as encrypted values; they are never written to the control plane database.
- Access controls: Access to production systems is restricted to authorised personnel via role-based access policies. All access is logged.
- API authentication: Per-instance API endpoints are protected by HMAC-SHA256 API key authentication enforced at the network edge.
- Network isolation: All infrastructure runs within isolated private networks; customer instances are not directly accessible from the public internet except through the authenticated API endpoint.
- Data region: All Personal Data is processed and stored in EU (Ireland) by default. Customers may select the US (Virginia) region at instance creation time. Account data and billing records are always processed in the EU.
7. Sub-processors
Customer authorises ReflexDB.cloud to engage the following Sub-processors to process Personal Data on Customer's behalf. ReflexDB.cloud will enter into data processing agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Processing Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: compute, database, storage, networking, secrets management, and build pipeline | EU (Ireland) and US (Virginia) |
| Stripe, Inc. | Payment processing and subscription management. Stripe processes billing information only; Stripe does not process Customer's source database content. | United States (covered by SCCs) |
ReflexDB.cloud will notify Customer of any intended changes to Sub-processors by updating this page and sending notice to Customer's registered email address at least 14 days before the change takes effect. Customer may object to the new Sub-processor within that period; if the parties cannot resolve the objection, Customer may terminate the Agreement with a pro-rated refund.
8. International Data Transfers
ReflexDB.cloud stores and processes Personal Data in the region selected by Customer. The default region is EU (Ireland); the US (Virginia) region is available on all plans. Account data and billing records are always processed in the EU.
Where Personal Data is processed outside the European Economic Area — including when Customer selects the US region, or via Sub-processors such as Stripe — ReflexDB.cloud relies on the European Commission's Standard Contractual Clauses (Module 2: controller to processor) or other approved transfer mechanisms to ensure an adequate level of protection.
9. Data Subject Rights
If ReflexDB.cloud receives a request directly from a Data Subject exercising their rights under applicable data protection law (access, rectification, erasure, restriction, portability, or objection), ReflexDB.cloud will promptly forward the request to Customer and will not respond to the Data Subject directly unless instructed by Customer or required by law.
Customer is responsible for responding to Data Subject requests. ReflexDB.cloud will provide reasonable assistance, including by making available data deletion and export mechanisms through the Service dashboard.
10. Security Incident Notification
ReflexDB.cloud will notify Customer without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a personal data breach affecting Customer's Personal Data. Notification will be sent to Customer's registered email address and will include, to the extent known at the time: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
11. Audits and Inspections
ReflexDB.cloud will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit or inspection of ReflexDB.cloud's data processing activities, subject to:
- 30 days' prior written notice to legal@reflexdb.cloud;
- Audits conducted no more than once per calendar year, unless a confirmed personal data breach warrants an additional audit;
- Customer bearing the cost of the audit unless the audit reveals a material breach of this DPA.
12. Deletion and Return of Data
Upon termination or expiry of the Agreement, or upon Customer's written request, ReflexDB.cloud will, at Customer's election: (a) securely delete all Personal Data, or (b) return Personal Data to Customer in a machine-readable format. ReflexDB.cloud will confirm deletion in writing within 30 days. Backups subject to automatic deletion schedules will be deleted within 90 days.
Customer may export their data at any time during the term via the Service dashboard.
13. Governing Law
This DPA is governed by the laws of Ireland, consistent with the governing law provision of the Terms of Service.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses take precedence.
Contact
For questions about this DPA, data subject requests, or to request a countersigned copy, contact legal@reflexdb.cloud.
Enterprise customers requiring a negotiated or countersigned DPA should contact us at legal@reflexdb.cloud with the subject line "DPA Request".
ReflexDB.cloud, Sky Business Centres, Port Tunnel Business Park, Clonshaugh, Dublin 17, D17 FY82, Ireland