
Data Processing Agreement

Last updated: 2026-04-17

This Data Processing Agreement ("DPA") forms part of the Terms of Service between UnboundBytes ("Processor") and the customer ("Controller") who has entered into an agreement for the UnboundBytes Service. It reflects the parties' agreement with regard to the processing of Personal Data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent data protection laws.

If you are a business customer subject to GDPR and require a counter-signed copy of this DPA, email legal@unboundbytes.com with your company details and we will return a signed PDF within two business days.

1. Definitions

Terms such as "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given to them in the GDPR. In this DPA, "Customer Data" means any Personal Data that UnboundBytes processes on behalf of the Controller in the course of providing the Service.

2. Roles of the Parties

The Controller determines the purposes and means of the Processing of Customer Data. UnboundBytes acts as a Processor, Processing Customer Data only on the Controller's documented instructions, including instructions embedded in the Controller's use of the Service (for example, provisioning devices, deploying applications, or configuring backups).

3. Categories of Data and Data Subjects

Categories of Personal Data: email addresses and display names of Controller's users; device metadata (hostname, OS, architecture, connection status); audit logs; billing-account metadata. UnboundBytes does not Process the Controller's end-user application data, which remains on the Controller's infrastructure.

Categories of Data Subjects: Controller's administrators and end users with portal access, and individuals whose metadata is present in audit logs generated by the Service.

4. Duration and Purpose of Processing

UnboundBytes Processes Customer Data for the duration of the Service agreement and only for the purpose of providing, securing, and supporting the Service as described in the Terms of Service and the Privacy Policy.

5. Sub-processors

The Controller authorizes UnboundBytes to engage the Sub-processors listed below. UnboundBytes remains liable for each Sub-processor's compliance with the obligations in this DPA.

  • Cloudflare, Inc. — Edge compute, CDN, and storage (D1, Durable Objects, R2). Processing locations: global edge (primarily United States and European Union).
  • Paddle.com Market Ltd. — Merchant of record, payment processing, and tax compliance. Processing locations: United Kingdom and European Union.
  • Amazon Web Services, Inc. — Transactional email delivery via Amazon SES. Processing location: United States.

UnboundBytes will give the Controller at least 30 days' prior notice of any new or replacement Sub-processor. The Controller may object to a new Sub-processor on reasonable grounds related to data-protection compliance by emailing legal@unboundbytes.com.

6. Security Measures

UnboundBytes implements appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • TLS 1.2+ encryption in transit.
  • Encryption at rest for secrets (HashiCorp Vault, AES-256-GCM).
  • Tenant-level isolation in Durable Objects and D1.
  • HMAC-SHA256 request signing between services.
  • Short-lived JWT authentication and role-based access control.
  • Per-tenant rate limiting and circuit-breaker patterns on third-party dependencies.
  • Mandatory code review and automated security scanning (supply-chain, SAST, SCA).
  • Audit logging of authentication and administrative events.
  • Backups encrypted client-side before upload to R2.

7. International Transfers

Where Customer Data originates in the European Economic Area, the United Kingdom, or Switzerland and is transferred to a country not covered by an adequacy decision, UnboundBytes relies on the EU Standard Contractual Clauses (module "Processor to Processor" or "Controller to Processor" as applicable), together with supplementary measures as required by local data-protection law.

8. Data-Subject Requests

UnboundBytes will, taking into account the nature of the Processing, assist the Controller through appropriate technical and organizational measures in responding to requests from Data Subjects to exercise their rights under applicable data-protection law. Controllers can export or delete most Customer Data directly via the portal; for requests that cannot be fulfilled through the portal, contact legal@unboundbytes.com.

9. Personal-Data Breach Notification

UnboundBytes will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal-Data Breach affecting Customer Data. Notice will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a contact point for further information.

10. Audits

UnboundBytes will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Where reasonably required and at the Controller's expense, UnboundBytes will allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable confidentiality and operational-security requirements.

11. Return or Deletion of Data

Upon termination of the Service, the Controller may export Customer Data through the portal or API for 30 days. After that period, UnboundBytes will delete Customer Data from its production systems, except where retention is required by law. Residual copies in encrypted backups are deleted on their normal retention schedule (7–90 days, depending on plan).

12. Liability and Governing Law

The liability caps and governing-law provisions in the Terms of Service apply to this DPA. Nothing in this DPA excludes or limits either party's liability where such exclusion is prohibited by applicable law.

13. Contact

Data-protection inquiries and DPA counter-signature requests: legal@unboundbytes.com.


© 2026 UnboundBytes, Inc. All rights reserved.