Data Protection Addendum
This Data Protection Addendum (“DPA”) forms part of the agreement between AppRamp and the customer (“Customer”) and applies where AppRamp processes personal data on Customer’s behalf in providing the Service.
1. Roles
Customer is the controller of personal data contained in traffic to Customer’s endpoints; AppRamp is the processor. For account data of Customer’s own users of the AppRamp portal, AppRamp is an independent controller as described in the Privacy Policy.
2. Scope of processing
AppRamp processes personal data only to provide the Service: receiving requests, validating and transforming them, forwarding them to Customer’s backend, returning responses, and recording per-workspace request counts. Request and response bodies are processed transiently and not persisted.
3. Instructions
AppRamp processes personal data only on Customer’s documented instructions, which consist of the configuration Customer creates in the Service and the agreement between the parties, unless required otherwise by law (in which case AppRamp informs Customer unless legally prohibited).
4. Confidentiality and security
AppRamp ensures persons authorised to process personal data are bound by confidentiality, and implements appropriate technical and organisational measures, including encryption in transit, salted password hashing, secret isolation for backend credentials, access controls, and audit logging.
5. Subprocessors
Customer authorises the subprocessors listed in the Privacy Policy (currently Cloudflare, Inc.; optionally the AI model provider Customer selects for widget generation). AppRamp will provide 30 days’ notice of new subprocessors, during which Customer may object on reasonable data-protection grounds.
6. Assistance
Taking into account the nature of processing, AppRamp assists Customer with data-subject requests and with Customer’s obligations regarding security, breach notification, and data-protection impact assessments, insofar as information is available to AppRamp.
7. Breach notification
AppRamp notifies Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer’s data, with the information reasonably required for Customer’s own notifications.
8. International transfers
Where processing involves transfers from the EEA, the UK, or Switzerland to countries without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (module two), which are incorporated by reference, with the UK Addendum where applicable.
9. Deletion and return
On termination of the Service, AppRamp deletes personal data processed on Customer’s behalf within 30 days, unless retention is required by law. Configuration data can be exported by Customer before deletion.
10. Audits
AppRamp makes available information reasonably necessary to demonstrate compliance with this DPA and allows audits by Customer or a mandated auditor, no more than once per year, on 30 days’ notice, during business hours, without access to other customers’ data.
11. Contact
To execute this DPA or ask questions: legal@appramp.dev.