Data Processing Agreement
Last updated: 2026-05-25
How to sign: this page is the published template. To execute it, email [email protected] from the account that owns your EchoRelay project. We countersign and return a PDF with both signatures within 5 business days. A wet-ink or PAdES-qualified e-signature is acceptable on either side.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between EchoRelay ("Processor") and the Customer signing below ("Controller") and governs the Processor's handling of Personal Data on behalf of the Controller under the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and any equivalent local data-protection law applicable to the Controller.
1. Subject-matter, duration, nature, purpose
- Subject-matter: the Processor's provision of the EchoRelay relay service to the Controller, including request validation, fan-out, queueing, retry, and delivery to Controller-configured target URLs.
- Duration: the term of the Controller's active EchoRelay subscription, plus the retention windows defined in section 8 below.
- Nature: automated processing — storage in transit, configuration storage, billing-related processing.
- Purpose: to perform the relay service contracted by the Controller and meet the Processor's legal obligations (billing, anti-abuse, breach notification).
2. Categories of Personal Data and data subjects
Categories of Personal Data processed (as defined and supplied by the Controller through API requests, configuration, and account use):
- Account identifiers of Controller staff (email, optional display name, hashed password, TOTP secret).
- Configuration content authored by the Controller (project name, line/endpoint definitions, target URLs, mapping rules, retry policies).
- Request metadata generated as Controller traffic flows through the relay (tenant slug, timestamps, HTTP method, status code, latency, source IP).
- Request payloads, processed in transit only and not persisted beyond delivery/retry completion.
- Billing data (invoice IDs, billing country) — the Processor's sub-processor Paddle is the controller for payment-card data.
Categories of data subjects:
- Controller's staff members (account holders).
- End users of the Controller's product whose actions trigger calls into EchoRelay (insofar as those payloads contain Personal Data).
3. Obligations and rights of the Controller
The Controller is and remains the controller of all Personal Data processed under this DPA. The Controller warrants that:
- It has a lawful basis under GDPR Art 6 (and, where applicable, Art 9) for every category of Personal Data it instructs the Processor to handle.
- Its privacy notice to end users discloses the use of EchoRelay as a sub-processor where required.
- Its API requests do not include Personal Data that the Controller is not authorised to disclose.
4. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA.
- Ensure persons authorised to process Personal Data have committed themselves to confidentiality.
- Implement and maintain the technical and organisational measures described in /security, which form Annex I of this DPA.
- Assist the Controller with data-subject rights requests and DPIAs where reasonably required.
- Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in section 9.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below (Annex II of this DPA). The Processor shall:
- Impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.
- Give the Controller at least 30 days' written notice (by email to the account contact) before adding or replacing a sub-processor.
- Allow the Controller to object to a change on reasonable data-protection grounds; if the objection cannot be resolved, the Controller may terminate the affected services for cause without penalty.
5.1 Current sub-processors
| Sub-processor | Purpose | Data categories | Region | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Cloud GmbH | Compute, managed PostgreSQL, Redis, S3-compatible backup storage | All customer data (account, configuration, billing, request metadata) | Germany — Nuremberg primary, Falkenstein backup | EEA-only; no transfer mechanism required |
| Cloudflare, Inc. | DNS, TLS termination, CDN, DDoS protection, WAF, edge logging | Request metadata, source IP addresses, user-agent strings | Global edge; EU-resident customer data preferred to EU points-of-presence | Standard Contractual Clauses (2021/914) + Data Processing Addendum |
| Paddle.com Market Ltd | Billing, payment processing, sales-tax handling, invoicing | Customer name, email, billing address, payment method (Paddle is the controller for cardholder data — we never see it) | United Kingdom + United States | SCCs + UK IDTA; Paddle's own DPA |
| Resend | Transactional email delivery (account verification, billing alerts, data-export links) | Email addresses, message contents | United States | SCCs |
| GitLab Inc. | Source code repository, CI/CD pipelines, container registry. No customer production data ever lands here. | None — only EchoRelay source code and CI artefacts | United States | SCCs; GitLab's own DPA |
5.2 Internal infrastructure (not third-party sub-processors)
The following are operated by EchoRelay on infrastructure rented from Hetzner (listed above); they are not separate processors but are listed here for transparency.
- ClickHouse for request-log aggregation (self-hosted on Hetzner; EU-only).
- Loki + Grafana for service-log aggregation (self-hosted on Hetzner; EU-only, internal access only).
- Vector for log shipping inside the cluster.
5.3 Notification of changes
When a new sub-processor is added or an existing one is replaced:
- This section is updated within 24 hours of the change going live.
- The "Last updated" timestamp at the top reflects the change date.
- Customers on a signed DPA receive an email at least 30 days before the change takes effect (except where the change is mandated by security or legal obligation).
- If you object to a change, you may terminate your contract for cause per section 4 above.
6. Security measures (Annex I)
Technical and organisational measures are documented at /security and updated as the Processor's controls evolve. At signature date they include: encryption at rest (storage-level and field-level for secrets), TLS-in-transit, hashed credentials, mandatory 2FA for staff, role-based access control, daily encrypted backups, audit logging, and a documented disaster-recovery runbook.
7. Personal-data breach notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Personal-Data breach affecting the Controller's data. The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
8. Return or deletion of data
On termination of the underlying agreement, the Processor shall, at the Controller's choice:
- Provide a structured machine-readable export of the Controller's account, configuration, billing, and audit-log data within 30 days; or
- Delete the Controller's data within 30 days,
except to the extent retention is required by Union or Member State law (e.g. invoices retained for the period required by tax law). The Processor shall certify deletion in writing on request.
Request-log retention windows. During the term, request-log records — processing metadata only (method, path, status, timing); never request bodies or headers — are retained for a per-plan searchable window and hard-deleted at expiry: Free 7 days, Prepaid 14 days, Pro 30 days, Scale 90 days, Enterprise up to one year, and one year where the Extended log retention add-on is active. Deletion at expiry is automatic and irreversible.
9. Audit rights
The Processor shall make available, on the Controller's reasonable written request and no more than once per twelve-month period, the information necessary to demonstrate compliance with Article 28 GDPR — including current SOC 2 / ISO 27001 reports if held, sub-processor lists, security-policy documentation, and the most recent restore-drill report. On-site audits are available only for enterprise customers with a separately negotiated audit clause.
10. International transfers
Where any sub-processor is located outside the EEA, the parties rely on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, or the UK International Data Transfer Addendum where the UK GDPR applies. The Controller appoints the Processor as its agent to execute the SCCs with the relevant sub-processor on the Controller's behalf.
11. Liability and governing law
Each party's liability under this DPA is subject to the limitation-of-liability provisions in the Terms of Service. This DPA is governed by the law specified in the Terms of Service. Where Member State law mandates a specific governing law for data-protection purposes, that law prevails for those purposes only.
12. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters. In the event of conflict between this DPA and the SCCs, the SCCs prevail. Annexes I and II are incorporated by reference from the linked pages and form part of this DPA.
This template is offered as a starting point. It tracks the GDPR Article 28(3) checklist and references the SCCs adopted in 2021. EchoRelay's first signed copy was reviewed by external counsel; the Controller is responsible for obtaining its own legal review before signing.