Data Processing Agreement

"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given in the UK GDPR and EU GDPR (General Data Protection Regulation).

"Service Data" refers to the personal data processed by REM on behalf of the Controller in the course of providing the Service, limited to account information and usage metadata.

REM processes personal data solely for the purpose of providing the Service as described in the Terms of Service. The categories of personal data processed include:

• Account data: Email address, name, hashed password
• Authentication data: Hashed API keys, MFA configuration, session tokens
• Usage data: API request logs, IP addresses, timestamps
• Billing data: Stripe customer ID, subscription status (card details are processed directly by Stripe)

The data subjects are users of the Service (account holders and API consumers).

REM shall:

• Process personal data only on documented instructions from the Controller, unless required by law
• Ensure that persons authorised to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see Section 5)
• Not engage Sub-processors without prior written consent of the Controller
• Assist the Controller in responding to data subject requests
• Delete or return all personal data upon termination of the Service, unless retention is required by law
• Make available all information necessary to demonstrate compliance and allow for audits

REM currently uses the following Sub-processors:

We will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, providing an opportunity to object.

REM implements the following technical and organisational measures:

• Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
• Authentication: Bcrypt password hashing, SHA-256 API key hashing, TOTP MFA support
• Access Control: Role-based access, principle of least privilege, admin separation
• Audit Logging: Append-only audit trail for all security-sensitive actions
• Data Minimisation: We collect only the minimum data necessary to provide the Service
• Incident Response: Documented procedures with 72-hour breach notification commitment
• Backup: Regular automated backups with point-in-time recovery capability

REM will assist the Controller in fulfilling data subject requests including access, rectification, erasure, data portability, and restriction of processing. Requests will be actioned within 30 days.

Where personal data is transferred outside the UK or EEA, REM ensures that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) as applicable.

In the event of a personal data breach, REM shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

This DPA remains in effect for the duration of the Service agreement. Upon termination, REM will delete all personal data within 30 days, unless retention is required by applicable law. The Controller may request a copy of their data in a portable format prior to deletion.

For DPA-related enquiries:

dpo@remtel.io