Data Processing Agreement

Effective date: April 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Rapidly Software Ltd. ("Rapidly," "Processor") and the workspace owner or administrator ("Controller") who uses the Rapidly platform. This DPA sets out the terms under which Rapidly processes Personal Data on behalf of the Controller, in compliance with GDPR Article 28 and applicable data protection laws.

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Terms of Use or the Privacy Policy.

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data — in most cases, the workspace owner or administrator using the Services.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller — in this case, Rapidly Software Ltd.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Sub-processor" means any third party engaged by Rapidly to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "UK GDPR" means the GDPR as retained in United Kingdom law by the European Union (Withdrawal) Act 2018.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914).

2. Scope & Relationship

Applicability. This DPA applies when Rapidly processes Personal Data on behalf of the Controller in the course of providing the Services. This DPA supplements and is incorporated into the Terms of Use. In the event of any conflict between this DPA and the Terms of Use on matters of data protection, this DPA shall prevail.

Roles. The workspace owner or administrator is the Controller. Rapidly is the Processor. The Controller determines the purposes and means of processing; Rapidly processes Personal Data only on behalf of and in accordance with the Controller's documented instructions.

Duration. This DPA remains in effect for the duration of the Controller's use of the Services and continues until all Personal Data has been deleted or returned in accordance with Section 9.

3. Description of Processing

Subject Matter: Provision of the Rapidly platform, including file sharing, customer management, analytics, and payment facilitation.

Categories of Data Subjects:
  • End users and visitors of the Controller's workspace
  • Customers who interact with the Controller's workspace
  • Workspace members and collaborators
  • File share recipients

Categories of Personal Data:
  • Contact information (name, email address)
  • Billing and payment data (processed via Stripe; Rapidly stores only metadata)
  • File sharing metadata (hashed IP addresses, download counts, timestamps, checksums)
  • Customer/CRM data (names, emails, billing addresses, external IDs, custom field responses)
  • Usage data (page views, feature usage, session data)
  • Device and technical data (IP address, browser type, operating system)

Special Category Data: The Controller may upload or collect special category data (e.g., health, financial, or biometric data) through files or custom fields. The Controller is solely responsible for ensuring a lawful basis exists for processing any such data and for informing Rapidly if special category data is being processed.

Purpose of Processing: To provide, maintain, secure, and improve the Services as described in the Terms of Use and as instructed by the Controller.

4. Controller Obligations

The Controller shall:

  • Ensure that its instructions to Rapidly comply with all applicable data protection laws;
  • Have a lawful basis for processing Personal Data and for transferring it to Rapidly;
  • Provide all necessary notices to, and obtain all necessary consents or authorisations from, data subjects as required by applicable law;
  • Conduct Data Protection Impact Assessments (DPIAs) where required under Article 35 of the GDPR; and
  • Promptly notify Rapidly if it becomes aware of any Data Breach or security incident affecting Personal Data processed through the Services.

5. Processor Obligations

Rapidly shall:

(a) Instructions. Process Personal Data only on the Controller's documented instructions, including with regard to international data transfers, unless required to do so by EU or member state law — in which case Rapidly will inform the Controller of the legal requirement before processing (unless prohibited by law).

(b) Confidentiality. Ensure that all persons authorised to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

(c) Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Section 7 of this DPA and as required by Article 32 of the GDPR.

(d) Sub-processors. Not engage any Sub-processor without prior compliance with Section 6 of this DPA.

(e) Data Subject Rights. Assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligations to respond to data subject requests under Articles 15–22 of the GDPR (access, rectification, erasure, restriction, portability, objection).

(f) Compliance Assistance. Assist the Controller in ensuring compliance with obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs, prior consultation with supervisory authorities), taking into account the nature of processing and information available to Rapidly.

(g) Deletion/Return. At the Controller's choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless EU or member state law requires continued storage. See Section 9 for details.

(h) Audit. Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. See Section 10 for details.

6. Sub-processors

General Authorisation. The Controller grants Rapidly a general written authorisation to engage Sub-processors for the provision of the Services.

Current Sub-processors. A list of current Sub-processors is maintained and available upon request by contacting [email protected]. Current Sub-processors include:
  • Cloud Infrastructure Provider — hosting, compute, storage (EU/US regions)
  • Stripe, Inc. — payment processing (US, certified under EU-US Data Privacy Framework)
  • Email Delivery Service — transactional and notification emails
  • Sentry — error tracking and monitoring
  • ClamAV — malware scanning (self-hosted)

Notification of Changes. Rapidly will notify the Controller by email at least 30 days before engaging any new Sub-processor or replacing an existing one. The notification will include the Sub-processor's name, location, and description of processing.

Objection Right. The Controller may object to a new Sub-processor within 14 days of notification by providing written reasons to [email protected]. Rapidly will make reasonable efforts to address the objection. If the objection cannot be resolved, the Controller may terminate the affected Services without penalty.

Flow-Down Obligations. Rapidly shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) of the GDPR. Rapidly remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. Security Measures

Rapidly implements and maintains the following technical and organisational measures to protect Personal Data, in accordance with Article 32 of the GDPR:

Encryption:
  • TLS 1.2+ for all data in transit
  • AES-256 encryption for file transfers
  • Client-side OpenPGP encryption for secret messages
  • Encryption at rest for stored data

Access Controls:
  • Role-based access controls (RBAC) with scope-based permissions
  • Least-privilege access for all employees and systems
  • Multi-factor authentication available for user accounts
  • API token and workspace access token management

Infrastructure:
  • Hosted on industry-standard cloud infrastructure
  • Network firewalls and intrusion detection systems
  • Regular security patching and updates
  • Automated malware scanning (ClamAV) for uploaded files

Monitoring & Logging:
  • Structured logging with audit trails
  • Automated security monitoring and anomaly detection
  • Rate limiting on all public endpoints

Organisational:
  • Confidentiality obligations for all personnel
  • Security awareness and data protection training
  • Incident response plan and procedures

8. Data Breach Notification

Notification to Controller. Rapidly shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

Content of Notification. The notification shall include, to the extent available:
  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and Personal Data records affected;
  • The name and contact details of Rapidly's point of contact;
  • A description of the likely consequences of the Data Breach;
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

Controller's Obligations. The Controller is responsible for notifying the relevant supervisory authority within 72 hours of becoming aware of a Data Breach (where required under Article 33 of the GDPR) and for notifying affected data subjects where required under Article 34.

Cooperation. Rapidly shall cooperate with the Controller and provide reasonable assistance in investigating, mitigating, and remediating the Data Breach, and in fulfilling the Controller's notification obligations.

9. Data Deletion & Return

Upon Termination. Upon termination or expiry of the Services, and at the Controller's written request, Rapidly shall either:
  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (e.g., CSV or JSON export); or
  • Delete all Personal Data, including all copies, from Rapidly's systems and those of its Sub-processors.

Timeline. Rapidly will complete deletion or return within 30 days of receiving the Controller's instruction. Rapidly will confirm deletion in writing upon request.

Exceptions. Rapidly may retain Personal Data to the extent required by applicable EU or member state law (e.g., tax records, legal holds). In such cases, Rapidly will inform the Controller of the legal requirement and will continue to protect the retained data in accordance with this DPA.

Automatic Deletion. Certain data is automatically deleted by the Services in the ordinary course of operation:
  • Secret messages/files: deleted upon retrieval or expiration
  • File sharing metadata: hashed IPs retained for up to 12 months
  • Server logs: retained for up to 90 days
  • Account data: deleted 30 days after account deletion

10. Audits

Information. Rapidly shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and GDPR Article 28.

Audit Rights. The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits and inspections of Rapidly's data processing activities, subject to the following conditions:
  • The Controller shall provide at least 30 days' prior written notice;
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Rapidly's operations;
  • The Controller shall bear the costs of the audit (unless the audit reveals material non-compliance by Rapidly);
  • The auditor must agree to reasonable confidentiality obligations;
  • Audits shall be limited to once per 12-month period, unless required by a supervisory authority or triggered by a Data Breach.

Compliance Reports. Where available, Rapidly may satisfy audit requests by providing relevant compliance certifications, audit reports, or summaries prepared by independent third-party auditors.

11. International Data Transfers

Transfer Locations. Personal Data may be transferred to and processed in the United States and other countries where Rapidly's infrastructure providers and Sub-processors operate.

Transfer Mechanisms. For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequate level of data protection, Rapidly relies on:
  • Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor) as adopted by the European Commission (Implementing Decision 2021/914), which are hereby incorporated by reference into this DPA;
  • EU-US Data Privacy Framework — for transfers to US-based Sub-processors certified under the DPF;
  • UK International Data Transfer Addendum (IDTA) — for transfers subject to the UK GDPR.

Transfer Impact Assessments. Rapidly maintains Transfer Impact Assessments (TIAs) for its international data transfers and will make these available to the Controller upon request.

Supplementary Measures. In addition to contractual safeguards, Rapidly implements supplementary technical measures including encryption in transit and at rest, pseudonymisation (IP hashing), and access controls to protect transferred data.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use, except that:
  • Neither party's liability for breaches of its data protection obligations under this DPA or applicable law (including GDPR) shall be limited in a manner that would prevent the other party from recovering direct damages caused by such breach;
  • Nothing in this DPA limits either party's liability for fraud, gross negligence, willful misconduct, or any liability that cannot be excluded under applicable law.

13. General

Governing Law. This DPA is governed by the laws of Ireland. If the Controller is subject to the UK GDPR, the provisions of this DPA shall be interpreted in accordance with UK GDPR requirements.

Amendments. Rapidly may update this DPA from time to time to reflect changes in law, regulatory guidance, or our processing practices. Material changes will be notified to the Controller at least 30 days in advance.

Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Entire Agreement on Data Processing. This DPA, together with the Terms of Use and Privacy Policy, constitutes the complete agreement between the parties regarding the processing of Personal Data.

14. Contact

For questions, requests, or notifications relating to this DPA, please contact:

Rapidly Software Ltd.
Cork, Ireland
Email: [email protected]