Data Processing Agreement

1. Scope and purpose

Restorable provides automated database backup, restore verification, and cryptographic evidence generation. This agreement covers the personal data Restorable processes on the Customer's behalf to deliver the service.

What this agreement covers

Restorable processes account and operational metadata to orchestrate backups, run restore tests, deliver evidence emails, and maintain the transparency log.

What this agreement does not cover

Restorable does not process the contents of Customer's database backups. Backups are encrypted end-to-end using Customer-held age encryption keys (the Content Encryption Key, or CEK). Restorable stores the resulting ciphertext but cannot decrypt it. Restorable has no access to the encryption keys and no mechanism to obtain them.

This is not a policy choice. It is an architectural constraint enforced by the cryptographic design of the agent software (open source, Apache-2.0, auditable by Customer's security team). The agent runs in Customer's infrastructure, holds Customer's keys, and encrypts before any data leaves Customer's environment.

Because Restorable cannot access backup contents, it is not a data processor for any personal data contained in Customer's databases. Customer remains the sole controller of that data.

2. Legal basis

Restorable processes the metadata described in Section 3 as a data processor under Article 28 of Regulation (EU) 2016/679 (GDPR), acting on the Customer's documented instructions to provide the backup verification service.

3. Categories of personal data processed

Data subjects: Customer's employees and contractors who administer the Restorable account (admin users) and, indirectly, individuals whose email addresses appear in notification configurations.

Special categories (Article 9): None. Restorable does not knowingly process special-category data. If database hostnames or labels inadvertently contain special-category information, Customer should sanitize these before configuration.

4. Processing instructions

Restorable processes the data listed in Section 3 solely to:

1. Orchestrate scheduled backups and restore tests
2. Store encrypted backup ciphertext (opaque blobs; not personal data)
3. Generate, sign, and deliver cryptographic receipts
4. Maintain the per-organization transparency log
5. Send evidence emails and operational alerts
6. Process subscription payments through the payment sub-processor
7. Provide Customer access to the dashboard and API

Restorable will not process the data for any other purpose. Restorable will not sell, share, or use the data for profiling, advertising, or analytics beyond service delivery.

5. Sub-processors

Restorable uses the following sub-processors. All are located in the European Union or European Economic Area. No personal data is transferred outside the EU/EEA.

CDN (Bunny, Ljubljana, SI): Used for the marketing site only. Does not process Customer account data or any data covered by this agreement.

Self-hosted services (GlitchTip, Plausible, Grafana): Operated by Restorable on EU infrastructure. No third-party sub-processor involvement.

Sub-processor changes

Restorable will notify Customer by email at least 30 days before adding or replacing a sub-processor. Customer may object within that period. If the objection cannot be resolved, Customer may terminate the subscription. Restorable will not add a sub-processor located outside the EU/EEA without Customer's explicit prior consent.

6. No international data transfers

All processing occurs within the European Union and European Economic Area. Restorable's infrastructure is 100% EU-operated: compute in France and Germany, payments in the Netherlands, email in France, DNS in Germany.

No Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions are required because no personal data leaves the EU/EEA.

Honest disclosure: The compute hardware (AMD processors) is US-designed silicon physically located in French and German data centers. This does not constitute an international data transfer under GDPR. Customers requiring hardware-level non-US-origin guarantees should use the Self-hosted deployment model, where all processing occurs on Customer-chosen infrastructure.

7. Security measures

Restorable implements the following technical and organizational measures to protect the personal data described in Section 3.

Technical measures

• End-to-end encryption of backup payloads. Customer-held age keys encrypt all backup data before it leaves Customer's infrastructure. Restorable stores only ciphertext and cannot decrypt it.
• Encryption in transit. All API communication uses TLS 1.2 or higher. Agent-to-orchestrator communication is authenticated and encrypted.
• Encryption at rest. Metadata stored in Scaleway Managed Postgres uses storage-level encryption. Object storage uses server-side encryption for the ciphertext layer.
• Append-only transparency log. Per-organization signed Merkle log of all backup, receipt, and operator-access events. Customers can independently verify inclusion and consistency proofs. Prevents silent deletion or modification of audit records.
• Ed25519 cryptographic receipts. Every restore test produces a DSSE-signed receipt using the Customer's key. Receipts are independently verifiable without Restorable's involvement.
• Agent-initiated only architecture. Restorable never initiates contact toward the agent. The agent always pulls; the orchestrator only responds. Restorable cannot push code, configuration, or signals to Customer's infrastructure.
• Access controls. Role-based access within Customer organizations. Restorable operator access is logged in the transparency log.

Organizational measures

• EU-only infrastructure policy. No US vendors in the data path. Enforced by architecture, not policy.
• Open-source agent. Customer's security team can audit every line of the agent binary. Reproducible builds allow verification that the binary matches the source.
• Minimal data collection. Restorable collects only the metadata necessary to deliver the service. No telemetry, no analytics on Customer data, no tracking.
• Operator access logging. All operator access to Customer data is recorded in the append-only transparency log.

8. Data retention and deletion

During the subscription

• Receipt metadata and transparency log entries are retained according to the Customer's tier: 30 days (Starter), 90 days (Pro), or custom (Team).
• Encrypted backup ciphertext follows the same tier-based retention schedule.
• Account data persists for the duration of the subscription.

After termination

Upon termination of the subscription:

1. Restorable will delete or return all personal data within 30 days of termination, at Customer's choice.
2. Encrypted backup ciphertext will be deleted within 30 days. Since Restorable cannot decrypt this data, "return" means providing Customer the ciphertext files (Customer already holds the decryption keys).
3. Account data (organization name, email addresses) will be retained for 12 months after termination for legitimate business purposes (billing records, dispute resolution), then deleted.
4. Transparency log entries are append-only by design. Selective deletion would compromise the cryptographic integrity of the log for all events. Log entries will be retained for 12 months after subscription termination, then the entire organization's log segment will be deleted. During this period, log entries containing personal data (email addresses, operator identifiers) remain subject to the security measures in Section 7.

Deletion verification

Customer may request written confirmation that deletion has been completed. Restorable will provide this within 14 days of the deletion date.

9. Data subject rights

Customer is the controller and is responsible for responding to data subject requests (access, rectification, erasure, portability, restriction, objection) concerning the personal data Restorable processes on Customer's behalf.

Restorable will:

1. Assist Customer in responding to data subject requests, to the extent technically feasible, within 10 business days of Customer's written request.
2. Not respond directly to data subjects unless instructed by Customer or required by law.
3. Redirect any data subject requests received directly to Customer without undue delay.

Technical limitations

The append-only transparency log cannot be selectively edited or erased without compromising its cryptographic integrity. If a data subject requests erasure of log entries, Restorable will work with Customer to determine an appropriate response (for example, pseudonymization of identifiers in future log entries). This limitation is documented here so Customer can factor it into their own data protection impact assessment.

10. Breach notification

In the event of a personal data breach affecting data processed under this agreement:

1. Restorable will notify Customer without undue delay and no later than 48 hours after becoming aware of the breach. This is within GDPR's 72-hour window for controller notification to the supervisory authority, giving Customer time to assess and report.
2. The notification will include, to the extent known:
   • Nature of the breach (categories and approximate number of data subjects and records affected)
   • Name and contact details of Restorable's point of contact
   • Likely consequences of the breach
   • Measures taken or proposed to address the breach
3. Restorable will cooperate with Customer's investigation and provide additional information as it becomes available.
4. Restorable will document all breaches, including those that do not require notification, and make the documentation available to Customer on request.

Because Restorable cannot decrypt backup payloads, a breach of the ciphertext storage would not expose personal data contained in Customer's databases. Such an event would still be reported under this clause as it affects the encrypted backup service, but the risk assessment would reflect that the data remains encrypted with Customer-held keys.

11. Audits and inspections

1. Restorable will make available to Customer all information necessary to demonstrate compliance with this agreement and Article 28 GDPR.
2. Restorable will allow and contribute to audits and inspections conducted by Customer or a third-party auditor mandated by Customer, with reasonable prior notice (at least 14 days).
3. Customer bears the cost of third-party audits. Restorable will not unreasonably restrict the scope.
4. The open-source agent, wire-protocol specification, and transparency log verification tools are publicly available for independent audit at any time without prior notice.

12. Restorable's obligations

Restorable will:

1. Process personal data only on Customer's documented instructions, including with regard to transfers outside the EU/EEA (none are planned or permitted under the current architecture).
2. Ensure that persons authorized to process personal data are bound by confidentiality obligations.
3. Implement and maintain the security measures described in Section 7.
4. Comply with the sub-processor conditions in Section 5.
5. Assist Customer in meeting its obligations under Articles 32 to 36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to Restorable.
6. At Customer's choice, delete or return all personal data after the end of the service, as described in Section 8.

13. Liability

Liability for data protection breaches is governed by the Terms of Service, subject to the mandatory provisions of GDPR Articles 82 and 83. Liability caps and indemnification follow the Terms of Service. Nothing in this agreement limits either party's liability under mandatory GDPR provisions.

14. Governing law and jurisdiction

This agreement is governed by the laws of Sweden. Disputes will be resolved by the courts of Stockholm, Sweden, consistent with the Terms of Service.

15. Term and termination

This agreement enters into force on the effective date and remains in force for the duration of the subscription agreement. It survives termination of the subscription to the extent necessary to complete the deletion obligations in Section 8.

Either party may terminate this agreement if the other party materially breaches its obligations and fails to remedy the breach within 30 days of written notice.

16. Contact