Data Processing Agreement
This document is a working template provided for transparency during evaluation. The binding version is the one referenced in your signed agreement. For the executed copy, contact [email protected].
This DPA forms part of the agreement between you ("Controller") and Rahoto ("Processor") and applies where Rahoto processes personal data on your behalf in providing the Service. A signed counterpart is available on request for enterprise agreements.
1. Roles and scope
You are the Controller of Customer Data; Rahoto is the Processor. We process personal data only on your documented instructions, which include your use of the Service and the connections you configure.
2. Nature and purpose
| Item | Detail |
|---|---|
| Subject matter | Provision of the Rahoto reporting runtime. |
| Duration | For the term of the agreement plus the export window. |
| Categories of data | As determined by the sources you connect and the reports you build. |
| Data subjects | As determined by your Customer Data (e.g. your customers, employees). |
3. Security measures
Rahoto implements appropriate technical and organisational measures including encryption in transit and at rest, customer-managed keys (BYOK) on enterprise plans, role-based access control, row-level security, and an immutable, hash-chained audit log. Further detail is in the Trust Center.
4. Sub-processors
You authorise Rahoto to engage the sub-processors listed on the sub-processor page. We give at least 30 days' notice before adding a sub-processor, during which you may object on reasonable data-protection grounds.
5. International transfers
Primary processing occurs in the EU. Where any transfer outside the EEA occurs, it is covered by an adequacy decision or Standard Contractual Clauses. Enterprise plans can pin residency by region.
6. Assistance and audits
Rahoto assists the Controller with data-subject requests, breach notification, and data-protection impact assessments, and makes available information necessary to demonstrate compliance.
7. Deletion
On termination, Rahoto deletes or returns Customer Data after the export window, except where retention is required by law.
8. Contact
DPA execution and questions: [email protected].