Data Processing Addendum
Last updated: April 15, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Ruunly LLC (“Ruunly”) and the business customer that uses Ruunly (“Customer”). This DPA applies when Ruunly processes Personal Data on behalf of Customer.
1. Definitions
“Personal Data” means information relating to an identified or identifiable person that Ruunly processes on behalf of Customer.
“Customer Data” means Personal Data submitted to the Service by Customer, Customer's authorized users, or End Customers.
“Data Protection Laws” means U.S. state privacy laws, including CCPA/CPRA where applicable, and any other privacy law that applies to Ruunly's processing of Customer Data under the agreement.
“Subprocessor” means a third party engaged by Ruunly to process Customer Data.
2. Roles
For Customer Data, Customer is the business, controller, or equivalent decision-maker. Ruunly is the service provider, processor, contractor, or equivalent service provider. Ruunly will process Customer Data only to provide, secure, support, maintain, and improve the Service, comply with Customer's documented instructions, comply with law, or as otherwise permitted by Data Protection Laws.
3. Customer Instructions
Customer instructs Ruunly to process Customer Data to:
- host and operate the Service;
- authenticate users;
- store and retrieve business and End Customer records;
- process payments and subscription events through Stripe;
- send email and SMS through service providers;
- provide support;
- monitor security and prevent abuse;
- maintain backups and logs;
- comply with legal obligations.
4. Restrictions
Ruunly will not:
- sell Customer Data;
- share Customer Data for cross-context behavioral advertising;
- retain, use, or disclose Customer Data outside the business relationship except as permitted by law;
- combine Customer Data with personal information from other sources except as permitted by law for service provider or processor purposes;
- use Customer Data to infer characteristics about End Customers except as needed to provide the Service.
5. Confidentiality
Ruunly will require personnel with access to Customer Data to protect it and access it only as needed for authorized business purposes.
6. Security
Ruunly will maintain reasonable administrative, technical, and organizational safeguards designed to protect Customer Data against unauthorized access, destruction, loss, alteration, and disclosure. Safeguards include tenant isolation controls, encryption in transit, provider-managed encryption at rest, access controls, logging, and secure payment processing through Stripe.
7. Subprocessors
Customer authorizes Ruunly to use Subprocessors listed on Ruunly's Subprocessor List, which is made available to signed-in customers inside the Service (Settings → Subprocessors) and to prospects on request via Ruunly's contact form. Ruunly will impose written obligations on Subprocessors requiring them to protect Customer Data and process it only for the contracted services. Ruunly will provide at least 30 days' notice of a new or replacement Subprocessor by updating the in-app list and notifying Customer through the Service or by email. Customer may object in writing within that period; if the objection cannot be reasonably addressed, Customer may terminate the affected Service as its sole remedy.
8. Assistance
Ruunly will provide reasonable assistance, taking into account the nature of the Service and available information, to help Customer respond to privacy rights requests, security incidents, and compliance obligations. Ruunly may charge reasonable fees for assistance that exceeds standard product functionality or support.
9. Privacy Requests
If Ruunly receives a privacy request from an End Customer relating to Customer Data, Ruunly may direct the requester to Customer or forward the request to Customer. Customer is responsible for responding unless Data Protection Laws require Ruunly to respond directly.
10. Deletion and Return
Upon termination or Customer's request, Ruunly will delete or return Customer Data as described in the agreement and product documentation, unless retention is required or permitted by law, security, fraud prevention, dispute resolution, tax, accounting, backup, or compliance obligations.
11. Audits
Ruunly will provide information reasonably necessary to demonstrate compliance with this DPA. Customer may not conduct penetration testing, vulnerability scanning, or audits of Ruunly systems without Ruunly's prior written approval. Ruunly may satisfy audit obligations through security documentation, summaries, third-party reports, or written responses.
12. Security Incidents
Ruunly will notify Customer without undue delay after confirming a Security Incident affecting Customer Data, unless prohibited by law. Notice may include the nature of the incident, affected data categories, mitigation steps, and recommended customer actions, to the extent known.
13. International Transfers
Ruunly is designed for U.S. businesses and primarily uses U.S.-oriented infrastructure. If Customer Data is transferred internationally, Ruunly will use transfer mechanisms required by applicable law.
14. CCPA Service Provider Terms
For CCPA purposes, Ruunly acts as a service provider and contractor for Customer Data. Ruunly certifies that it understands and will comply with the restrictions in this DPA. Customer makes Customer Data available to Ruunly only for the limited and specified business purposes described in this DPA.
15. Order of Precedence
If this DPA conflicts with the agreement, this DPA controls for Personal Data processing. The agreement controls for all other matters.
16. Contact
Privacy and DPA questions: [email protected]