Data Processing Agreement
Last Updated: August 19, 2025
1. Introduction
2. Definitions
Capitalized words and phrases used in this DPA shall have the meanings set forth in this DPA unless Applicable Data Protection Law provides a different definition or meaning for the specific circumstance at issue. Capitalized words and phrases not defined in this DPA or by Applicable Data Protection Law shall have the meaning given to them in the Agreement.
The following definitions apply to this DPA:
“Applicable Data Protection Law” means applicable data privacy, data protection, and cybersecurity laws, rules, and regulations, each as amended from time to time, including but not limited to:
the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any binding regulations issued under either Act (“CCPA”);
the EU General Data Protection Regulation 2016/679, including the applicable implementing legislation of each Member State (“EU GDPR”);
the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”);
the Swiss Federal Act on Data Protection of 25 September 2020;
any applicable U.S. state privacy laws; and
any other applicable data protection law and any guidance or statutory codes of practice issued by any relevant regulatory authority.
“Client Personal Data” means all Personal Data that is Processed by Daytona on behalf of Client under the Agreement.
“Data Subject” (i) means the natural person or household to whom Personal Data pertains; and (ii) encompasses the terms “consumer” and “Data Subject” as defined under Applicable Data Protection Law.
“Data Subject Request” means any request made by a Data Subject to exercise rights granted under Applicable Data Protection Law, including but not limited to, a Data Subject’s request to access, correct, delete, opt out of certain Processing, or object to certain Processing.
“Personal Data” (i) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject; and (ii) encompasses the terms “Personal Data” and “personal information” as defined under Applicable Data Protection Law.
“Process,” “Processing,” or “Processed” means any operation or set of operations performed upon Personal Data. This includes but is not limited to collecting, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing, and destroying Personal Data.
“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for monetary or other valuable consideration.
“Sensitive Personal Data” shall have the meaning ascribed to “special category data,” “sensitive data,” “sensitive personal data,” or “sensitive personal information” under Applicable Data Protection Law.
“Services” shall mean the services as described in the Agreement or any related order form or statement of work.
“Standard Contractual Clauses” or “SCCs” means:
with respect to “restricted transfers” (as that phrase is defined under Applicable Data Protection Law) that are subject to the EU GDPR, or subject to other Applicable Data Protection Law pursuant to which the EU standard contractual clauses have been adopted, the Controller-to-Processor standard contractual clauses, as set out in Annex 1 to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”); and
with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).
“Subprocessor” shall mean any subcontractor (including any third party and/or Daytona affiliate) engaged by Daytona to Process Personal Data on behalf of Daytona or Client.
3. General; Term; Precedence
This DPA is effective upon Customer’s acceptance of the Daytona Terms of Service and remains in force for the duration of the Services. Except as modified in this DPA, the Agreement remains in full force and effect. If there is a conflict between this DPA and the Agreement, this DPA controls. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.
4. Relationship of the Parties
Roles of the Parties for Processing of Client Personal Data. The Parties acknowledge and agree that with regard to the Processing of Client Personal Data under this DPA, Client is the “Business” or “Controller,” and Daytona is the “Service Provider” or “Processor,” as defined by Applicable Data Protection Law.
5. Role and Scope of Processing
Details of Processing of Client Personal Data. The subject matter, nature, purpose and duration of the Processing of Client Personal Data, as well as the types of Client Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
Processing of Client Personal Data. Daytona is prohibited from Processing Client Personal Data for any purpose other than the specific purpose of performing the Services and in accordance with Client’s instructions. With respect to Client Personal Data Processed under the Agreement, Daytona:
shall at all times comply with Applicable Data Protection Law;
agrees that Client has the right to take reasonable and appropriate steps to help ensure that Daytona’s use of Client Personal Data is consistent with Client’s rights and obligations under Applicable Data Protection Law and the Agreement;
shall notify Client in writing of any determination by Daytona that (i) Client’s instructions regarding the Processing of Client Personal Data would breach Applicable Data Protection Law or the Agreement; or (ii) it can no longer meet its obligations under Applicable Data Protection Law or the Agreement;
agrees that Client has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data;
shall not Sell Client Personal Data or disclose Client Personal Data to third parties for the purposes of targeted or cross-context behavioral advertising;
shall not retain, use, or disclose Client Personal Data for any purpose, commercial or otherwise, other than for the specific purpose of performing the Services;
shall not retain, use, or disclose Client Personal Data outside of the direct business relationship between the Client and Daytona;
shall not combine Client Personal Data with Personal Data that Daytona receives from or on behalf of another business or person, or that it collects from its own interactions with Data Subjects.
To the extent Daytona receives deidentified data from Client or the Services allow for the deidentification of Client Personal Data, Daytona represents and warrants that it shall not reidentify, attempt to reidentify, or direct any other party to reidentify any Client Personal Data that has been deidentified.
Daytona certifies that it understands the restrictions set forth in this Section 5 and will comply with them.
6. Cross-Border Data Transfers
EEA Transfers. To the extent that the Services or Processing involve the transfer of Client Personal Data from a member state of the European Union or European Economic Area to or within any country that does not ensure an adequate level of protection according to the European Commission, the EU SCCs will apply, as follows:
Module 2 (Controller-to-Processor) will apply where Client is the data exporter and Daytona is the data importer;
Clause 7: The optional docking clause will not apply;
Clause 9: Option 2 will apply as per the terms set out in Section 14 of this DPA (Subprocessors);
Clause 11: The optional language will not apply;
Clause 17: Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
Clause 18(b): Disputes shall be resolved by the courts of Ireland;
Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A to this DPA;
Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B to this DPA; and
Annex III of the EU SCCs shall be deemed completed with the information set out in Exhibit C to this DPA.
UK Transfers. To the extent that the Services or Processing involve the transfer of Client Personal Data from the United Kingdom to or within any country that does not ensure an adequate level of protection according to the UK Information Commissioner’s Office, the UK SCCs will apply, as follows:
in Table 1, the parties’ contact information shall be satisfied by the information in Exhibit A;
in Table 2, the Approved EU SCCs shall be the EU SCCs, Module 2 (Controller-to-Processor);
references to Table 3 shall be satisfied by the applicable information in Exhibits A, B, and C; and
in Table 4, the Importer shall have the rights outlined in Section 19 of the UK SCCs.
Swiss Transfers. To the extent that the Services or Processing involve the transfer of Client Personal Data from Switzerland to or within any country that does not ensure an adequate level of protection according to the Federal Data Protection and Information Commissioner, the following terms will apply:
the term “Member State” as used in EU SCCs shall be interpreted as including Switzerland and Data Subjects in Switzerland; and
Data Subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of EU SCCs.
Transfers From Other Jurisdictions. To the extent that the Services or Processing involve the transfer of Client Personal Data from countries, nations, or jurisdictions not accounted for above to other countries, nations, or jurisdictions, Daytona shall cooperate with Client to ensure that such transfers comply with Applicable Data Protection Law including, when the Parties agree, by amending this DPA or entering into model agreements authorized under Applicable Data Protection Law.
7. Impact Assessments, Consultations & Data Subject Requests
Assistance. Daytona shall provide Client reasonable assistance in conducting any privacy impact assessments, responding to requests from regulatory authorities, and performing prior consultations with regulatory authorities, each only to the extent required by Applicable Data Protection Law. Where Client cannot reasonably fulfill a Data Subject request using the Services’ available functionality, Daytona shall provide reasonable assistance, taking into account the nature of the Processing and information available to Daytona. Daytona may charge Client on a time-and-materials basis for such assistance, except where the request arises from Daytona’s breach of this DPA.
8. Return or Deletion of Client Personal Data
Deletion of Client Personal Data. At the termination or expiration of the Agreement or at the request of Client, Daytona shall promptly either return or delete all Client Personal Data (whichever is requested by Client). However, if Daytona is required by Applicable Data Protection Law or any other applicable law to retain any Client Personal Data, Daytona may retain the minimal amount of Client Personal Data required by law. If Daytona is required by law to retain any Client Personal Data after termination or expiration of the Agreement, Daytona will continue to safeguard Client Personal Data in accordance with Applicable Data Protection Law and the terms of this DPA.
9. Security
Personal Data Security. Daytona shall implement and maintain appropriate technical and organizational measures designed to ensure the security of the Client Personal Data it Processes as set forth in Exhibit B.
Confidentiality. Daytona shall ensure that all persons Processing Client Personal Data on its behalf, including Daytona’s and its Subprocessors’ employees, agents, and contractors, are subject to a contractual duty of confidentiality or are under an appropriate statutory obligation of confidentiality.
10. Audits and Reviews of Compliance
Records and Audits. Daytona shall maintain complete and accurate records regarding the Processing it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with the obligations under this DPA and Applicable Data Protection Law. Daytona uses independent third-party auditors to verify its security controls (e.g., SOC2, ISO 27001). Upon written request, Daytona will provide Client with a copy of its most recent certifications or audit reports, subject to reasonable confidentiality obligations. Client agrees these reports satisfy its audit rights under Applicable Data Protection Law. On-site inspections may only be conducted if required by law or if such reports are demonstrably insufficient.
11. Third-Party Disclosure Requests
Unless prohibited by applicable law, Daytona shall notify Client of any inquiry, communication, request or complaint, to the extent relating to Daytona’s Processing of Client Personal Data, from: (i) any government or private entity, organization, or authority, including but not limited to a data protection authority or the U.S. Federal Trade Commission; and/or (ii) any individual. Daytona shall, taking into account the nature of the Processing, provide reasonable assistance to enable Client to respond to such inquiries, communications, requests, or complaints, and to meet applicable legal deadlines. Daytona shall not disclose Client Personal Data to any of the persons or entities above unless it is legally required to do so and has otherwise complied with the obligations in this DPA.
12. Regulatory Fines
Each Party is solely responsible for any fines or penalties imposed directly on it by a supervisory authority under Article 83 GDPR or equivalent provisions of Applicable Data Protection Law. Neither Party indemnifies the other for such fines.
13. Client Obligations
Client shall: (1) comply with Applicable Data Protection Law in its use of the Services; (2) ensure that it has established a legal basis for Daytona’s Processing of the Client Personal Data; (3) be solely responsible for ensuring that it has obtained all necessary consents and rights from Data Subjects for the Processing activities performed by Daytona; and (4) not disclose or make available to Daytona, request that Daytona Process, or use the Services to Process, Sensitive Personal Data.
14. Subprocessors
Client authorizes Daytona to engage Subprocessors to Process Client Personal Data under the Agreement. Daytona shall remain liable for any Processing of Client Personal Data by each such Subprocessor as if it had undertaken such Processing itself. Daytona will contractually impose obligations on its Subprocessors that are substantially similar to, and no less onerous than, those imposed on Daytona under this DPA. Daytona will notify Client of any intended new Subprocessor by updating Exhibit C and, if subscribed, by email. If Client objects based on reasonable data protection concerns, the parties will discuss in good faith. If no resolution is reached, Client’s sole and exclusive remedy shall be to terminate the Agreement for convenience. Daytona remains liable for its Subprocessors’ acts and omissions.
15. Security Incident
Upon becoming aware of a Security Incident, Daytona will notify Client without undue delay. Notification may be delayed at the request of law enforcement or where delay is reasonably necessary for Daytona to investigate and remediate the incident. Such notifications shall include information Client may reasonably request to meet its obligations under Applicable Data Protection Law. Daytona shall make commercially reasonable efforts to investigate and mitigate the effects of any Security Incident. Daytona shall provide Client with reasonable assistance to satisfy Client’s legal obligations in relation to the Security Incident.
By accepting the Terms of Service, Customer agrees to this DPA. No separate signature is required.
Exhibit A
DETAILS OF PROCESSING OF PERSONAL DATA
A. List of Parties
Data Exporter (Client) Details
Name: The Customer agreeing to the Daytona Terms of Service
Role: Controller
Address: As provided by the Customer in their Daytona account
Activities Relevant to the data transferred: Receipt and use of the Services under the Agreement
Contact details: As provided by the Customer in their Daytona account
Signature and date: By creating an account or otherwise accepting the Daytona Terms of Service, Customer is deemed to have signed this DPA (including the SCCs) as of the Effective Date of the Agreement.
Data Importer (Daytona) Details
Name: Daytona Platforms Inc.
Role: Processor
Address: 224 W 35th St, Ste 500 #297, New York, NY 10001, United States
Activities Relevant to the data transferred: Provision of the Services as agreed in the Agreement
Contact details: privacy@daytona.io
Signature and date: By providing the Services, Daytona is deemed to have signed this DPA (including the SCCs) as of the Effective Date of the Agreement.
B. Description of Transfer
Categories of Data Subjects: Users, customers, employees, contractors, and other individuals whose data the Customer submits to or processes through the Services.
Categories of Personal Data: Identifiers and related Personal Data entered into the Services by the Customer (e.g., names, emails, payment details, API keys, usage data, and any other data the Customer chooses to process).
Sensitive/Special Category Personal Data: None (customers must not submit sensitive data).
Frequency of Processing/Transfers: Continuous for the duration of the Agreement.
Nature and Purpose of Processing: To provide and support the Services in accordance with the Agreement and this DPA.
Period of Retention: Daytona processes Personal Data for the duration of the Agreement, or until the Customer instructs deletion, unless retention is required by law.
Transfers to Subprocessors: Subject matter, nature, and duration as specified in the Agreement and in Exhibit C (Subprocessors).
C. Competent Supervisory Authority
The competent supervisory authority shall be the Irish Data Protection Commission (unless otherwise required by Applicable Data Protection Law).
Exhibit B
TECHNICAL AND ORGANIZATIONAL MEASURES
Daytona implements and maintains a risk-based information security program that includes administrative, technical, and physical safeguards designed to protect Client Personal Data. These measures include, at a minimum:
Encryption
Encryption of data in transit and at rest.
Access Controls
Role-based and least-privilege access controls with prompt revocation.
Secure authentication practices, including MFA for administrative access.
System Security & Monitoring
Logging and monitoring of systems processing Client Personal Data.
Regular vulnerability scanning, penetration testing, and third-party security audits.
Business Continuity & Disaster Recovery
Disaster recovery and business continuity planning with tested backups.
Secure Development & Change Management
Secure software development lifecycle (SDLC), including code reviews and testing.
Personnel Security
Annual mandatory security and privacy training for employees.
Physical Security
Physical and environmental security provided by Daytona’s infrastructure providers (e.g., AWS/OVH/Latitude).
Exhibit C
SUBPROCESSORS
Authorization
Customer authorizes Daytona to engage Subprocessors to process Client Personal Data in connection with the Services. Daytona will remain responsible for each Subprocessor’s compliance with this DPA.
Obligations
Daytona will enter into written agreements with each Subprocessor imposing data protection obligations substantially similar to those outlined in this DPA.
Current Subprocessors
Daytona currently engages the following Subprocessors to support delivery of the Services:
| Subprocessor | Service Provided | Location |
| --- | --- | --- |
| Stripe | Payment processing | USA |
| Lago | Billing Infrastructure | USA |
| AWS | Cloud Infrastructure | USA |
| OVH SAS | Cloud Infrastructure | France |
| Latitude | Cloud Infrastructure | Brazil |
| Leaseweb | Cloud Infrastructure | USA |
| Hetzner | Cloud Infrastructure | Germany |
| Posthog | Analytics | USA |
| Auth0 | Identity Services | USA |
| Customer.io | Customer Communication | USA |
| Pylon | Customer Support | USA |
| Slack | Customer Collaboration | USA |
Updates
Daytona may update this list from time to time. Customers will be notified of material changes in accordance with the Agreement.
Right to Object
If Customer reasonably objects to the appointment of a new Subprocessor based on data protection concerns, the parties will discuss such concerns in good faith. If no resolution is reached, Customer may terminate the Agreement for convenience as its sole and exclusive remedy.