
Riptides Data Processing Addendum (DPA)

Last updated: Jun 12, 2026.


How this DPA is entered into

This Data Processing Addendum forms part of, and is incorporated by reference into, the Terms between Riptides Labs, Inc. (“Riptides,” “Processor”) and the customer (“Customer,” “Controller”). It applies where and to the extent Riptides processes Customer Personal Data on Customer’s behalf in connection with the Service.

  • Self-serve acceptance. By accepting the Terms or using the Service, Customer agrees to this DPA. Riptides accepts this DPA on the terms set out here; the version published at https://riptides.io/dpa is deemed pre-executed by Riptides, and Customer’s acceptance of the Terms completes it. No further signature is required for it to be binding.
  • Offline execution. Where Customer requires a counter-signed copy, the parties may execute the signature block in the Annexes; the signed version controls for that Customer.

1. Definitions

  • Data Protection Laws means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK GDPR and UK Data Protection Act 2018, the Swiss FADP, and applicable U.S. state privacy laws.
  • Customer Personal Data means personal data within Customer Data and Telemetry that Riptides processes on Customer’s behalf under the Terms.
  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process/Processing, Supervisory Authority have the meanings in the EU GDPR.
  • Sub-processor means any processor engaged by Riptides to process Customer Personal Data.
  • Standard Contractual Clauses (“SCCs”) means the clauses approved by EU Commission Implementing Decision 2021/914, and, as applicable, the UK International Data Transfer Addendum and the Swiss adaptations.

2. Roles and scope

The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller and Riptides is the Processor (or, where Customer is itself a processor for a third party, Riptides is a sub-processor). Riptides processes Customer Personal Data only to provide the Service and as instructed by Customer.

For clarity, personal data that Riptides processes as a controller — for example, account, billing, website, and product-usage data described in the Privacy Policy — is not Customer Personal Data and is governed by the Privacy Policy, not this DPA.

3. Processing instructions

Riptides will process Customer Personal Data only on Customer’s documented instructions, including as set out in the Terms, this DPA, and Customer’s configuration and use of the Service, unless required by law (in which case Riptides will, where legally permitted, inform Customer first). Riptides will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Riptides will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

5. Security

Riptides will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, and risk of processing, as described in Annex B.

6. Sub-processors

Customer provides general authorization for Riptides to engage Sub-processors. Riptides will (a) maintain a current list of Sub-processors (Annex C); (b) impose data protection obligations on each Sub-processor substantially equivalent to this DPA; (c) remain liable for its Sub-processors’ acts and omissions; and (d) give Customer notice of intended changes (additions/replacements) with a reasonable period to object on reasonable data-protection grounds.

7. Data subject requests

Taking into account the nature of the processing, Riptides will assist Customer by appropriate measures, insofar as possible, to respond to Data Subject requests to exercise their rights. If Riptides receives such a request directly, it will, where permitted, refer the Data Subject to Customer and not respond except on Customer’s instruction.

8. Assistance, breach notification, and DPIAs

Riptides will provide reasonable assistance to Customer with security, breach notification, data protection impact assessments, and prior consultations, taking into account the nature of processing and information available to Riptides.

Personal Data Breach. Riptides will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer with its own notification obligations.

9. International transfers

Where Riptides processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country without an adequacy decision, the parties agree the SCCs (and the UK Addendum / Swiss adaptations as applicable) are incorporated into this DPA and apply to that transfer, with:

  • Module Two (controller-to-processor) where Customer is a controller, or Module Three (processor-to-processor) where Customer is a processor;
  • the Annexes to the SCCs populated by Annexes A–C of this DPA;
  • the optional docking clause, with the law of Ireland as governing law and the Irish Data Protection Commission as competent supervisory authority, as further set out in Annex D.

10. Deletion or return

On termination of the Service, Riptides will, at Customer’s choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law. This complements the Customer’s obligation under the Terms to uninstall the Agent Software.

11. Audits and information

Riptides will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

12. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Terms.

13. Term

This DPA takes effect when the Terms are accepted (or when an offline copy is executed) and continues while Riptides processes Customer Personal Data. Provisions that should survive termination do so.

14. Order of precedence and governing law

With respect to the processing of Customer Personal Data, this DPA controls over any conflicting term in the Terms. The SCCs control over this DPA to the extent of any conflict regarding the relevant transfer. Governing law follows the Terms except where Data Protection Laws or the SCCs require otherwise.


Annex A — Details of the processing

  • Subject matter: provision of the Riptides Service (Console + Agent Software), including the transmission and processing of Telemetry from Customer Infrastructure to the Console.

  • Duration: the term of the Service plus any retention period required by law or described in the Privacy Policy and Section 10 of this DPA.

  • Nature and purpose: providing, operating, securing, supporting, monitoring, and maintaining the Service; performing identity, access-control, and enforcement functions; transmitting, storing, and processing Telemetry for those purposes; and providing technical support to Customer.

  • Types of Customer Personal Data: to the extent the following constitute personal data in Customer’s environment —

    • host, cluster, node, and tenant identifiers; hostnames and machine names;
    • IP addresses (source/destination) and network metadata;
    • operating system, kernel, and architecture details; agent and service/workload identifiers;
    • process, container, and workload metadata (e.g., process names, command paths, parent/child relationships);
    • identity and access-control records: service-account, workload-identity, and (where present in Customer’s environment) user identifiers associated with access events;
    • policy definitions, policy-decision records (allow/deny), authentication and authorization events, and audit logs;
    • performance metrics, error and crash diagnostics, and configuration data.

    Riptides does not intend for Telemetry to include message content/payload data or credential or secret material; the precise contents are determined by the Agent Software’s behavior and Customer’s configuration.

  • Categories of Data Subjects: Customer’s personnel and administrators who configure or operate the Service; Customer’s developers and operators whose activity generates access events; service accounts and workload identities attributable to natural persons; and, only where identifiable from Telemetry, end users of Customer’s systems.

  • Special categories of data: None intended or required. The Service is not designed to process special-category data, and Customer should not configure it to transmit such data.

  • Frequency: continuous, on an ongoing basis for the duration of Customer’s use of the Service.

Annex B — Technical and organizational measures

Riptides maintains the following technical and organizational measures, which may be updated to reflect the evolving state of the art provided the level of protection is not materially reduced.

  • Access control. Role-based access control to production systems on a least-privilege, need-to-know basis; unique named accounts; mandatory multi-factor authentication for administrative and remote access; prompt revocation of access on role change or departure; periodic access reviews.
  • Encryption. Customer Personal Data encrypted in transit using TLS 1.2+ between the Agent Software, the Console, and clients; encryption at rest for data stored in the Console and backups using industry-standard algorithms (e.g., AES-256). Mutual TLS / authenticated channels are used for Agent-to-Console communication.
  • Network and environment security. Segregation of production from non-production environments; network segmentation, firewalls, and security groups; no production Customer Personal Data in development or test environments; secrets managed through a dedicated secrets manager.
  • Logging and monitoring. Centralized audit logging of access to production systems; security event monitoring and alerting; tamper-resistant log retention; time synchronization.
  • Secure development. Secure SDLC practices including peer code review, dependency and vulnerability scanning, static analysis, and separation of duties for deployment; change management and release controls.
  • Vulnerability and patch management. Regular vulnerability scanning, risk-based remediation timelines, and timely patching of infrastructure and dependencies, with particular attention to the kernel-level components of the Agent Software.
  • Multi-tenancy and data segregation. Logical separation of Customer data within the Console so that each Customer’s data is isolated and accessible only to that Customer and authorized Riptides personnel.
  • Personnel. Confidentiality obligations for all personnel; background checks where lawful; security and privacy awareness training; documented onboarding/offboarding.
  • Business continuity and resilience. Regular, encrypted backups; documented backup-restoration procedures; redundancy across availability zones; disaster-recovery planning with defined recovery objectives.
  • Incident response. Documented incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review; defined process for notifying Customers of Personal Data Breaches without undue delay (Section 8).
  • Sub-processor and supplier management. Due-diligence and contractual data-protection requirements imposed on Sub-processors (Section 6 and Annex C).
  • Physical security. Production infrastructure hosted with reputable cloud providers operating accredited data centers (e.g., SOC 2 / ISO 27001) with physical access controls, environmental controls, and 24/7 monitoring; Riptides does not operate its own data centers.

Annex C — Sub-processors

Riptides engages the following Sub-processors to process Customer Personal Data in connection with the Service. The current list is also available on request.

Sub-processor      Service provided                                Processing location
Stripe, Inc.       Payment processing and billing (paid plans)     US / EU
PostHog, Inc.      Product analytics and usage telemetry           US / EU
HubSpot, Inc.      CRM, marketing, and customer communications     US / EU

Riptides Kft. (Hungary), an Affiliate of Riptides Labs, Inc., supports operation and provision of the Service and is treated as part of the Riptides group rather than a third-party Sub-processor.

Annex D — Standard Contractual Clauses

For transfers to which Section 9 applies, the EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA and completed as follows:

  • Modules. Module Two (Controller-to-Processor) applies where Customer acts as a controller; Module Three (Processor-to-Processor) applies where Customer acts as a processor for a third-party controller.
  • Clause 7 (Docking clause): applies.
  • Clause 9 (Use of sub-processors): Option 2 (general written authorization); the change notice period in Section 6 of this DPA applies.
  • Clause 11 (Redress): the optional independent-dispute-resolution language does not apply.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.
  • Annex I.A (Parties): Customer is the data exporter; Riptides Labs, Inc. is the data importer. Contact details are those in the Terms and account record.
  • Annex I.B (Description of transfer): as set out in Annex A of this DPA.
  • Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, determined in accordance with Clause 13.
  • Annex II (Technical and organizational measures): as set out in Annex B of this DPA.
  • Annex III (Sub-processors): as set out in Annex C of this DPA.

UK transfers. The UK International Data Transfer Addendum to the EU SCCs (the “UK Addendum”), issued by the UK Information Commissioner, is incorporated for transfers subject to the UK GDPR, with the EU SCCs as completed above forming the “Approved EU SCCs” for the purposes of the UK Addendum.

Swiss transfers. For transfers subject to the Swiss FADP, the EU SCCs apply with the adaptations issued by the Swiss Federal Data Protection and Information Commissioner (references to the GDPR read as references to the FADP; the FDPIC as supervisory authority; and protection extended to legal entities where applicable).

Copyright © 2026 Riptides Labs. All rights reserved.