Data Processing Agreement

GDPR Article 28 Compliant Template — Last updated: April 1, 2026

This Data Processing Agreement ("DPA") is entered into between FaultRay ("Data Processor") and the Customer ("Data Controller") identified in the applicable order form or subscription agreement.

1. Definitions

•"Personal Data" — Any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).
•"Processing" — Any operation performed on Personal Data, as defined under GDPR Article 4(2).
•"Data Controller" — The Customer who determines the purposes and means of processing Personal Data.
•"Data Processor" — FaultRay, which processes Personal Data on behalf of the Data Controller.
•"Sub-processor" — Any third party engaged by FaultRay to assist in processing Personal Data.
•"GDPR" — Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope and Purpose

This DPA governs the processing of Personal Data by FaultRay on behalf of the Customer in connection with the provision of the FaultRay infrastructure chaos engineering platform (the "Service").

FaultRay processes Personal Data only for the purpose of providing, maintaining, and improving the Service as described in the main Terms of Service, and only on documented instructions from the Customer.

3. Nature, Purpose, and Duration of Processing

Item	Details
Subject matter	Operation of the FaultRay platform
Nature	Collection, storage, transmission, analysis, deletion
Purpose	User authentication, service delivery, support, analytics
Duration	For the term of the subscription agreement, plus 30-day retention period
Categories of data subjects	Customer employees and authorized users of the Service
Categories of personal data	Name, email address, IP address, usage logs, authentication tokens

4. Processor Obligations (GDPR Article 28)

FaultRay, as Data Processor, shall:

•Process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law.
•Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
•Implement appropriate technical and organizational security measures in accordance with GDPR Article 32.
•Respect the conditions for engaging Sub-processors as set forth in Section 5.
•Assist the Data Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III.
•Assist the Data Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs).
•Delete or return all Personal Data to the Data Controller upon termination of the Service, unless required to retain it by applicable law.
•Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for audits.

5. Sub-processors

The Customer grants FaultRay general authorization to engage Sub-processors, subject to the following conditions:

•FaultRay will maintain a list of current Sub-processors and provide at least 14 days' prior notice of any intended changes.
•The Customer may object to new Sub-processors on reasonable grounds within 14 days of notice.
•FaultRay imposes equivalent data protection obligations on each Sub-processor.

Current Sub-processors:

Sub-processor	Purpose	Location
Supabase	Authentication, database hosting	USA (AWS us-east-1)
Vercel	Application hosting and edge delivery	Global CDN
Stripe	Payment processing	USA
Google Analytics	Usage analytics (consent-gated)	USA

6. Security Measures (GDPR Article 32)

FaultRay implements the following technical and organizational measures to protect Personal Data:

•Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
•Access controls: role-based access, least privilege principle.
•Authentication: OAuth2/PKCE via Supabase Auth with secure session management.
•Logging and monitoring: access and security event logs retained for 90 days.
•Incident response: breach detection procedures with 72-hour notification capability.
•Regular security assessments and penetration testing.

7. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), FaultRay ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission. Customers may request copies of applicable SCCs by contacting hello@faultray.com.

8. Data Subject Rights

FaultRay will assist the Data Controller in fulfilling data subject requests within the timeframes required by GDPR, including:

•Right of access (Article 15)
•Right to rectification (Article 16)
•Right to erasure / right to be forgotten (Article 17)
•Right to restriction of processing (Article 18)
•Right to data portability (Article 20)
•Right to object (Article 21)

9. Personal Data Breach Notification

In the event of a Personal Data breach, FaultRay will notify the Data Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification will include: (a) the nature of the breach; (b) categories and approximate number of data subjects and records concerned; (c) likely consequences; (d) measures taken or proposed to address the breach.

10. Audit Rights

The Data Controller may, upon 30 days' written notice, conduct or commission an audit of FaultRay's data processing activities to verify compliance with this DPA. Audits shall not unreasonably interfere with FaultRay's operations. FaultRay may satisfy audit requests by providing relevant certifications or third- party audit reports.

11. Term and Termination

This DPA is effective for the duration of the underlying subscription agreement. Upon termination, FaultRay will delete or return all Personal Data within 30 days, unless longer retention is required by applicable law.

12. Contact

For data protection inquiries or to execute a signed DPA for enterprise agreements, contact:

FaultRay — Data Protection

Email: hello@faultray.com

Website: https://faultray.com

Loading… / 読み込み中…