Effective date: 2026-05-31
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between RFPvault (registered in Sweden) ("ruledoc", "Processor") and the customer that has accepted the Terms of Service ("Customer", "Controller"). It governs Processor's processing of personal data on behalf of Controller in connection with the Service.
In the event of conflict between this DPA and the Terms of Service in respect of personal-data processing, this DPA prevails. In all other respects, the Terms of Service prevail.
This DPA reflects the requirements of Article 28 GDPR (Regulation (EU) 2016/679) and applies in addition to any directly-applicable mandatory law (including the Swedish Data Protection Act 2018:218).
1. Definitions
Capitalised terms have the meaning given in the Terms of Service or, if not defined there, in the GDPR. In particular:
- "Personal Data" has the meaning in Art. 4(1) GDPR.
- "Processing" has the meaning in Art. 4(2) GDPR.
- "Controller" has the meaning in Art. 4(7) GDPR - Customer.
- "Processor" has the meaning in Art. 4(8) GDPR - ruledoc.
- "Sub-processor" means any processor engaged by Processor to process Personal Data under this DPA.
- "Personal Data Breach" has the meaning in Art. 4(12) GDPR.
- "Data Subject" has the meaning in Art. 4(1) GDPR.
- "SCCs" means the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject matter and duration (Art. 28(3))
2.1 Subject matter
This DPA governs the processing of Personal Data by Processor on behalf of Controller in connection with the Service: parsing of Customer-supplied firewall configurations and generation of compliance reports and audit evidence packs.
2.2 Duration
This DPA takes effect on the effective date of the Terms of Service and remains in force for as long as Processor processes Personal Data on behalf of Controller. Sections that by their nature should survive (including sections 8 (security), 9 (breach), 10 (return/deletion), and 12 (governing law)) survive termination.
3. Nature and purpose of processing (Art. 28(3))
Processor processes Personal Data only for the following purposes, and only on documented instructions from Controller (Art. 28(3)(a)):
- (a) ingesting Customer-supplied firewall configuration files;
- (b) parsing those files into an internal structured format;
- (c) running compliance checks against frameworks such as NIS2, PCI-DSS, ISO 27001, CIS Benchmarks, NIST CSF, and SOC 2;
- (d) generating PDF audit-evidence packs;
- (e) sending minimised, parsed rule data to an authorised AI sub-processor (currently Anthropic) for text generation used in reports;
- (f) storing Output for the retention period of Customer's Subscription Plan;
- (g) providing support to Controller and Users.
Controller's documented instructions are: (i) the Terms of Service, (ii) this DPA, (iii) configurations Controller chooses to upload through the Service interface, and (iv) any further written instructions Controller delivers to privacy@ruledoc.io. Processor will inform Controller if, in Processor's opinion, an instruction infringes the GDPR or other applicable data-protection law (Art. 28(3) last paragraph).
4. Categories of Personal Data (Art. 28(3))
The categories of Personal Data covered by this DPA are limited to the following, all of which originate from Controller:
- (a) Account-holder details: name, business email, organisation name;
- (b) Personal data contained inside Customer-supplied firewall configurations - typically usernames in source-user-based policy rules, occasionally email addresses or hostnames identifying individuals;
- (c) Service-usage metadata associated with Controller's account: IP addresses of Users, request logs.
Processor does not process special-category data (Art. 9) or criminal-conviction data (Art. 10) deliberately. Controller agrees not to upload configurations whose primary purpose is to convey such data.
5. Categories of Data Subjects (Art. 28(3))
- (a) Controller's authorised Users (employees, contractors of Controller);
- (b) Controller's end users whose identifiers appear in Controller's firewall policy rules (typically employees of Controller).
6. Controller obligations
Controller represents and warrants that:
- (a) it has a valid lawful basis under Art. 6 GDPR (and, where applicable, Art. 9) for the processing it instructs Processor to perform;
- (b) it has provided any required information to Data Subjects under Art. 13/14 and obtained any consents required;
- (c) Personal Data uploaded to the Service is lawfully obtained and may lawfully be processed in the manner contemplated by the Service;
- (d) Controller's instructions to Processor will not cause Processor to breach the GDPR.
Controller indemnifies Processor against any third-party claim arising from Controller's breach of this section 6, except to the extent the claim arises from Processor's breach of this DPA.
7. Processor obligations (Art. 28(3))
Processor will:
7.1 Processing on instructions only (Art. 28(3)(a))
Process Personal Data only on Controller's documented instructions, including with regard to transfers, unless required by Union or Member State law to which Processor is subject. In that case, Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
7.2 Confidentiality (Art. 28(3)(b))
Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
7.3 Security (Art. 28(3)(c); Art. 32)
Implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the risk to Data Subjects' rights and freedoms. Current measures are set out in Annex 2 to this DPA.
7.4 Sub-processors (Art. 28(2), 28(3)(d), 28(4))
Engage Sub-processors only as set out in section 11 below.
7.5 Data-subject rights assistance (Art. 28(3)(e))
Assist Controller, by appropriate technical and organisational measures and taking into account the nature of the processing, to fulfil Controller's obligation to respond to requests from Data Subjects exercising their rights under Arts. 15–22 GDPR. In particular, Processor offers Controller-facing tools to access, export, rectify, and delete Personal Data through the Service interface.
7.6 Assistance with Controller compliance obligations (Art. 28(3)(f))
Assist Controller in complying with Arts. 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to Processor. Processor may charge for assistance that exceeds reasonable amounts to be specified in writing on request.
7.7 Audit cooperation (Art. 28(3)(h))
Make available to Controller all information necessary to demonstrate compliance with Art. 28 GDPR; allow for, and contribute to, audits as set out in section 12 below.
7.8 Records (Art. 30(2))
Maintain a record of processing activities carried out on behalf of Controller, available to Controller or supervisory authorities on request.
8. Security measures (Art. 32)
Processor implements appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risk to Data Subjects' rights and freedoms. Current measures are set out in Annex 2 to this DPA and cover, among other things, encryption in transit and at rest, authentication and access controls, removal of secret material from uploaded configurations before analysis or storage, logging and monitoring, vulnerability management, encrypted backups, a documented incident-response procedure, and personnel confidentiality undertakings.
Processor may update Annex 2 from time to time, provided the overall security level is not reduced.
9. Personal-Data Breach notification (Art. 33)
Processor will notify Controller of any Personal-Data Breach affecting Controller's Personal Data without undue delay after becoming aware of the Breach. The notification will include:
- a description of the nature of the Breach, including (where possible) the categories and approximate number of Data Subjects and records affected;
- the name and contact details of Processor's contact for further information (privacy@ruledoc.io);
- the likely consequences of the Breach;
- the measures taken or proposed to address the Breach and mitigate adverse effects.
Where Processor cannot provide all information at once, it will provide it in stages without further undue delay (Art. 33(4)).
This notification is intended to give Controller time to assess the Breach and, where required, to notify the supervisory authority within the GDPR timeline (Art. 33).
Processor will not, on its own initiative, notify any third party (supervisory authority, Data Subject, media) of the Breach unless required by law or pre-authorised by Controller.
10. Return or deletion at end of services (Art. 28(3)(g))
On termination of the Service in respect of Controller, Processor will, at Controller's choice expressed by email to privacy@ruledoc.io within 30 days of termination:
- (a) return Personal Data to Controller in a structured, commonly used, machine-readable format; or
- (b) delete Personal Data and confirm deletion in writing.
Absent an instruction by the end of that 30-day window, Processor will delete all Personal Data within 30 further days, except (i) where retention is required by Union or Member State law, or (ii) anonymised aggregate data that no longer constitutes Personal Data.
Backups containing Personal Data are subject to the rolling 30-day backup retention; deletion from backups occurs by automatic rotation within 30 days of primary deletion.
11. Sub-processors (Art. 28(2), 28(4))
11.1 General authorisation
Controller grants Processor a general written authorisation to engage Sub-processors. Current authorised Sub-processors are listed in Annex 1 and at /legal/sub-processor-list.
11.2 Notification of changes
Processor will notify Controller of any intended addition or replacement of Sub-processors at least 30 days in advance by email to the account contact (or by updating the public list with an in-Service announcement).
11.3 Right to object
Controller may object to a new Sub-processor on reasonable data-protection grounds within 14 days of notification. If the parties cannot agree on a resolution within a further 30 days, Controller may terminate the affected portion of the Service without penalty and, in accordance with section 9.5 of the Terms of Service, receive a refund of fees paid for that portion.
11.4 Equivalent obligations
Processor will impose on each Sub-processor data-protection obligations substantially equivalent to those in this DPA (Art. 28(4)).
11.5 Liability for Sub-processors
Processor remains fully liable to Controller for the performance of each Sub-processor's obligations (Art. 28(4)).
12. Audit rights (Art. 28(3)(h))
12.1 Information first
On reasonable written request, and no more than once per calendar year absent cause, Processor will provide Controller with information necessary to demonstrate compliance with this DPA, including:
- (a) most recent third-party audit reports (e.g., SOC 2, ISO 27001) where available;
- (b) summary of internal security testing;
- (c) confirmation of Sub-processor compliance.
12.2 On-site audit
If the information provided under section 12.1 is insufficient and Controller has a reasonable basis to believe that Processor is in material breach of this DPA, Controller (or its authorised auditor, who must be bound by confidentiality and not be a competitor of Processor) may conduct an on-site audit on at least 30 days' written notice, during normal business hours, without disrupting Processor's normal operations, and at Controller's cost.
12.3 Limits
Audits must not require Processor to disclose data of any other customer or to breach any obligation of confidentiality to a third party.
13. International transfers (Arts. 44–49)
Processor processes Personal Data primarily in the EU/EEA (Hetzner, Finland).
Where Personal Data is transferred to a Sub-processor outside the EU/EEA, Processor will ensure an appropriate transfer mechanism is in place, including:
- (a) adequacy decision under Art. 45;
- (b) Standard Contractual Clauses under Art. 46(2)(c) (Commission Implementing Decision (EU) 2021/914), with appropriate Module(s) and supplementary measures;
- (c) other lawful safeguards as available under Arts. 46–49.
For transfers to Anthropic, PBC (United States), the SCCs (Module Two: Controller-to-Processor) are incorporated by reference, supplemented by the data-minimisation measures described in section 4 (minimised data only; no raw configuration text; no secrets transmitted).
For transfers to Postmark (ActiveCampaign, LLC) (United States), the SCCs (Module Two: Controller-to-Processor) are incorporated by reference. The data transferred is limited to recipient email addresses and the content of transactional emails.
14. Liability
The limitation-of-liability clause in the Terms of Service (section 8 of the Terms of Service) applies to liability under this DPA, except to the extent that mandatory law (including Art. 82 GDPR liability of joint actors) provides otherwise.
Each party remains responsible for its own administrative fines under Art. 83 GDPR.
15. Governing law
This DPA is governed by Swedish law and the GDPR. Disputes are subject to the same forum and dispute-resolution provisions as the Terms of Service (section 12).
16. Order of precedence
If there is a conflict, the following order applies, from highest priority:
- Mandatory law (including the GDPR);
- The SCCs (where incorporated for international transfers);
- This DPA;
- The Terms of Service;
- Any Customer order form.
Annex 1 - Authorised Sub-processors
The current list of Sub-processors is published at /legal/sub-processor-list and is incorporated into this DPA by reference. At the effective date, it includes:
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting (compute, storage, DB) | Finland (EU) | N/A - within EEA |
| Anthropic, PBC | AI text-generation service (report content) | United States | SCCs (Module Two) + data-minimisation |
| Postmark (ActiveCampaign, LLC) | Transactional email (account, billing, password reset) | United States | SCCs (Module Two) |
Paddle (Paddle.com Market Limited) acts as Merchant of Record and independent controller for payments, billing, and tax. It is shown on the public Sub-processor List for transparency but is not a Processor under this DPA.
Annex 2 - Technical and Organisational Measures (Art. 32)
| Domain | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ on all public endpoints; HSTS enforced |
| Encryption at rest | Database and backup encryption (AES-256 or equivalent) |
| Pseudonymisation | Data sent to the AI sub-processor is minimised and contains no raw configuration text or secrets |
| Access control | Role-based access; least privilege; MFA for admin accounts |
| Authentication | Per-user accounts (email-verified); modern password hashing |
| Logging | Structured event logs; 30-day retention; admin-action audit log |
| Vulnerability management | Dependency scanning; patching cadence on disclosed CVEs |
| Backups | Nightly encrypted backups; 30-day rolling retention; off-site copy |
| Secret-handling in configs | Secret material (PSKs, passwords, RADIUS/LDAP/TACACS shared secrets, API keys, private keys, SNMP communities, SSH host keys) is removed before a configuration is analysed or stored and replaced with non-reversible placeholders; originals are not stored or recoverable; an audit record of type and length only is retained; additional masking is applied to report evidence and to LLM input |
| Incident response | Documented procedure; breach notification to the controller without undue delay |
| Personnel | Confidentiality undertakings; access provisioning/de-provisioning procedures |
| Physical security | Hetzner data-centre controls (ISO 27001 certified) |
| Business continuity | Hetzner SLA + nightly off-site backups |
Processor may update the measures in this Annex 2 from time to time provided the overall security level is not reduced.
Annex 3 - Standard Contractual Clauses (where applicable)
Where required by section 13, the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference, with the following completion:
- Module: Module Two (Controller-to-Processor)
- Clause 7 (docking): Optional; not invoked unless agreed
- Clause 9(a) (Sub-processor authorisation): Option 2 - General written authorisation, with 30-day prior notice as set out in section 11.2
- Clause 11(a) (independent dispute resolution): Optional; not invoked
- Clause 17 (governing law): Swedish law
- Clause 18(b) (forum): Swedish courts (Stockholms tingsrätt)
- Annex I.A (parties): Controller = Customer (account-creation entity); Processor = RFPvault (registered in Sweden)
- Annex I.B (description of transfer): As described in sections 3, 4, 5 of this DPA
- Annex I.C (competent supervisory authority): Integritetsskyddsmyndigheten (IMY), Sweden
- Annex II (security measures): As set out in Annex 2 of this DPA
- Annex III (Sub-processors): As set out in Annex 1 of this DPA