RUDDERSTACK DATA PROCESSING ADDENDUM (LAST UPDATED FEBRUARY 2026)
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“Agreement”) between RudderStack, Inc. (“Processor”) and the entity identified as Customer in the Agreement (“Customer”).
This DPA applies where Processor processes Personal Data on behalf of Customer (including authorized affiliates of Customer) in connection with the Services.
1. DEFINITIONS
Capitalized terms not defined here have the meaning given in the Agreement.
1.1 “Applicable Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including:
- Regulation (EU) 2016/679 (“GDPR”)
- UK GDPR and Data Protection Act 2018
- Swiss Federal Act on Data Protection (revFADP)
- U.S. state privacy laws (including CCPA/CPRA)
- Any successor or replacement legislation
1.2 “Controller”, “Processor”, “Subprocessor”, “Personal Data”, “Data Subject” and “Processing” each have the meanings given in Applicable Data Protection Laws.
1.3 “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Processor. The definition specifically excludes unsuccessful attempts that do not compromise Personal Data.
2. ROLE OF THE PARTIES
2.1 Controller–Processor Relationship
With respect to Customer Personal Data:
- Customer acts as Controller or Processor.
- Processor acts solely as Processor (or Subprocessor, where Customer is a Processor and has documented authority from a Controller).
Processor shall process Personal Data:
- Only on documented instructions from Customer;
- For the purpose of providing the Services;
- In compliance with Article 28(3) GDPR and equivalent UK and Swiss requirements.
2.2 Processor Restrictions
Processor shall not sell Personal Data, process Personal Data for its own marketing or analytics purposes, or determine independent purposes of processing.
2.3 CCPA and CPRA Compliance
For the purposes of the CCPA and CPRA, Processor acts as a “Service Provider” and shall not: (i) “sell” or “share” Personal Data (as those terms are defined by the CCPA); (ii) retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Services; or (iii) combine Personal Data received from Customer with Personal Data received from other sources, except as expressly permitted by the CCPA.
3. SUBJECT MATTER AND DETAILS OF PROCESSING
Details of processing are described in Annex I (incorporated below), including:
- Nature and purpose
- Categories of Data Subjects
- Categories of Personal Data
- Duration
- Sensitive data (if any)
4. PROCESSOR OBLIGATIONS
Processor shall:
- Process Personal Data only on documented instructions.
- Ensure personnel are bound by appropriate confidentiality provisions.
- Implement appropriate technical and organizational measures (as set forth in Annex II).
- Provide reasonable assistance to Customer in responding to Data Subject requests.
- Provide reasonable assistance to Customer with DPIAs and regulator consultations.
- Notify Customer without undue delay after becoming aware of a Security Incident.
- Delete or return Personal Data upon termination (Section 10).
- Maintain records of processing as required by law.
5. SUBPROCESSORS
5.1 General Authorization
Customer provides general authorization for Processor to engage Subprocessors.
5.2 Subprocessor Safeguards
Processor shall:
- Enter into written agreements with Subprocessors imposing data protection obligations equivalent to those in this DPA as required under Article 28(4) GDPR.
- Remain fully liable for Subprocessor performance, subject to any limitations set forth in the Agreement.
5.3 Subprocessor List
- Amazon Web Services (“AWS”) EU - Cloud Service Provider
- Amazon Web Services (“AWS”) USA - Cloud Service Provider
Customer may choose which AWS entity (EU or USA) shall serve as RudderStack’s Subprocessor under any Agreement by noting it on an Order Form. AWS USA is the default Cloud Service Provider under any Agreement absent such language in the Order Form.
5.4 Notification of Changes
Processor shall:
- Provide at least 30 days’ prior notice of new Subprocessors.
- Deliver such notice by email to Customer’s signatory, or via Processor’s website if no such signatory exists.
Customer may object within 20 days of such notice on reasonable data protection grounds.
If Customer objection cannot be resolved:
- Parties will work in good faith to implement alternative safeguards.
- If no resolution is possible, Customer may suspend the affected Services.
- Termination applies only if no reasonable alternative exists.
6. INTERNATIONAL DATA TRANSFERS
6.1 Data Privacy Framework (DPF)
Processor maintains certification under the EU-U.S. Data Privacy Framework; such certification serves as a valid transfer mechanism for transfers from the EEA and the UK (as applicable). SCCs apply in addition to the DPF where required by law.
6.2 EU Transfers
Where required, the 2021 EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated as follows:
- Module Two (Controller to Processor)
- Module Three (Processor to Processor)
- Docking clause enabled
- Governing law: Ireland (unless otherwise agreed)
- Annex I = Annex I of this DPA
- Annex II = Annex II of this DPA
6.3 UK Transfers
The UK International Data Transfer Addendum to the EU SCCs is incorporated and deemed executed.
6.4 Switzerland
EU SCCs apply with modifications required under Swiss law.
7. SECURITY MEASURES
Processor shall implement technical and organizational measures appropriate to the risk assumed by Processor as further set forth in Annex II, including:
- Encryption (TLS 1.2+ in transit; AES-256 at rest)
- Role-based access control
- Multi-tenant logical separation
- Logging and monitoring
- Regular vulnerability testing
- Incident response procedures
- Secure backup and disaster recovery
- Personnel screening and training
- Other details as set forth in Annex II.
Security measures will not materially decrease during the term.
8. SECURITY INCIDENTS
Where Customer is impacted by a Security Incident, Processor shall notify Customer without undue delay and, where feasible, within 72 hours of confirming the Security Incident, and shall provide the following details:
- Nature of the incident
- Categories and approximate number of Data Subjects and Personal Data records concerned
- Likely consequences
- Remediation measures
Processor shall reasonably cooperate with Customer in fulfilling regulatory notification obligations, although notification does not constitute admission of liability by Processor.
9. AUDITS
9.1 Audit Reports
Subject to reasonable confidentiality provisions, Processor shall make available:
- SOC 2 Type II (or equivalent)
- Summary security and privacy documentation
9.2 Audit Rights
If required under Article 28 GDPR:
- Customer may conduct an audit once per year.
- Audits are conducted remotely, as RudderStack has no physical location; remote audits shall nonetheless include access to relevant personnel and system logs necessary to demonstrate compliance with GDPR Article 28.
- Audit must not compromise other customers’ data.
- Costs borne by Customer unless material non-compliance found.
10. DATA RETENTION AND DELETION
Upon termination, Customer may export Personal Data, if applicable.
Upon Customer request, Processor shall delete or return Personal Data within 30 days of such request, except that Personal Data held in backup systems shall be deleted within the standard backup cycle, not exceeding 90 days. Where Customer requests deletion, Processor shall certify deletion upon request.
11. DATA SUBJECT REQUESTS
Processor shall:
- Notify Customer of requests received in a timely manner.
- Provide reasonable assistance to Customer in responding to such requests.
12. LIABILITY
Liability under this DPA shall be subject to the liability limitations in the Agreement. Nothing in this DPA limits liability where such limitation is prohibited by Applicable Data Protection Laws. Each party remains responsible for administrative fines imposed due to its own violations.
13. CONFIDENTIALITY
All information exchanged under this DPA is confidential under the Agreement.
14. TERM
This DPA remains in effect for the duration of the Agreement and for as long as Processor processes Personal Data.