Legal

Data Processing Addendum

Last Updated: 2026-05-16

This DPA describes how Run Wild processes Customer Personal Data on behalf of Customers using the Service, including roles, sub-processors, international transfers, and security.

At a Glance

  • Processor Role — Run Wild acts as a data processor for customer-controlled personal data, processing it only on documented instructions.
  • Sub-processors — We engage a limited set of sub-processors (e.g. Stripe, Telnyx, AWS, Sentry) and maintain an up-to-date list customers can review.
  • Security & SCCs — Industry-standard technical and organizational measures, with EU Standard Contractual Clauses for international transfers where applicable.

1. Definitions and scope

This Data Processing Addendum ("DPA") forms part of the agreement between Run Wild and the Customer, governing the processing of Personal Data by Run Wild on the Customer's behalf in connection with the Run Wild Services.

Capitalized terms not defined here have the meanings given in the GDPR, the UK GDPR, the CCPA/CPRA, and other applicable data protection laws, as relevant to the Customer's use of the Service.

2. Roles of the parties

For Customer Personal Data processed in connection with the Service, Customer is the Controller (or, where applicable, Business) and Run Wild is the Processor (or Service Provider).

Run Wild processes Customer Personal Data solely on the documented instructions of the Customer, including with regard to international transfers, except as required by applicable law.

3. Sub-processors

The Customer authorizes Run Wild to engage Sub-processors to assist in providing the Service. Run Wild maintains a current list of Sub-processors and provides reasonable prior notice of any new Sub-processor, allowing the Customer to object on reasonable grounds.

Run Wild remains responsible for the acts and omissions of its Sub-processors and ensures each Sub-processor is bound by data protection obligations no less protective than this DPA.

4. International data transfers

Where Personal Data of EEA, UK, or Swiss data subjects is transferred outside the relevant jurisdiction, the parties rely on the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) incorporated by reference into this DPA.

Run Wild applies supplementary measures (encryption in transit and at rest, access controls, transfer impact assessments) consistent with EDPB guidance.

5. Security measures

Run Wild implements and maintains appropriate technical and organizational measures, including encryption, access controls, audit logging, vulnerability management, secure software development practices, and incident response procedures.

The Customer acknowledges that the Service's security configuration described in Run Wild's public documentation is appropriate, having regard to the nature, scope, context, and purposes of processing.

6. Personal data breaches

Run Wild notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information reasonably necessary for the Customer to meet its own notification obligations under applicable law.

7. Data subject rights

Taking into account the nature of the processing, Run Wild assists the Customer by appropriate technical and organizational measures, so far as possible, in fulfilling its obligation to respond to data subject requests for access, rectification, erasure, portability, restriction, and objection.

8. Audit rights

Upon the Customer's reasonable written request, Run Wild makes available information necessary to demonstrate compliance with this DPA, including by providing copies of relevant third-party audit reports (e.g. SOC 2). On-site audits may be conducted no more than once per year and with reasonable notice, subject to Run Wild's confidentiality and security requirements.

9. Return and deletion

On termination or expiry of the Service, Run Wild deletes or returns Customer Personal Data in accordance with the Customer's instructions and applicable retention requirements, except where retention is required by law.

10. Contact

For DPA-related inquiries, contact privacy@runwild.ai. A signed DPA is available on request for customers in regulated jurisdictions.