Effective date: Feb 10, 2026 · Version: 1.0
This Data Processing Agreement (“DPA”) explains how Rakenne processes personal data on behalf of customers who use the Rakenne platform at rakenne.app (the “Service”). It supplements and is incorporated into the Terms of Usage or another written or electronic agreement between you and Rakenne (the “Principal Agreement”).
Where this DPA and the Principal Agreement conflict on the subject matter of data processing, this DPA controls. By continuing to use the Service after the effective date above, you agree to this DPA. If you need a signed copy, contact privacy@rakenne.app.
1. Roles, Legal Basis, and Overview
1.1 Who does what
- You act as a “controller” of personal data under the GDPR and other applicable data protection laws.
- Rakenne acts as a “processor” when it handles personal data on your behalf while operating the Service.
You determine what data is uploaded, how long it is kept, which workspaces you create, and who has access on your side. We operate the infrastructure and process personal data only to deliver and protect the Service, in line with your documented instructions.
1.2 What this DPA covers
This DPA applies whenever:
- You use the Service to store or handle personal data; and
- The GDPR or similar data protection laws treat Rakenne as your processor.
It describes:
- What types of personal data we process and for which high‑level purposes
- The security measures and safeguards we apply
- How we work with subprocessors and handle international data transfers
- How we help you meet your own obligations as controller
1.3 High‑level description of processing
Rakenne is an AI‑assisted environment for building and running document workflows. In that context, we:
- Host tenants, projects, and workspaces
- Store and process documents, workflows, and chat interactions
- Run AI inference with selected third‑party model providers
- Maintain logs and operational data to secure and improve the Service
We do not use the personal data we process on your behalf to train general‑purpose AI models, and we do not sell or rent that data.
2. Types of Data and Processing Operations
2.1 Categories of personal data
Depending on your configuration and usage, we may process:
- User and account data – names, email addresses, login identifiers, role and workspace membership
- Content data – documents, workflows, comments, prompts, and conversation transcripts you or your users create or upload
- Usage and technical data – activity logs, timestamps, feature usage metrics, IP addresses, browser information, and device identifiers that may qualify as personal data
- Billing data – limited billing details handled mainly by our payment provider (Stripe), such as payment identifiers and subscription details
- Potentially sensitive data – information that could fall into special categories under Article 9 GDPR or other sensitive data, where you choose to include it (see section 5.2)
You decide what information is entered into the Service and are responsible for ensuring that doing so is lawful.
2.2 Nature and purpose of processing
We perform a range of operations on personal data on your behalf, including:
- Storage, retrieval, and organization of content and account data
- Transmission of data between the Service and your users’ devices
- AI‑based analysis and generation (inference only) using third‑party model providers configured by us or by you (Bring Your Own Key)
- Logging, monitoring, and troubleshooting to keep the Service reliable and secure
- Backups and data recovery, subject to the retention limits described in this DPA and in our Privacy Policy
We carry out these operations exclusively:
- To provide, support, secure, and maintain the Service
- To comply with our own legal obligations
3. Instructions, Confidentiality, and Security
3.1 Your instructions
We process personal data strictly in line with:
- This DPA and the Principal Agreement
- Your configuration and use of the Service (e.g. tenants, workspaces, roles, model settings, retention options)
- Your written requests provided through documented support channels
If we reasonably believe that an instruction conflicts with applicable data protection law, we will let you know and may pause the relevant processing until we receive clarified instructions or are permitted to proceed.
3.2 Confidentiality
Only personnel who need access to fulfil their duties may handle personal data. Those individuals:
- Are bound by confidentiality obligations (by contract or law)
- Receive training appropriate to their roles
- Access data only via authenticated, logged channels
3.3 Security measures
We maintain technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures evolve over time but include, at a minimum:
Access and segmentation
- Authentication for user and admin access
- Tenant and workspace isolation to avoid cross‑tenant data leakage
- Role‑based access controls for staff with the principle of least privilege
Encryption
- Encryption in transit using modern TLS
- Encryption at rest within our storage and database systems
- Proper key management and secret storage
Resilience and continuity
- Use of reputable cloud infrastructure (currently Google Cloud in US regions)
- Scheduled and tested backups
- Monitoring, alerting, and incident response procedures
Governance and testing
- Regular review of security posture
- Logging and monitoring of important security events
- Remediation of identified vulnerabilities on a prioritized basis
Further details can be provided on request, subject to reasonable confidentiality commitments.
4. Subprocessors and Third‑Party Services
4.1 Use of subprocessors
We rely on carefully selected third parties (“subprocessors”) to perform certain processing activities that are necessary to deliver the Service. You authorize us to engage these subprocessors, provided that:
- Each subprocessor is bound by data protection terms that are no less protective than this DPA; and
- We remain responsible for the performance of our subprocessors’ obligations towards you.
4.2 Typical subprocessors
Our core subprocessors generally include:
- Google Cloud – hosting, databases, and storage
- Stripe – subscription billing and payment processing
- LLM providers – Anthropic, OpenAI, or Google when we supply the API key and you do not use Bring Your Own Key
Additional subprocessors may be used for logging, monitoring, support operations, or other ancillary functions. A detailed, regularly updated register of our vendors, their roles, locations, and data categories is available on our Subprocessors & Data Processing Overview page, which should be read together with this DPA.
4.3 Changes and objections
If we intend to add or replace a subprocessor that will process personal data on your behalf, we will provide advance notice (for example via email, in‑app notifications, or an updated public listing) at least 30 days before the change takes effect, unless operational urgency requires a shorter period that does not materially reduce the level of protection.
If you have a reasonable objection based on data protection concerns, notify us during that period. We will work with you in good faith to address your concerns, which may include adjusting the configuration for your account. If no acceptable solution is available, your exclusive remedy is to terminate the affected part of the Service in accordance with the Principal Agreement.
5. Your Responsibilities as Controller
5.1 Legal basis and transparency
You are responsible for:
- Identifying and documenting a valid legal basis for each processing activity you carry out using the Service
- Informing data subjects about how you use the Service and how Rakenne acts as your processor
- Ensuring that your own policies, notices, and practices are consistent with this DPA and applicable law
5.2 Special categories and sensitive data
The Service is designed for professional document workflows, not for large‑scale handling of highly sensitive personal data. If you choose to upload special categories of data under Article 9 GDPR (e.g. data about health, ethnicity, or beliefs) or other sensitive data:
- You must ensure that the specific conditions for processing such data under applicable law are met (for example, explicit consent or legal claims)
- You should configure access and retention in a way that reflects the heightened risk profile
As a general rule, we recommend avoiding unnecessary inclusion of special‑category or highly sensitive data in the Service.
5.3 Configuration, retention, and housekeeping
You control how long most categories of personal data remain in the Service. In particular, you should:
- Configure workspaces, permissions, and retention settings to align with your own policies
- Regularly review and remove data that is no longer needed
- Use the export and deletion mechanisms we provide as part of your data lifecycle management
5.4 Data subject requests and regulatory communication
You are the primary contact for data subjects and regulators. You are responsible for:
- Receiving and responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection)
- Determining whether and how to notify supervisory authorities or affected individuals about incidents
We will assist you as described in section 6 below.
6. Assistance, Breach Handling, and DPIAs
6.1 Support with data subject rights
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance, through tools or support, to help you:
- Locate, export, correct, or delete personal data held in the Service, where technically feasible
- Respond to data subject requests that relate to processing performed by us as your processor
If we receive a request directly from a data subject that clearly concerns personal data we process on your behalf, we will, where legally permitted, forward it to you rather than responding independently.
6.2 Personal data breaches
If we become aware of a personal data breach affecting personal data processed on your behalf, we will:
- Notify you without undue delay after confirming the breach; and
- Share information we can reasonably provide at that stage, including:
  - A description of the nature of the breach (where known)
  - Categories and approximate numbers of affected data subjects and records (if determinable)
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
We will cooperate with you to support your assessment and any notifications you decide to make to supervisory authorities or affected individuals. You remain responsible for complying with statutory breach notification duties.
6.3 DPIAs and prior consultations
Where you are required to carry out a Data Protection Impact Assessment (DPIA) or consult with a supervisory authority in relation to your use of the Service, we will provide reasonable assistance by:
- Supplying information about our processing activities, security controls, and subprocessors; and
- Answering reasonable written questionnaires related to the Service.
7. Data Location and International Transfers
7.1 Where data is processed
The Service is currently hosted on Google Cloud in the United States. As a result, personal data may be stored or processed in the US and other jurisdictions where our subprocessors operate.
7.2 Transfer safeguards
When the GDPR or similar laws treat a transfer as “international” (for example, from the EEA, UK, or Switzerland to a country without an adequacy decision), we will ensure that appropriate safeguards are in place, such as:
- Standard Contractual Clauses adopted by the European Commission; and/or
- Other legally recognized transfer tools and supplementary technical and organizational measures.
Information on the safeguards used by key subprocessors (Google Cloud, Stripe, and LLM providers) is available in their public documentation and, where appropriate, via our privacy materials or on request.
8. Data Retention, Deletion, and Audit Rights
8.1 Retention and deletion at the end of the relationship
When the Principal Agreement ends or when you instruct us in writing, we will, subject to any legal retention duties:
- Delete personal data processed on your behalf from active systems within a commercially reasonable period (typically within 30 days); or
- Return personal data to you in a commonly used, machine‑readable format if requested before deletion; and
- Remove personal data from backups through our standard backup rotation (normally within 90 days).
We may retain data that has been irreversibly anonymized or aggregated such that it is no longer personal data.
8.2 Audit and verification
To allow you to verify compliance with this DPA, we will:
- Maintain documentation describing our relevant technical and organizational measures; and
- Respond to reasonable security and privacy questionnaires.
If this is not sufficient, you (or an independent auditor you appoint and we approve, such approval not to be unreasonably withheld) may, no more than once every 12 months unless otherwise required by law or justified by a confirmed breach, conduct an audit that is:
- Limited in scope to our processing of your personal data under this DPA
- Conducted during normal business hours with reasonable advance notice
- Designed to avoid undue disruption to our operations
You are responsible for your own costs and our reasonable, documented costs in supporting such an audit, unless the audit reveals a material breach of this DPA attributable to us.
9. Liability, Term, and Changes
9.1 Liability framework
The allocation and limitation of liability between you and Rakenne for matters arising from or in connection with this DPA follow the rules set out in the Principal Agreement, together with Article 82 GDPR where applicable. In particular, we are liable only for the part of the damage caused by processing where we:
- Have failed to comply with obligations specifically directed at processors under data protection law; or
- Have acted outside or contrary to your lawful instructions.
9.2 Indemnity
You agree to indemnify and hold Rakenne harmless from claims, fines, or losses arising from:
- Your breach of applicable data protection laws in relation to personal data processed through the Service; or
- Your instructions that are unlawful or inconsistent with those laws; or
- Your failure to provide required notices or obtain necessary consents from data subjects.
9.3 Duration of this DPA
This DPA takes effect on the date shown at the top and stays in force for as long as we process personal data on your behalf under the Principal Agreement, including any post‑termination processing for deletion or return as described above.
9.4 Updates to the DPA
We may revise this DPA from time to time, for example to reflect:
- Changes in applicable data protection laws or regulatory guidance
- Adjustments in how the Service operates or which subprocessors we use
- Clarifications or improvements in how we describe our commitments
If we make material changes, we will notify you in advance (for example, at least 30 days before the change takes effect). If you object in writing and we cannot reasonably accommodate your concerns, your exclusive remedy is to stop using the affected Service and, where applicable, terminate it under the Principal Agreement.
10. Governing Law and Contact Details
10.1 Governing law and venue
This DPA is governed by the same law that governs the Principal Agreement, and disputes arising from it are handled in the same courts or arbitration forum, without limiting the rights of data subjects or supervisory authorities under applicable law.
10.2 How to reach us
If you have questions about this DPA or need to exercise rights or instructions that relate to our role as processor, contact:
- Email: privacy@rakenne.app
Please include “DPA” in the subject line and provide enough information for us to identify your account and respond efficiently.