Release Logo

Data Processing Agreement

Last updated: December 30, 2024

This Data Processing Agreement ("DPA") forms part of the Agreement between Release Technologies, Inc. ("Release," "Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") for the provision of Release's ephemeral environments platform services.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and any other applicable privacy laws.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

"Controller" means the entity that determines the purposes and means of Processing Personal Data.

"Processor" means the entity that Processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

"Data Subject" means the individual to whom Personal Data relates.

"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.

2. Scope and Nature of Processing

2.1 Scope

This DPA applies to all Processing of Personal Data by Release on behalf of Customer in connection with the provision of Release's ephemeral environments platform services.

2.2 Nature and Purpose of Processing

Release will Process Personal Data solely for the purpose of providing the Services as described in the Agreement, which includes:

  • Provisioning and managing ephemeral development environments
  • User authentication and access management
  • Service monitoring and performance optimization
  • Customer support and communication
  • Billing and account management

2.3 Categories of Data Subjects

The Personal Data Processed may relate to the following categories of Data Subjects:

  • Customer employees and contractors
  • Customer end-users
  • Other individuals whose Personal Data is included in Customer's development environments

2.4 Types of Personal Data

The types of Personal Data Processed may include:

  • Contact information (name, email address)
  • Account credentials and authentication data
  • Usage data and activity logs
  • IP addresses and device identifiers
  • Any Personal Data included by Customer in their development environments

2.5 Duration of Processing

Release will Process Personal Data for the duration of the Agreement, unless otherwise required by applicable law.

3. Processor Obligations

3.1 Processing Instructions

Release shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Immediately inform the Controller if, in Release's opinion, an instruction infringes Data Protection Laws
  • Maintain records of Processing activities as required by applicable Data Protection Laws

3.2 Confidentiality

Release shall ensure that persons authorized to Process Personal Data:

  • Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Process Personal Data only as instructed by the Controller
  • Receive appropriate training on data protection requirements

3.3 Security Measures

Release implements and maintains appropriate technical and organizational security measures, including:

Technical Measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256 encryption
  • Secure key management using AWS Key Management Service (KMS)
  • Network security controls and firewalls
  • Regular security assessments and penetration testing
  • Automated vulnerability scanning
  • Multi-factor authentication (MFA) for system access

Organizational Measures:

  • Role-based access control (RBAC)
  • Principle of least privilege enforcement
  • Background checks for employees with data access
  • Regular security awareness training
  • Documented security policies and procedures
  • Incident response procedures

Release maintains SOC 2 Type 2 certification, which validates our security controls across the Trust Service Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

3.4 Sub-processor Requirements

Release shall:

  • Not engage a Sub-processor without prior written authorization from the Controller
  • Maintain a list of approved Sub-processors at release.com/legal/subprocessors
  • Provide at least 30 days' notice before adding or replacing Sub-processors
  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable for the acts and omissions of its Sub-processors

3.5 Data Subject Rights

Release shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights to:

  • Access their Personal Data
  • Rectify inaccurate Personal Data
  • Erase Personal Data ("right to be forgotten")
  • Restrict Processing
  • Data portability
  • Object to Processing

Release shall notify the Controller promptly upon receiving any Data Subject request and shall not respond directly unless authorized by the Controller.

3.6 Assistance with Compliance

Release shall assist the Controller in ensuring compliance with obligations under Data Protection Laws, including:

  • Conducting data protection impact assessments
  • Prior consultation with supervisory authorities
  • Implementing appropriate security measures
  • Maintaining records of Processing activities

3.7 Deletion and Return of Data

Upon termination of the Agreement, Release shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used format
  • Delete all Personal Data and existing copies, unless storage is required by applicable law

Release will complete deletion within 90 days of termination, unless otherwise agreed or required by law.

3.8 Audit Rights

Release shall:

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
  • Provide the Controller with copies of relevant audit reports (such as SOC 2 reports) upon request and subject to confidentiality obligations

Audits shall be conducted with reasonable notice during normal business hours and shall not unreasonably disrupt Release's operations.

4. Controller Obligations

The Controller shall:

  • Ensure there is a lawful basis for Processing Personal Data
  • Provide documented instructions for Processing
  • Ensure compliance with Data Protection Laws applicable to the Controller
  • Notify Release of any changes to applicable Data Protection Laws that may affect Release's obligations
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to Release

5. International Data Transfers

5.1 Data Location

Release primarily processes data in the United States. Customer data may be transferred to and processed in the United States and other countries where Release or its Sub-processors operate.

5.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not deemed adequate by the relevant authorities, Release relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Any successor mechanism approved under applicable Data Protection Laws

5.3 Standard Contractual Clauses

Where applicable, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated into this DPA by reference. Customer acts as the "data exporter" and Release acts as the "data importer."

6. Personal Data Breach Notification

6.1 Notification Requirements

In the event of a Personal Data Breach, Release shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects affected
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach

6.2 Cooperation

Release shall cooperate with the Controller in investigating and mitigating the effects of any Personal Data Breach, including:

  • Assisting with notifications to supervisory authorities and Data Subjects
  • Preserving evidence related to the breach
  • Implementing measures to prevent future breaches

7. Term and Termination

7.1 Term

This DPA shall remain in effect for the duration of the Agreement between the parties.

7.2 Survival

The provisions of this DPA that by their nature should survive termination shall survive, including obligations related to data deletion, confidentiality, and liability.

8. Liability

8.1 Limitations

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

8.2 Indemnification

Each party shall indemnify the other against any costs, claims, damages, or expenses arising from any breach of this DPA by the indemnifying party.

9. General Provisions

9.1 Governing Law

This DPA shall be governed by the laws specified in the Agreement, except that the Standard Contractual Clauses shall be governed by the law of the EU Member State specified therein.

9.2 Amendments

This DPA may be amended by Release with at least 30 days' notice to reflect changes in Data Protection Laws or regulatory guidance. Continued use of the Services after such notice constitutes acceptance of the amended DPA.

9.3 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters of data protection.

9.4 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

10. Contact Information

For questions about this DPA or to exercise your rights:

Release Technologies, Inc. Email: security@release.com

This Data Processing Agreement is effective as of the date Customer accepts the Agreement or begins using the Services, whichever is earlier.