Data Processing Agreement

Last Updated: May 13, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between RightNow AI, Inc. (“RunInfra,” “we,” “us”) and the customer (“Customer,” “you”) whenever the Service processes personal data on the Customer's behalf. It implements the GDPR Article 28 processor obligations and the equivalent obligations under the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other applicable data protection law.

This DPA is offered as a standing agreement. By signing up for a paid plan, accepting an enterprise order form, or otherwise using the Service to process personal data belonging to data subjects, the Customer accepts this DPA in full. Enterprise customers requiring a signed counter-party copy can request one at legal@runinfra.ai.

Defined terms not specified in this DPA take the meaning given in the Terms of Service and the Privacy Policy.

I. SCOPE AND APPLICATION

This DPA applies whenever RunInfra processes personal data on the Customer's behalf in connection with the Service. RunInfra acts as a processor; the Customer acts as the controller and determines the purpose and means of the processing.

Where the Customer is itself a processor acting on behalf of a third-party controller, RunInfra acts as a sub-processor and the Customer represents that it has obtained the controller's prior authorization for RunInfra's engagement.

RunInfra processes personal data for its own purposes (account administration, billing, security, product improvement on aggregated and anonymized data) as a controller. Those activities are governed by the Privacy Policy and not by this DPA.

II. DEFINITIONS

  • Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach, Supervisory Authority have the meanings given in the GDPR.
  • Customer Personal Data means personal data the Customer submits to or generates through the Service.
  • Sub-processor means any third party engaged by RunInfra to process Customer Personal Data, as listed in the Privacy Policy sub-processors table.
  • Standard Contractual Clauses (“SCCs”) means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Module Two, Controller-to-Processor, 2021/914).
  • UK IDTA means the UK Information Commissioner's International Data Transfer Addendum, version B.1.0.

III. SUBJECT MATTER AND DURATION

Subject matter. RunInfra processes Customer Personal Data to provide the Service: profiling models, optimizing inference pipelines, deploying managed endpoints, routing inference traffic, and the supporting operations described in the documentation.

Duration. Processing lasts for the term of the underlying agreement and any period thereafter required to return or delete Customer Personal Data per Section XII.

Nature and purpose. Storing, hosting, transmitting, transforming, and benchmarking Customer Personal Data only to the extent necessary to deliver the Service the Customer has configured.

IV. CATEGORIES OF DATA AND DATA SUBJECTS

Categories of personal data typically processed:

  • Identification and contact data of the Customer's users (name, work email, IP address, user agent).
  • Authentication data (hashed passwords are never processed; OAuth tokens for the providers the Customer connects).
  • Inference inputs and outputs the Customer submits via the API or through deployed pipelines, which may contain personal data depending on what the Customer chooses to send.
  • Usage data and telemetry generated by the Service (request counts, latency, error rates).

Categories of data subjects may include:

  • The Customer's employees, contractors, and authorized users.
  • End users of the Customer's products that route through inference pipelines built on the Service.
  • Any data subject whose personal data is contained in the inputs the Customer sends to the Service.

Special categories. The Customer is responsible for not submitting special categories of personal data (GDPR Article 9) through the Service unless the Customer has a lawful basis under Article 9 and has notified RunInfra in advance so we can confirm the Service's suitability.

V. PROCESSOR OBLIGATIONS

RunInfra shall:

  • Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers outside the EU or the UK, unless required to do otherwise by EU or Member State law to which RunInfra is subject. In that case, RunInfra will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • Ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Take all measures required pursuant to Article 32 GDPR (security of processing) as described in Section VII.
  • Respect the conditions for engaging sub-processors set out in Section VI.
  • Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising data subject rights.
  • Assist the Customer in ensuring compliance with Articles 32 to 36 GDPR taking into account the nature of processing and the information available to RunInfra.
  • At the choice of the Customer, delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires retention.
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits as set out in Section XI.

RunInfra will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA.

VI. SUB-PROCESSORS

The Customer authorizes RunInfra to engage the sub-processors listed in the Privacy Policy sub-processors table to provide the Service. RunInfra will:

  • Impose contractual obligations on each sub-processor that are no less protective than the obligations in this DPA, including the GDPR Article 28(3) terms.
  • Remain fully liable to the Customer for each sub-processor's performance.
  • Give the Customer at least 30 days' advance notice (via the platform or by email) of any new sub-processor that will process Customer Personal Data.
  • If the Customer reasonably objects to a new sub-processor on data-protection grounds, the Customer may, as its sole remedy, terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid fees.

VII. SECURITY MEASURES

RunInfra implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 GDPR. A description of those measures is published on the Security page and includes encryption in transit and at rest, role-based access control, audit logging, vulnerability management, and the SOC 2 Type II controls covered by our most recent attestation.

The measures may be updated from time to time to reflect improvements; updates will not materially reduce the overall protection of Customer Personal Data.

VIII. DATA SUBJECT RIGHTS

Where a data subject submits a request directly to RunInfra concerning Customer Personal Data, RunInfra will promptly forward the request to the Customer and will not respond to the data subject directly except to acknowledge receipt and redirect the request, unless legally compelled to act.

RunInfra will, on the Customer's written request and at the Customer's expense, provide reasonable assistance to enable the Customer to respond to requests to exercise data subject rights, taking into account the nature of the processing.

IX. PERSONAL DATA BREACH NOTIFICATION

RunInfra will notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time:

  • The nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects.
  • The point of contact for further information.

Where the information cannot be provided at the same time, it may be provided in phases without further undue delay. RunInfra will document every Personal Data Breach and make the documentation available to the Customer and supervisory authorities on reasonable request.

X. INTERNATIONAL DATA TRANSFERS

Customer Personal Data is processed primarily in the United States. Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to or accessed from a country that has not received an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two, controller-to-processor) and, for transfers from the United Kingdom, the UK IDTA. The SCCs are incorporated into this DPA by reference, with the following selections:

  • Clause 7 (Docking Clause): applies.
  • Clause 9 (Sub-processors): Option 2 (general written authorization) with 30 days' notice as set out in Section VI.
  • Clause 11 (Independent dispute resolution): the optional language is not selected.
  • Clause 17 (Governing law): Ireland.
  • Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
  • Annex I (Parties, processing, competent supervisory authority): as described in this DPA. The competent supervisory authority is the Data Protection Commission of Ireland.
  • Annex II (Security measures): as described on the Security page.
  • Annex III (Sub-processors): as listed in the sub-processors table.

RunInfra has performed and maintains transfer impact assessments for the destination countries and the supplementary measures required to protect Customer Personal Data. Copies are available to enterprise customers on request to privacy@runinfra.ai.

XI. AUDIT RIGHTS

RunInfra will make available to the Customer, on reasonable request and no more than once per year except where required by a supervisory authority or following a Personal Data Breach, the most recent independent third-party audit reports relevant to the Service (currently a SOC 2 Type II report). The Customer agrees to treat the audit reports as confidential information.

Where the audit reports do not provide sufficient information for the Customer to demonstrate compliance, the Customer may request an on-site audit. The on-site audit will be conducted during normal business hours, with reasonable prior notice (at least 30 days unless a supervisory authority requires sooner), and subject to a mutually agreed scope and confidentiality terms. Customer bears its own audit costs.

XII. TERM AND RETURN OR DELETION

This DPA remains in effect for as long as RunInfra processes Customer Personal Data. On termination or expiry of the underlying agreement, RunInfra will, at the Customer's choice and within 30 days, return all Customer Personal Data in a commonly used format or delete it. Backups containing Customer Personal Data are purged on the standard rolling schedule (no later than 90 days from termination).

Where RunInfra is required by EU or Member State law to retain certain Customer Personal Data beyond termination, RunInfra will continue to protect that data in accordance with this DPA until deletion is lawful.

XIII. CONTACT US

All notices to RunInfra under this DPA, including questions about scope, requests for signed enterprise copies, sub-processor objections, and audit requests, can be sent to privacy@runinfra.ai with a copy to legal@runinfra.ai.

RightNow AI, Inc.
131 Continental Dr
Newark, DE 19713
United States

© 2026 RunInfra. All rights reserved.