Data Processing Agreement (DPA)

1. Definitions

Terms defined in the GDPR have the same meaning in this DPA. In addition:

• Customer Personal Data: Any personal data processed on your behalf through the Service, including files you upload or sync from third-party sources.
• Service: The renamed.to application, APIs, background workers, and related support.
• Subprocessor: A third party engaged by the Processor to process Customer Personal Data on your behalf.
• Microsoft OneDrive Integration: The optional feature that uses Microsoft Graph webhooks and APIs to process your files stored in Microsoft OneDrive.

2. Subject matter, duration, nature, and purpose

• Subject matter: Processing Customer Personal Data to deliver file renaming, organization, and related automation features.
• Duration: For the term of your use of the Service until deletion or return of Customer Personal Data in accordance with Section 11.
• Nature and purpose: Hosting, analyzing, transforming, renaming, moving, and auditing files and metadata as directed by you, including actions triggered by optional Dropbox and Microsoft OneDrive integrations.

3. Categories of data subjects and personal data

The categories depend on how you use the Service and may include:

• Data subjects: Your employees, contractors, clients, counterparties, and other individuals whose personal data is contained in the files you process.
• Personal data categories: File content (e.g., PDF documents), file names, metadata, email addresses, identifiers from connected services (Dropbox or Microsoft account IDs), audit logs, and usage telemetry.
• Special categories: You are responsible for assessing whether special category data is uploaded. The Service is not intended for processing categories requiring heightened protection (e.g., health, biometric, or criminal data). If you choose to process such data, you confirm you have a lawful basis and appropriate safeguards in place.

4. Controller responsibilities

• Ensure you have a valid legal basis for all Customer Personal Data processed.
• Configure integrations (Dropbox or Microsoft OneDrive) and watched folders in accordance with your internal policies and data minimisation principles.
• Provide timely instructions for deletion, export, or return of Customer Personal Data.
• Inform data subjects about the processing activities described in this DPA and our Privacy Policy.

5. Processor obligations

• Process Customer Personal Data only on your documented instructions.
• Ensure personnel with access to Customer Personal Data are bound by confidentiality.
• Implement the technical and organisational measures in Section 6 and maintain evidence of their effectiveness.
• Assist you with data subject requests, DPIAs, and consultations with authorities.
• Notify you without undue delay of any personal data breach as described in Section 9.
• CCPA/CPRA compliance: Refrain from selling or sharing Customer Personal Data as defined by the California Consumer Privacy Act and California Privacy Rights Act. We certify that we process Customer Personal Data solely for the business purpose specified in this DPA and the Terms of Service. We will notify you promptly if we determine we can no longer meet our CCPA/CPRA obligations.

6. Technical and organisational measures

We maintain appropriate safeguards tailored to the Service, including the OneDrive integration:

• Encryption: Access and refresh tokens for Dropbox and OneDrive are encrypted at rest using server-side encryption keys. Data in transit uses TLS 1.2 or higher.
• Least privilege access: Microsoft Graph subscriptions are scoped to the folder IDs you select. Webhook notifications are verified with clientState values before processing.
• Transient processing: Files downloaded from OneDrive are temporarily stored in secure, region-appropriate cloud storage during processing, then automatically deleted. Rate limiting and caching mechanisms expire according to configured retention policies.
• Auditability: We log processing events, including original and suggested filenames, timestamps, job identifiers, and folder references. Logs exclude file contents and support forensic analysis and user-facing audit trails.
• Rate limiting and resilience: Queue management enforces per-user throttles, exponential backoff, and Retry-After handling to prevent overuse of Microsoft Graph and to isolate faults.
• Secure development: Changes to the OneDrive integration undergo code review, automated testing, and logging to ensure continued compliance with this DPA.

7. Subprocessors

We rely on the following subprocessors to deliver the Service. We remain responsible for their performance and will notify you of any material changes:

Controller and processor roles: Polar acts as an independent controller (Merchant of Record) for payment processing and is listed above for transparency. Microsoft acts as an independent controller for your OneDrive storage and authentication under your Microsoft 365 agreement. However, when we access OneDrive via Microsoft Graph API subscriptions you authorize to execute rename jobs, Microsoft processes file operations on our documented instruction and functions as a subprocessor for that limited purpose. The same applies to Dropbox for its integration. The subprocessor arrangements are governed by Microsoft's and Dropbox's respective data processing terms, which incorporate EU Standard Contractual Clauses.

8. International data transfers

Where Customer Personal Data is transferred outside the EEA, Switzerland, or the UK, we rely on EU Standard Contractual Clauses (SCCs), the UK Addendum, or other approved safeguards. Supplementary measures include encryption in transit and at rest, access controls, contractual audit rights, and Transfer Impact Assessments (TIAs) for US-based providers such as Microsoft Graph and OpenAI. We have conducted TIAs to assess surveillance risks under US law (including FISA 702) and have implemented additional safeguards including: (a) ephemeral processing where file contents are not retained, (b) encryption of data at rest and in transit, (c) contractual commitments from subprocessors not to use data for training or secondary purposes, and (d) regular reviews of subprocessor security practices. TIA summaries are available upon request to enterprise customers.

9. Personal data breach

We will notify you without undue delay, and no later than 72 hours after discovery where feasible, after becoming aware of a personal data breach involving Customer Personal Data. Our notification will describe the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed to mitigate adverse effects. We will provide the name and contact details of our data protection contact and will cooperate with you to fulfill your own notification obligations under GDPR Art. 33 and Art. 34 or applicable US state breach notification laws.

10. Assistance with data subject rights and DPIAs

Taking into account the nature of processing, we will assist you with responding to data subject requests, cooperating with supervisory authorities, and performing data protection impact assessments or prior consultations as required.

11. Return or deletion

Upon termination of the Service, you may export your data or request deletion. We will delete Customer Personal Data (including OneDrive sync records, Redis keys, and job queues) within 30 days, unless EU or member state law requires storage. Audit logs may be retained for up to 24 months for security and billing reconciliation, after which they are anonymised or deleted.

12. Audit rights

We make available documentation demonstrating compliance with this DPA, including security policies, penetration test summaries, data flow diagrams for the OneDrive webhook pipeline, and evidence of subprocessor due diligence.

• Standard customers: Upon reasonable written request, we will provide a SOC 2 Type II report, ISO 27001 certificate (if available), or similar third-party attestation. We may provide such reports under our standard confidentiality terms.
• Enterprise customers: By separate written agreement and with at least 30 days' advance notice, you may perform (or appoint an independent auditor to perform) an on-site or remote audit, no more than once per year unless required by a supervisory authority or in response to a breach. The audit must be conducted during business hours, must not unreasonably disrupt operations, and is subject to a confidentiality agreement. You are responsible for audit costs unless the audit reveals a material breach of this DPA.

13. OneDrive-specific controls

• Webhooks: We validate Microsoft Graph webhooks using the clientState value and ignore events that fail validation or reference unknown subscriptions. Validation tokens are echoed without persisting request bodies.
• Scoped processing: The worker processes only PDF files within watched folders. Non-PDF items are skipped automatically, reducing exposure of unrelated data.
• Token lifecycle: Refresh tokens are rotated when Microsoft issues new credentials and are marked inactive when refresh attempts fail, preventing further access.
• Pause and disconnect: You can pause webhook processing globally or disconnect a specific OneDrive account. Disconnecting deletes stored tokens, delta checkpoints, and queued jobs.
• Error handling: Rate limiting and retry logic respect Microsoft's Retry-After headers. Failed jobs are retried up to five times and then quarantined for manual review.
• Logging: Audit logs capture original and suggested filenames, folder IDs, and job identifiers, but never the file content. Logs help demonstrate accountability under Art. 30 and Art. 32 GDPR.

14. Miscellaneous

• In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection obligations.
• German law governs this DPA. Exclusive venue is Berlin, Germany, unless mandatory law designates another forum for consumers.
• Updates will be communicated via email or in-app notice. Continued use of the Service after an update constitutes acceptance.