Enterprise Legal

Data Processing Addendum

Last Updated: May 23, 2026. This Data Processing Addendum ("DPA") governs the processing of customer personal data by DataFuse Inc. under international regulations.

1. Scope & Applicability

This DPA applies when and to the extent that DataFuse processes Customer Personal Data (as defined below) that is subject to Data Protection Laws (including GDPR, UK GDPR, and CCPA) in the course of providing our services to the Customer under the main Terms of Service.

This DPA is incorporated into the main Terms of Service and forms a legally binding covenant between the Customer and DataFuse Inc.

2. Legal Definitions

In this DPA, the following terms have the meanings set out below:

  • "Customer Personal Data": Any personal data provided by Customer or Customer's end-users that is processed by DataFuse to perform its gateway integration routing.
  • "Data Protection Laws": All applicable international privacy regulations including the EU General Data Protection Regulation (2016/679) ("GDPR"), California Consumer Privacy Act ("CCPA"), and related laws.
  • "Subprocessor": Any third-party data processor engaged by DataFuse to assist in executing the SaaS features.

3. Roles of the Parties

The parties agree that for all processing of Customer Personal Data:

  • Customer is the Data Controller: Customer retains ownership and decides the purposes, API endpoints, integration channels, and configurations for data processing.
  • DataFuse is the Data Processor: DataFuse processes Customer Personal Data strictly under written instructions from the Customer, including configurations parsed via our YAML studio tools.

4. Processor Obligations

DataFuse covenants that it will:

  • Instruction Bound: Process Customer Personal Data solely to deliver the compiled integrations under Customer configurations.
  • Confidentiality: Ensure all employees, contractors, and engineers engaged in handling Customer data are bound by strict corporate confidentiality agreements.
  • Data Subject Rights Assistance: Provide Dashboard tools or direct API support to assist the Customer in addressing GDPR deletion or export requests.
  • Security Incident Response: Notify Customer within forty-eight (48) hours of establishing a verified security breach impacting Customer Personal Data.

5. Subprocessors Vetting & Changes

Customer grants DataFuse general authorization to engage subprocessors to provide infrastructure, databases, payment portals, and analytical monitors. Our active subprocessors list is located on our Trust Center Page.

Notification of Changes: We will provide written notification to Customer (via console alerts or email) at least thirty (30) days prior to adding or replacing any subprocessor. Customer may object to the new subprocessor in writing within ten (10) days of receipt on reasonable security grounds.

6. Technical and Organizational Security Measures (TOMs)

DataFuse maintains state-of-the-art technical and organizational measures to prevent unauthorized data loss, scanning, or credential compromise:

  • Cryptographically Decoupled Proxies: By architecture, customer data and credentials do not linger in production gateway memory and are automatically stripped from return streams.
  • Multi-Region HSM Vaults: Secure hardware-isolated credentials storage with automatic key-rotation cycles.
  • Least Privilege IAM: Infrastructure operators have zero persistent access to the production key-management vaults.
  • Daily Backups: Database instances are backed up daily with AES-256 backup file encryption.

7. International Transfers & SCCs

Our main data centers are situated within the United States. To the extent that Customer Personal Data originates from the European Economic Area (EEA), the United Kingdom, or Switzerland and is transferred to DataFuse in the US:

The parties agree to execute and comply with the European Commission Standard Contractual Clauses (SCCs) (Controller-to-Processor module), which are incorporated by reference herein.

For queries regarding the DPA, custom SCC signatures, or enterprise audits, please contact our legal team at: