Data Processing Agreement
Last updated: April 2026 | Effective upon execution
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ScaleRight Ltd ("Processor", "we") and the Customer ("Controller", "you") for the Fencepost managed hosting service.
1. Scope
This DPA applies where we process personal data on your behalf in connection with the Fencepost service. It does not apply to the Lifetime Deal (self-hosted) product, where you are both Controller and Processor.
2. Definitions
Terms used in this DPA have the meanings given in the UK GDPR and the Data Protection Act 2018. "Personal data", "processing", "controller", "processor", and "data subject" have the meanings set out in Article 4 of the UK GDPR.
3. Data Processing Details
| | |
|---|---|
| Subject matter | AI cost control, usage tracking, budget enforcement |
| Duration | For the term of the subscription, plus 30 days for deletion |
| Nature & purpose | Logging AI API call metadata (model, tokens, cost, timestamps) to enforce budgets and provide analytics |
| Categories of data | API call metadata, cost data, IP addresses for license binding, email addresses for accounts |
| Data subjects | Customer's employees and agents using the AI systems |
| Location | EU (Hetzner, Nuremberg, Germany) |
4. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are under confidentiality obligations
- Implement appropriate technical and organisational security measures (encryption at rest and in transit, access controls, regular backups)
- Not engage sub-processors without prior written authorisation (see Section 6)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Delete or return all personal data upon termination, at Controller's choice
- Make available all information necessary to demonstrate compliance and allow audits
5. Security Measures
- Dedicated single-tenant VPS per customer (no shared infrastructure)
- HTTPS/TLS for all data in transit
- SQLite database with WAL mode, stored on encrypted volumes
- BYOK model: customer API keys are stored only on the customer's VPS
- No access to LLM request/response content — only metadata (model, tokens, cost)
- Automated backups with 7-day retention
- Access limited to authorised ScaleRight personnel via SSH key authentication
6. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | Nuremberg, Germany (EU) |
| Cloudflare Inc. | DDoS protection, DNS, TLS | Global (EU primary) |
| Stripe Inc. | Payment processing | EU/US |
| Supabase Inc. | Provisioning database (no customer AI data) | EU |
We will notify you before adding or replacing sub-processors, giving you 30 days to object.
7. Data Breach Notification
We will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting your data, including the nature of the breach, categories of data affected, and measures taken.
8. International Transfers
All customer data is processed within the EU (Hetzner, Germany). Where transfers outside the EU/UK are necessary (e.g., Stripe payment processing), appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
9. Termination
Upon termination of the service, we will delete all personal data within 30 days unless legally required to retain it. You may request a data export (SQLite database file) before termination.
10. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
11. Governing Law
This DPA is governed by the laws of England and Wales.
To execute this DPA, email legal@scaleright.ai with your company details. A countersigned copy will be returned within 2 business days.