Data Processing Agreement

Last updated: March 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SideFuel Ltda. ("Processor", "we", "us") and the customer ("Controller", "you") using the Relayers webhook routing platform ("Service").

This DPA applies when you, as the Controller, process personal data of individuals located in the European Economic Area (EEA), United Kingdom, Switzerland, or Brazil through the Service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Art. 4(1) and LGPD Art. 5(I)
  • "Processing" means any operation performed on Personal Data, including collection, storage, transmission, modification, and deletion
  • "Controller" means the entity that determines the purposes and means of Processing — in this context, the customer using the Service
  • "Processor" means the entity that processes Personal Data on behalf of the Controller — in this context, SideFuel
  • "Sub-Processor" means a third party engaged by the Processor to process Personal Data
  • "Data Subject" means the individual whose Personal Data is processed
  • "Breach" means a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data

2. Scope of Processing

2.1 Roles

With respect to webhook data transmitted through the Service, you are the Controller and SideFuel is the Processor. SideFuel processes webhook payloads solely to provide the routing, transformation, and delivery services you have configured.

With respect to your account data (name, email, billing information), SideFuel acts as a Controller for its own business purposes as described in our Privacy Policy.

2.2 Subject Matter and Duration

The Processor processes Personal Data contained in webhook payloads and headers for the duration of the Controller's use of the Service, plus the applicable retention period (7-90 days depending on plan).

2.3 Nature and Purpose

  • Receiving, routing, and delivering webhook HTTP requests
  • Applying JQ-based filtering rules and payload transformations
  • Temporary storage for retry and debugging purposes
  • WebSocket tunnel delivery to localhost endpoints

2.4 Categories of Data Subjects

Determined by the Controller. May include the Controller's end users, customers, employees, or any individuals whose data is contained in webhook payloads.

2.5 Types of Personal Data

Determined by the Controller. May include names, email addresses, IP addresses, financial data, or any other data transmitted in webhook payloads and headers.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., the Service configuration), unless required by applicable law
  • Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality
  • Implement appropriate technical and organizational measures to ensure the security of Personal Data (see Section 5)
  • Not engage Sub-Processors without prior written authorization from the Controller (see Section 6)
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 7)

4. Controller Obligations

The Controller shall:

  • Ensure that the processing of Personal Data through the Service has a valid legal basis under applicable law
  • Provide all necessary notices and obtain all necessary consents from Data Subjects before transmitting their Personal Data through the Service
  • Be responsible for the lawfulness, accuracy, and relevance of Personal Data transmitted through webhooks
  • Respond to Data Subject requests and involve the Processor only where necessary for technical implementation

5. Technical and Organizational Measures (TOMs)

The Processor implements the following measures to protect Personal Data:

5.1 Encryption & Hashing

  • TLS 1.2+ for all data in transit (API, WebSocket, webhook delivery)
  • Passwords hashed with bcrypt
  • API keys stored as SHA-256 hashes

5.2 Access Control

  • Multi-tenant architecture with strict tenant isolation (every resource scoped by tenant_id)
  • Role-based access control (RBAC) with owner, admin, member, and viewer roles
  • Short-lived JWT tokens (15-minute TTL)
  • Platform admin guard for administrative operations
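The two measures above that a reviewer most often asks to see in practice are "API keys stored as SHA-256 hashes" (5.1) and "every resource scoped by tenant_id" (5.2). The following is an added illustration, not SideFuel's own code: it assumes a hypothetical in-memory key store standing in for a database table, shows the plaintext key only once at issuance, persists only its SHA-256 digest, and makes every lookup carry a tenant_id so that a key valid for one tenant cannot authenticate against another.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_key(key: str) -> str:
    """Return the hex SHA-256 digest of an API key; only this is ever stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


@dataclass
class ApiKeyRecord:
    # Hypothetical row layout: every record is scoped to exactly one tenant.
    tenant_id: str
    key_hash: str   # hex SHA-256 of the key, never the key itself
    role: str       # owner / admin / member / viewer


@dataclass
class KeyStore:
    # Stand-in for a database table (assumption for this example).
    rows: list = field(default_factory=list)

    def issue(self, tenant_id: str, role: str) -> str:
        """Create a key for one tenant. The plaintext is returned to the caller
        once and is not retained; the table holds only its digest."""
        key = "rk_" + secrets.token_urlsafe(32)
        self.rows.append(ApiKeyRecord(tenant_id, hash_key(key), role))
        return key

    def authenticate(self, tenant_id: str, presented_key: str) -> Optional[ApiKeyRecord]:
        """Look up a presented key, but only within the given tenant. Digests are
        compared in constant time so a mismatch leaks nothing about the stored value."""
        digest = hash_key(presented_key)
        for row in self.rows:
            if row.tenant_id == tenant_id and hmac.compare_digest(row.key_hash, digest):
                return row
        return None

    def revoke(self, tenant_id: str, presented_key: str) -> bool:
        """Delete a key, again scoped to the tenant that owns it."""
        digest = hash_key(presented_key)
        before = len(self.rows)
        self.rows = [
            r for r in self.rows
            if not (r.tenant_id == tenant_id and hmac.compare_digest(r.key_hash, digest))
        ]
        return len(self.rows) < before


if __name__ == "__main__":
    store = KeyStore()
    key_a = store.issue("tenant_a", "admin")
    print("issued key (shown once):", key_a)
    print("stored rows hold only digests:", all(r.key_hash != key_a for r in store.rows))
    print("same tenant:", store.authenticate("tenant_a", key_a) is not None)
    print("other tenant:", store.authenticate("tenant_b", key_a) is not None)
```

The point of the tenant_id parameter on every lookup is that the caller's tenancy is established first (from the session or token) and then used to constrain the query, rather than finding the key globally and trusting whatever tenant the row happens to belong to.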

5.3 Availability & Resilience

  • Automatic retry with exponential backoff for failed deliveries
  • Rate limiting to prevent abuse and resource exhaustion
  • Health monitoring endpoints (/healthz, /readyz)

5.4 Data Minimization & Retention

  • Webhook data retained only for the plan's configured retention period (7-90 days)
  • Automatic cleanup of expired data via scheduled workers
  • Daemon connection metadata purged after 2 minutes of inactivity

5.5 Security Headers & Hardening

  • HSTS (Strict-Transport-Security)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Restrictive Permissions-Policy

6. Sub-Processors

The Controller authorizes the Processor to engage the following Sub-Processors:

  Sub-Processor                  Purpose                     Location
  Stripe, Inc.                   Payment processing          USA
  Cloud Infrastructure Provider  Hosting & compute           See status page
  Supabase, Inc.                 Authentication (optional)   USA

Right of objection: The Processor will notify the Controller at least 30 days before engaging a new Sub-Processor. The Controller may object to the new Sub-Processor within 14 days of notification. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service.

The Processor ensures that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.

7. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller (or its authorized third-party auditor, bound by confidentiality) may conduct an audit once per calendar year with at least 30 days written notice.

The audit shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of the audit.

8. Data Breach Notification

In the event of a Breach affecting Personal Data processed under this DPA, the Processor shall:

  • Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the Breach
  • Provide the Controller with sufficient information to meet its own notification obligations under GDPR Art. 33-34 and LGPD Art. 48, including:
    • Nature of the Breach (categories and approximate number of Data Subjects and records affected)
    • Likely consequences of the Breach
    • Measures taken or proposed to address the Breach
    • Contact details of the Processor's DPO
  • Cooperate with the Controller in investigating and remediating the Breach
  • Document the Breach, including its effects and the remedial actions taken

9. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Brazil, the Processor ensures appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Compliance with LGPD Art. 33-36 for transfers from Brazil

10. Data Deletion & Return

Upon termination of the Service:

  • The Controller may export its data via the API (GET /v1/account/export) within 30 days of termination
  • After the 30-day export period, the Processor will permanently delete all Personal Data processed under this DPA, except where retention is required by applicable law
  • The Processor will confirm deletion in writing upon the Controller's request

11. Term and Termination

This DPA is effective for the duration of the Controller's use of the Service. The obligations of the Processor regarding security and confidentiality shall survive termination until all Personal Data has been deleted.

12. Contact

For questions or requests related to this DPA:

13. Related Documents