
Data Processing Agreement

When you use RunDo, you (the controller) entrust us (the processor) with personal data of your customers and team. This DPA explains the obligations on both sides.

Roles

You are the controller

You decide what data to collect from your customers and how to use it. RunDo carries out your instructions.

RunDo is the processor

We store and process the data on your instructions, only to deliver the service. We never use it for our own purposes.

Sub-processors

Third-party services that touch your data, and what each one does.

Supabase

Primary database & file storage. Singapore region.

Stripe

Payment processing. PCI DSS Level 1 compliant.

Cloudflare

DNS, CDN, edge security. SOC 2 Type II.

Resend

Transactional email delivery (invoices, alerts, notifications).

Anthropic / OpenAI

AI message drafting. Only used when you've enabled AI features. No training on your data.

Firebase Auth

Sign-in and account security. Google's auth infrastructure.

Security measures

Encryption

AES-256 at rest, TLS 1.3 in transit. Sensitive credentials in Supabase Vault.

Access control

Production access limited to a 2-person team with quarterly reviews. Audit log on every admin action.

Backups

Every 6 hours, retained 30 days, replicated to a second region for DR.

Incident response

72-hour notification commitment for confirmed data breaches affecting customer data.

Data subject requests

If a customer of yours requests their data be deleted or exported, you can fulfil the request directly from your RunDo dashboard (Settings, Data subject requests). For requests beyond what the dashboard supports, email privacy@rundo.app and we'll assist within 7 days.

Cross-border transfers

All data is stored in Singapore (ap-southeast-1). When a sub-processor is outside Singapore (e.g., Stripe in the US, Anthropic in the US), we rely on Standard Contractual Clauses (SCCs) for the transfer.

Term and termination

This DPA stays in effect as long as RunDo processes data on your behalf. On termination, we'll delete your data within 30 days of receiving your written request, or retain only what we're legally required to keep (e.g., for tax/audit).
