Data Processing Addendum
Last updated: February 2, 2026
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Ragnerock Terms of Service or other written or electronic terms of service or subscription agreement (the “Agreement”) between Ragnerock, Inc. (“Ragnerock”) and the entity or person defined as “Customer” thereunder, and each Customer Affiliate that is party to an Order Form pursuant to the Agreement (collectively and individually referred to herein as “Customer”; and together with Ragnerock, collectively, the “Parties” or individually, a “Party”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
“Account” means Customer’s account in the Service in which Customer stores and processes Customer Data and manages Users.
“Affiliate” has the meaning set forth in the Agreement.
“Authorized Affiliate” means a Customer Affiliate who has not signed an Order Form pursuant to the Agreement, but is either a Data Controller or Data Processor for the Customer Personal Data processed by Ragnerock pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
“Customer Data” has the meaning set forth in the Agreement.
“Customer Personal Data” means any Customer Data that is Personal Data.
“Customer-Provided Services” has the meaning set forth in the Agreement. For the avoidance of doubt, providers of Customer-Provided Services are not Sub-processors of Ragnerock.
“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, and “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Purposes” means (i) Ragnerock’s provision of the Ragnerock Offerings as described in the Agreement, including Processing initiated by Users in their use of the Ragnerock Offerings; (ii) the processing of Customer Personal Data through AI Sub-processors engaged by Ragnerock to provide the Service, as described in the Agreement and this DPA; and (iii) further documented, reasonable instructions from Customer agreed upon by the Parties.
“Security Incident” means a breach of Ragnerock’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
“Service” has the meaning set forth in the Agreement.
“Sub-processor” means any other Data Processor engaged by Ragnerock to Process Customer Personal Data, including AI Sub-processors as defined in the Agreement.
2. Scope and Applicability of this DPA
This DPA applies where and only to the extent that Ragnerock Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Ragnerock Offerings.
This DPA does not apply to any processing of Customer Personal Data by providers of Customer-Provided Services. Customer is solely responsible for ensuring that its use of Customer-Provided Services complies with applicable Data Protection Laws, the applicable provider’s data processing agreement and terms of use, and any other legal requirements applicable to Customer’s processing of Customer Personal Data through Customer-Provided Services.
3. Roles and Scope of Processing
3.1. Role of the Parties
As between Ragnerock and Customer, Ragnerock shall Process Customer Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (such third-party, the “Third-Party Controller”) with respect to Customer Personal Data.
To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Ragnerock is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws. For the avoidance of doubt, Usage Data expressly excludes the content of Customer Data and includes only metadata about how the Service is used (e.g., query frequency, feature utilization, and performance metrics).
3.2. Customer Instructions
Ragnerock will Process Customer Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out the exclusive and final instructions to Ragnerock for all Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions require the prior written agreement of Ragnerock. Ragnerock shall promptly notify Customer if, in Ragnerock’s opinion, such instruction violates EU & UK Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.
3.3. Customer Affiliates
Ragnerock’s obligations set forth in this DPA also extend to Authorized Affiliates, subject to the following conditions:
(a) Customer must exclusively communicate any additional Processing instructions requested pursuant to Section 3.2 directly to Ragnerock, including instructions from its Authorized Affiliates;
(b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; and
(c) Authorized Affiliates shall not bring a claim directly against Ragnerock. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or other forms of complaints or proceedings against Ragnerock (“Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against Ragnerock on behalf of such Authorized Affiliate, unless Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including, but not limited to, any aggregate limitation of liability.
3.4. Processing of Personal Data
Each Party will comply with its respective obligations under Data Protection Laws. Customer agrees (i) it will use the Service in a manner designed to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (ii) it has obtained all consents, permissions and/or rights necessary under Data Protection Laws for Ragnerock to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third parties via the Service.
3.5. Details of Customer Personal Data Processing
(a) Subject matter
The subject matter of the Processing under this DPA is the Customer Personal Data.
(b) Frequency and duration
Notwithstanding expiration or termination of the Agreement, Ragnerock will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.
(c) Purpose
Ragnerock will Process the Customer Personal Data only for the Purposes, including through the use of AI Sub-processors to provide the AI processing capabilities of the Service.
(d) Nature of the Processing
Ragnerock will perform Processing as needed for the Purposes, including the transmission of Customer Personal Data to AI Sub-processors for the purpose of generating AI Outputs, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA. Ragnerock and its AI Sub-processors will not use Customer Personal Data to train, improve, or fine-tune any AI or machine learning models, unless Customer has entered into a separate written agreement with Ragnerock expressly authorizing such use.
(e) Retention Period
The period for which Customer Personal Data will be retained and the criteria used to determine that period is determined by Customer during the term of the Agreement via Customer’s use and configuration of the Service. Upon termination or expiration of the Agreement, Customer may retrieve or delete Customer Personal Data as described in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Ragnerock promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination retrieval period described in the Agreement.
(f) Categories of Data Subjects
The categories of Data Subjects to which Customer Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(i) Prospects, customers, business partners and vendors of Customer (who are natural persons);
(ii) Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
(iii) Employees, agents, advisors, and freelancers of Customer (who are natural persons); and/or
(iv) Any other natural persons whose Personal Data Customer uploads to or processes through the Service.
(g) Categories of Personal Data
The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(i) Identification and contact data (name, address, title, contact details);
(ii) Financial information (credit card details, account details, payment information);
(iii) Employment details (employer, job title, geographic location, area of responsibility);
(iv) IT information (IP addresses, cookies data, location data); and/or
(v) Communications data (email content, chat messages, voice transcripts, and other electronic communications).
(h) Special Categories of Personal Data
Subject to any applicable restrictions and/or conditions in the Agreement or Documentation, Customer may also include “special categories of personal data” or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
4. Sub-processing
4.1. Authorized Sub-processors
Customer provides Ragnerock with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as well as Ragnerock’s current Sub-processors listed at https://ragnerock.com/legal/sub-processors (“Sub-processor Site”) as of the effective date of this DPA. For the avoidance of doubt, providers of Customer-Provided Services (as defined in the Agreement) are not Sub-processors of Ragnerock, and this Section 4 does not apply to such providers.
4.2. Sub-processor Obligations
Ragnerock shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than Ragnerock’s obligations under this DPA to the extent applicable to the services provided by the Sub-processor; (ii) ensure that agreements with AI Sub-processors contain terms prohibiting the use of Customer Personal Data for training, improving, or fine-tuning any AI or machine learning models; and (iii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Ragnerock shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.
4.3. Changes to Sub-processors
Ragnerock shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors. Ragnerock shall provide such notification to (i) email addresses that have subscribed for notifications on the Sub-processor Site, and (ii) email addresses designated by Customer as notification recipients within the Service, at least thirty (30) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, objections (if any) to Ragnerock’s appointment of the new Sub-processor must be provided to Ragnerock in writing and based on reasonable grounds. In such event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Ragnerock that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Ragnerock cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the applicable Order Form(s) with respect to only those aspects which cannot be provided by Ragnerock without the use of the new Sub-processor by providing advance written notice to Ragnerock of such termination. Ragnerock will refund Customer the value of any unused, unexpired Credits following the effective date of such termination.
5. Security
5.1. Security Measures
Ragnerock shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data as described in the Ragnerock Security Addendum found at https://www.ragnerock.com/legal/security (“Security Addendum”).
5.2. Confidentiality of Processing
Ragnerock shall ensure that any person who is authorized by Ragnerock to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3. No Assessment of Customer Personal Data by Ragnerock
Ragnerock shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for making an independent determination as to whether its use of the Service will meet Customer’s requirements and legal obligations under Data Protection Laws. Without limiting the foregoing, Ragnerock shall have no obligation to review AI Outputs for compliance with Data Protection Laws; Customer is solely responsible for validating AI Outputs and ensuring that any use of AI Outputs complies with applicable Data Protection Laws.
5.4. Customer-Provided Services Security
Ragnerock shall have no responsibility for the security of Customer Personal Data processed or stored through Customer-Provided Services. Customer is solely responsible for ensuring that Customer-Provided Services implement appropriate technical and organizational security measures and that Customer’s use of such services complies with applicable Data Protection Laws and the applicable provider’s data processing agreement and terms of use.
6. Customer Audit Rights
6.1. Security Reports
Upon written request and at no additional cost to Customer, Ragnerock shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Ragnerock’s compliance with its obligations under this DPA in the form of relevant audits, certifications, or security assessments (collectively, “Reports”). Reports may include, as and when available: (i) SOC 2 Type II audit reports; (ii) third-party security certifications (e.g., ISO 27001); and (iii) Ragnerock’s most recently completed industry standard security questionnaire, such as a SIG or CAIQ. Where formal audit reports or certifications are not yet available, Ragnerock shall provide alternative evidence of its security controls, such as completed security questionnaires, penetration test summaries, or documented security policies and procedures, in order to assist Customer in evaluating Ragnerock’s security posture.
6.2. Audits
Customer may also send a written request for an audit of Ragnerock’s applicable controls, including inspection of its facilities. Following receipt by Ragnerock of such request, Ragnerock and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Ragnerock may charge a fee (rates shall be reasonable, taking into account the resources expended by Ragnerock) for any such audit. The Reports, audit, and any information arising therefrom shall be considered Ragnerock’s Confidential Information and may only be shared with a third party (including a Third-Party Controller) with Ragnerock’s prior written agreement.
6.3. Third-Party Audits
Where the Auditor is a third party, the Auditor may be required to execute a separate confidentiality agreement with Ragnerock prior to any review of Reports or an audit of Ragnerock, and Ragnerock may object in writing to such Auditor, if in Ragnerock’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Ragnerock. Any such objection by Ragnerock will require Customer to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of Reports or an audit shall be borne exclusively by the Customer. For clarity, the exercise of audit rights under a Transfer Mechanism shall be as described in this Section 6 (Customer Audit Rights) and Customer agrees those rights are carried out on behalf of Customer and all relevant Third-Party Controllers, subject to the confidentiality and non-use restrictions of the Agreement.
7. Data Transfers
7.1. Hosting and Processing Locations
Customer Personal Data is hosted and processed in the United States. Where Customer elects to use Customer-Provided Services (such as BYO database or BYO storage), Customer Personal Data processed or stored through such services will be located wherever Customer has configured those services to host data; Customer is solely responsible for ensuring such locations comply with applicable Data Protection Laws. Ragnerock will not Process Customer Personal Data from outside the United States except as reasonably necessary to provide the Ragnerock Offerings procured by Customer, or as necessary to comply with the law or binding order of a governmental body. Customer is solely responsible for the regions from which its Users access the Customer Personal Data and for any transfer or sharing of Customer Personal Data by Customer or its Users.
7.2. Transfer Mechanisms
7.2.1. Transfer Mechanisms Prescribed by Data Protection Laws
If Data Protection Laws have prescribed specific mechanisms for the transfer of Customer Personal Data to Ragnerock and/or contract clauses for Processing of Customer Personal Data by Ragnerock (collectively, a “Transfer Mechanism”), Ragnerock shall make such specific Transfer Mechanism available (to the extent generally supported by Ragnerock) at https://ragnerock.com/legal/transfer-mechanisms (the “Transfer Mechanism Site”). A Transfer Mechanism shall not apply and shall not be incorporated into this DPA if it is not applicable to (i) transfers from Customer to Ragnerock (including where no such transfer occurs), or (ii) Processing by Ragnerock of Customer Personal Data. If a listed Transfer Mechanism is, or becomes applicable under Data Protection Laws, it shall be deemed to be signed by the Parties and is incorporated into this DPA. Subject to Section 7.2.2 (Updates Regarding Transfer Mechanism Site) below, Ragnerock may only remove an applicable Transfer Mechanism if the Transfer Mechanism has ceased being valid under the Data Protection Law or Ragnerock is offering an alternative, then-currently valid Transfer Mechanism.
7.2.2. Updates Regarding Transfer Mechanism Site
Ragnerock shall notify Customer of changes to its Transfer Mechanisms by updating the Transfer Mechanism Site and posting a summary and date of the relevant changes.
8. Security Incident Response
8.1. Security Incident Reporting
If Ragnerock becomes aware of a Security Incident, Ragnerock shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Ragnerock’s notification shall be sent to the email address of Customer’s account administrator(s) registered within the Service. Customer acknowledges that if no valid account administrator email address is registered, Ragnerock’s ability to timely notify shall be negatively impacted. Ragnerock shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
8.2. Security Incident Communications
Ragnerock shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Ragnerock to mitigate or contain the Security Incident, the status of Ragnerock’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Ragnerock personnel may not have visibility to the content of Customer Personal Data, it is unlikely Ragnerock can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Ragnerock with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Ragnerock of any fault or liability with respect to the Security Incident.
9. Cooperation
9.1. Data Subject Requests
Ragnerock shall promptly notify Customer if Ragnerock receives a request from a Data Subject that identifies Customer Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). To the extent the Service provides Customer with self-service controls that Customer may use to assist it in responding to Data Subject Requests, Customer will be responsible for responding to any such Data Subject Requests using such controls. To the extent Customer is unable to access or manage the relevant Customer Personal Data within the Service using such controls or otherwise, Ragnerock shall (upon Customer’s written request and taking into account the nature of Ragnerock’s Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.
9.2. Data Protection Impact Assessments
Ragnerock shall provide reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
9.3. Government and Law Enforcement Inquiries
If Ragnerock receives a demand to retain, disclose, or otherwise Process Customer Personal Data from law enforcement or any other government and/or public authority (“Governmental Inquiry”), then Ragnerock shall attempt to redirect the Governmental Inquiry to Customer. Customer agrees that Ragnerock can provide information to such third party to the extent reasonably necessary to redirect the Governmental Inquiry to Customer. If Ragnerock cannot redirect the Governmental Inquiry to Customer, then Ragnerock shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Governmental Inquiry as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish Ragnerock’s obligations under any applicable Transfer Mechanisms with respect to access by public authorities.
10. Relationship with the Agreement
10.1. Prior Agreements
The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Ragnerock and Customer may have previously entered into in connection with the Service. Ragnerock may update this DPA from time to time, with such updated version posted to https://www.ragnerock.com/legal, or a successor website designated by Ragnerock; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
10.2. Conflicts
Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any Customer Personal Data comprised of patient, medical or other protected health information regulated by HIPAA, if there is any conflict between this DPA and a business associate agreement between Customer and Ragnerock, then the business associate agreement shall prevail solely with respect to such Customer Personal Data.
10.3. Liability
Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Transfer Mechanisms, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.
10.4. No Third-Party Beneficiaries
In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the Transfer Mechanisms).
10.5. Governing Law
This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.