We're officially SOC 2 Type II Compliant
You've unlocked a referral bonus! Sign up today and you'll get a random credit bonus between $5 and $500
You've unlocked a referral bonus!
Claim Your Bonus
Claim Bonus
Legal

Data Processing Agreement

THIS DATA PROCESSING AGREEMENT (“DPA”) is entered into as of the Agreement Effective Date by and between: (1) Runpod, Inc. (“Runpod”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.

  1. INTERPRETATION
    1. In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
      1. Aggregate Data” means anonymized sets of data derived from the data of a single Runpod Customer or multiple Runpod Customers.  Aggregate Data does not include any Personal Data.
      2. Agreement” means the agreement under which Runpod has agreed to provide services to Customer entered into by and between the Parties.  
      3. Applicable Data Protection Laws “means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to Runpod’s Processing of Customer Personal Data under the Agreement (including, as and where applicable, the GDPR and or State Privacy Laws).  
      4. Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
      5. Customer Personal Data” means any Personal Data Processed by Runpod or its Sub-Processor on behalf of Customer to perform the Services under the Agreement (including, for the avoidance of doubt, any such Personal Data comprised within Customer Data).
      6. Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
      7. Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
      8. “Effective Date” means the effective date of the Agreement.
      9. GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018 and the UK Data Use and Access Act 2025), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
      10. Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
      11. Personal Data Breach” means a breach of Runpod’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Runpod’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
      12. Personnel” means a person’s employees, agents, consultants, contractors or other staff.
      13. Process”, and grammatical inflections thereof, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      14. Processor” means a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of a Controller.
      15. Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EU GDPR, any country or territory outside the European Economic Area (“EEA”) which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
      16. SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
      17. Services” means those services and activities to be supplied to or carried out by or on behalf of Runpod for Customer pursuant to the Agreement.
      18. State Privacy Laws” means, collectively, the comprehensive U.S. state data privacy laws currently in effect and applicable to Provider’s Processing of Personal Data under the Agreement.
      19. Sub-Processor” means any third party appointed by or on behalf of Runpod to Process Customer Personal Data.
      20. Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
      21. UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
    2. Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
  2. PROCESSING OF CUSTOMER PERSONAL DATA
    1. Details and roles. The Parties acknowledge and agree that the details of Runpod’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.  Runpod may create, generate, use and disclose Aggregate Data for any lawful purpose. Runpod will not, and will not allow third parties to which it discloses Aggregate Data, re-identify Aggregate Data such that it becomes identifiable to Data Subjects.

      This DPA does not apply to Personal Data relating to an employee or other authorized representative of Customer that is collected or received by Runpod in connection with the procurement or use of, or payment for, the Services (for example, the names and email addresses of Customer’s account representatives and accounting personnel). Runpod’s use of Personal Data of such an employee or other representative is governed by the Runpod Privacy Policy, which describes how to manage individual communication preferences. The Parties shall be responsible for informing its own Authorized Users of the processing of their Personal Data as provided in the Agreement.
    2. General. Runpod shall not Process Customer Personal Data other than: (a) on Customer’s instructions set out in the Agreement and this DPA; or (b) as required by applicable laws. Customer instructs and authorizes Runpod to Process Customer Personal Data for the purposes set out in the Agreement (as further described in Annex 1 (Data Processing Details) to the DPA). This includes (i) to provide the Services; (ii) to provide customer support; and (iii) to improve and enhance the Services.  The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Runpod only pursuant to any written amendment to this DPA signed by both Parties. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Runpod pursuant to or in connection with the Agreement shall be in strict compliance with Applicable Data Protection Laws. Where required by Applicable Data Protection Laws, if Runpod receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Runpod shall notify Customer.
  3. TECHNICAL AND ORGANIZATIONAL MEASURES; ASSISTANCE
    1. Personnel. Runpod shall take commercially reasonable steps designed to ascertain the reliability of any Runpod Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Runpod Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
    2. Security. Runpod shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access as described in Annex 3 (Security Measures) (the “Security Measures”). Runpod may modify these Security Measures from time to time to reflect its then-current security standards and practices; provided that such modifications do not materially decrease the overall security of Services and/or relevant Customer Personal Data.
    3. Data Subject Rights. Runpod, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Runpod receives a Data Subject Request, Customer will be responsible for responding to any such request. Runpod shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
    4. DPIAs and Consultations. If and to the extent the GDPR applies to the given Processing of Customer Personal Data, Runpod shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities, which are required by Article 35 or Article 36 of the GDPR (as applicable), in each case solely in relation to such Processing of Customer Personal Data by Runpod.
  4. PERSONAL DATA BREACHES
    1. Notifications. Runpod shall notify Customer without undue delay upon Runpod’s confirmation of a Personal Data Breach affecting Customer Personal Data. Runpod shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any Personal Data Breach. Runpod shall provide Customer with information (insofar as such information is within Runpod’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Runpod) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Runpod’s notification of or response to a Personal Data Breach shall not be construed as Runpod’s acknowledgement of any fault or liability with respect to the Personal Data Breach. As between the Parties, Customer is solely responsible for complying with applicable laws (including notification laws), and fulfilling any third-party notification obligations, related to any Personal Data Breaches.
    2. Consultation with Runpod. If Customer determines that a Personal Data Breach suffered by Runpod or a Sub-Processor affecting Customer Personal Data must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Runpod, where permitted by applicable laws, Customer agrees to: (a) notify Runpod in advance; and (b) in good faith, consult with Runpod and consider any clarifications or corrections Runpod may reasonably recommend or request to any such notice, which: (i) relate to Runpod’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
  5. SUB-PROCESSING
    1. General authorization. Customer generally authorizes Runpod to appoint Sub-Processors in accordance with this Section 5. Information about Runpod’s Sub-Processors, including their functions and locations, is as shown in [INSERT] (as may be updated from time-to-time) or such other website address or Sub-Processor document as Runpod may provide to Customer from time-to-time (the “Sub-Processor List”). Without limitation, Customer authorizes Runpod engagement of the Sub-Processors listed on the Sub-Processor List as of the Effective Date.
    2. Notification. Runpod shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating the Sub-Processor List and notifying the Customer of such intended change, no later than thirty (30) days before the appointment of new Sub-Processors. If, within thirty (10) days of receipt of that notice, Customer notifies Runpod in writing of any objections to the proposed appointment (made in good faith based upon evidenced concerns that the use of that proposed Sub-Processor would cause Customer to be in material and unavoidable breach of Applicable Data Protection Laws): (a) Runpod shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within thirty (30) days from Runpod’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Runpod may terminate the Agreement without liability to Customer beyond reimbursing any pre-paid fees on a pro-rated basis. If Customer does not object to Runpod’s appointment of a Sub-Processor during the objection period referred to in this Section 5.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
    3. Runpod Responsibilities. With respect to each Sub-Processor, Runpod shall maintain a written contract between Runpod and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA. Runpod shall remain liable for any breach of this DPA caused by a Sub-Processor.
  6. DATA TRANSFERS
    1. Entry into SCCs. In respect of any Restricted Transfer of Customer Personal Data from Customer to Runpod under this DPA: (a) that is an EU Restricted Transfer, the Parties hereby enter into and agree to comply with their respective obligations set out in the SCCs as populated in accordance to clause 6.2 below; and/or (b) that is a UK Restricted Transfer, the Parties hereby enter into and agree to comply with their respective obligations set out in the SCCs as varied by the UK Transfer Addendum as populated in accordance to clause 6.3 below.  
    2. Population of SCCs. In respect of any SCCs entered into pursuant to Section 6.1, the Parties agree as follows: (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; (b)  as applicable: (i) Module Two of the SCCs applies to any relevant EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and (ii) Module Three of the SCCs applies to any relevant EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself a Processor; (c) as and where applicable to the relevant Module of the SCCs and the Clauses thereof: (i) in Clause 7: the optional ‘Docking Clause’ is not used; (ii) in Clause 9: ‘OPTION 2: GENERAL WRITTEN AUTHORISATION’ applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 5.2;  (iii) in Clause 11: the optional language is not used; (iv) in Clause 13: all square brackets are removed and all text therein is retained; (v) in Clause 17: ‘OPTION 1’ applies, and the Parties agree that the SCCs shall be governed by the law of: (A) Ireland in relation to any EU Restricted Transfer; (vi) in Clause 18(b): the Parties agree that any dispute arising from the SCCs shall be resolved by the courts of Ireland.

      In respect of the Annexes to the Appendix to the SCCs: (i) Annex I is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA with Customer being the ‘data exporter’ and Runpod being the ‘data importer’; (ii) part C of Annex I is populated with the following “Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, Ireland; and (iii) Annex II is populated with reference to the information contained in and determined by Section 3.2 of the DPA (including the Security Measures).
    3. Population of UK Transfer Addendum. Where relevant in accordance with Section 6.1(b), the SCCs apply to any UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (i) ’Part 1 to the UK Transfer Addendum’: (A) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and Section 6.2; and (B) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked; and (ii) ‘Part 2 to the UK Transfer Addendum’: the Parties agree to be bound by the UK Mandatory Clauses and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those Mandatory Clauses.

      As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in clause 6.3; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses). In relation to any UK Restricted Transfer to which they apply, where the context permits and requires any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in clause 6.3 above.
    4. Adoption of new transfer mechanism. Runpod may on notice vary this DPA and replace the relevant SCCs with: (i) any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g. standard data protection clauses adopted by the European Commission for use specifically in respect of transfer to data importers subject to Article 3(2) of the EU GDPR); or (ii) another transfer mechanisms, other than the SCCs, that enables the lawful transfer of Customer Personal Data to Vendor under this DPA in compliance with Chapter V of the GDPR.
    5. Provision of the full-form SCCs. In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority or Data Subject – on specific written request and accompanied by suitable supporting evidence of the relevant request - Runpod shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with clause 6.2) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
  7. AUDITS
    1. Information provision and audits. Runpod shall make available to Customer on request, such information as Runpod (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Sections 7.2 to 7.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that such information is not sufficient in the circumstances to demonstrate Runpod’s compliance with this DPA, at Customer’s expense, Runpod shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Runpod up to once per year.
    2. Customer responsibilities. Customer shall give Runpod reasonable notice of any audit to be conducted under Section 7.1 (which shall in no event be less than thirty (30) days’ notice, unless a shorter notice period is specifically required under Applicable Data Protection Laws relevant to the audit concerned) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Runpod’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Runpod’s other customers or the availability of Runpod’s services to such other customers).
    3. Audit plans. Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Runpod will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Runpod security, privacy, employment or other relevant policies). Runpod will work cooperatively with Customer to agree on a final audit plan.  
    4. Limitations. Runpod need not give access to its premises for the purposes of any audit under this Section 7: (a) where a third-party audit report or certification (e.g., SOC 2 Type 2, ISO 2700x, NIST or similar audit report or certification) is provided in lieu of such access (acceptance of which for this purpose not to be unreasonably withheld, delayed or conditioned by Customer); (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Runpod has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Runpod on terms acceptable to Runpod (acting reasonably); (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits which Customer is required to carry out under Applicable Data Protection Laws or by a Supervisory Authority. Nothing in this DPA shall require Runpod to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 7 shall be construed to obligate Runpod to breach any duty of confidentiality.
  8. RETURN AND DELETION
    1. General. Upon expiration or earlier termination of the Agreement, Runpod shall return and/or delete all Customer Personal Data in Runpod’s care, custody or control. To the extent that deletion of any Customer Personal Data contained in any back-ups’ maintained by or on behalf of Runpod is not technically feasible within the timeframe set out in Customer’s instructions, Runpod shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Runpod’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, irreversibly render anonymous all such Customer Personal Data and put such Customer Personal Data beyond use.
    2. Permitted retention. Notwithstanding the foregoing, Runpod may retain Customer Personal Data where required by applicable laws, provided that Runpod shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
  9. CUSTOMER’S RESPONSIBILITIES
    1. Security. Customer agrees that, without limiting Runpod’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Runpod uses to provide the Services; and (d) backing up Customer Personal Data.
    2. Compliance. Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Runpod of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Runpod of Customer Personal Data.
    3. Restricted Data. Customer shall not provide or otherwise make available to Runpod any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) credentials to any financial accounts; (h) tax return data; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).
  10. VARIOUS
    1. Incorporation and Application. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Effective Date. This DPA: (a) applies only if and to the extent Applicable Data Protection Laws govern Runpod’s Processing of Customer Personal Data in performance of the Service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws; and (b) does not apply to Runpod’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.
    2. State Privacy Laws. Annex 2 (State Privacy Laws Annex) applies if and to the extent Runpod’s Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to any of the State Privacy Laws.
    3. Costs. Except to the extent prohibited by Applicable Data Protection Laws, Customer shall compensate Runpod at Runpod’s then-current professional services rates for, and reimburse any costs reasonably incurred by Runpod in the course of providing, cooperation, information, or assistance requested by Customer pursuant to Sections 3.3 (Data Subject Rights), 3.4 (DPIAs and Consultations) and 7 (Audits) of this DPA (provided that Runpod shall bear its own costs in the event that any audit or inspection conducted in accordance with that Section 7 reveals any material non-compliance by Runpod with this DPA and/or Applicable Data Protection Laws. This provision applies, in each case, beyond providing self-service features included as part of, or in connection with, the Services.
    4. LIABILITY. THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THE AGREEMENT, THIS DPA AND THE SCCS (IF AND AS THEY APPLY) WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT; PROVIDED THAT, NOTHING IN THIS SECTION 10.4 WILL AFFECT ANY PERSON’S LIABILITY TO DATA SUBJECTS UNDER THE THIRD-PARTY BENEFICIARY PROVISIONS OF THE SCCS (IF AND AS THEY APPLY).
    5. Required Updates. Each Party shall act in good faith to agree variations to this DPA that are reasonably necessary to address the requirements of Applicable Data Protection Laws from time to time (including to apply a new transfer mechanism to comply with relevant requirements of the GDPR).  
    6. Prevail. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Effective Date. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs entered into pursuant to Section 6 and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

RUNPOD / ‘DATA IMPORTER’ DETAILS

Name: Runpod, Inc.
Address: 1181 Nixon Dr #1158, Moorestown, NJ 08057
Contact Details for Data Protection: chris.love@Runpod.io
Runpod Activities: Activities relevant to the data transferred under this DPA
Role: Processor

CUSTOMER / ‘DATA EXPORTER’ DETAILS

Name: The entity or other person who is a counterparty to the Agreement
Address: Customer’s address is:
• the address shown in the Agreement entered into by and between the Customer and Runpod; or
• if the Agreement does not include the address, the Customer’s principal business trading address unless otherwise notified to Runpod’s Contacts identified above.
Contact Details
for Data Protection:		 Customer’s contact details are:
• the contact details shown in the Agreement; or
• if the Agreement does not include the contact details, Customer’s contact details submitted by Customer and associated with Customer’s account for the Services.
Customer
Activities:		 Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role: • Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
• Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including, where applicable, its affiliates or Customer’s own customers for whom Customer is a Processor).
Categories of
Data Subjects:		 Customer may submit Customer Personal Data to Runpod relating to various categories of data subjects, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to:
(i) Customer’s current, past, and prospective customers and clients;
(ii) Customer’s employees, contractors, and other personnel of the foregoing entities; and
(iii) Customer’s suppliers and service providers.
Categories of
Personal Data:		 Customer may submit Customer Personal Data to Runpod, the extent of which is determined and controlled by Customer in its sole discretion and may vary depending on the Services, but which may include:
identification and contact data (name, address, title, contact details, company information);
professional information (employer, job title, geographic location, area of responsibility);
IT usage data (user ID and roles);
technical data (IP addresses, device information, browser data);
communication data (email);
and any other Personal Data elements that Customer chooses to input into or otherwise provide to the Services.
Sensitive Categories of Data,
and associated additional
restrictions/safeguards: 		Categories of sensitive data:
None – as noted in Section 9.3 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs) must not be submitted to the Services.

Additional safeguards for sensitive data:
N/A
Frequency of
transfer:		 Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of
the Processing:		 Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of
the Processing:		 Customer Personal Data will be Processed:
(i) to provide the Services;
(ii) to provide customer support; and
(iii) to improve and enhance the Services.
Duration of
Processing / Retention Period:		 For the period determined in accordance with the Agreement and DPA, including Section 8 of the DPA.
Transfers to
(sub-)processors:		 Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.

State Privacy Laws Annex

In this Annex 2, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the State Privacy Laws.

  1. The business purposes and services for which Runpod is Processing personal information are for Runpod to provide the Services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to the DPA.
  2. It is the Parties’ intent that with respect to any personal information, Runpod is a service provider. Runpod (a) acknowledges that personal information is disclosed by Customer only for limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps under and subject to Section 6 (Audits) of the DPA to help ensure that Runpod’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Runpod that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.  
  3. Runpod shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Runpod and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Runpod’s own interaction with any consumer to whom such personal information pertains except as and to the extent necessary as part of Runpod’s provision of the Services.
  4. Runpod shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 3.2 (Security Measures) of the DPA.
  5. When Runpod engages any Sub-Processor, Runpod shall notify Customer of such Sub-Processor engagements in accordance with Section 5 (Sub-Processing) of the DPA and that such notice shall satisfy Runpod’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
  6. Runpod agrees that Customer may conduct audits, in accordance with Section 9 of the DPA, to help ensure that Runpod’s use of personal information is consistent with Runpod’s obligations under the State Privacy Laws.
  7. The parties acknowledge that Runpod’s retention, use and disclosure of personal information by Customer’s instructions documented in the Agreement and DPA are integral to Runpod’s provision of the Services and the business relationship between the Parties.

The Parties acknowledge that Runpod’s Processing of Customer Personal Data authorized by Customer under this DPA is integral to the Services and the business relationship between the Parties.

Security Measures

Action Description Technical & Organizational Measures
Pseudonymization and Anonymization Runpod employs tools to selectively anonymize certain data, which may include Personal Data.
Encryption Encryption is used for data at rest, and this encryption is provided by Amazon Web Services Inc. (“AWS”) and Secure Cloud data centers, approved Sub-Processors ([INSERT]). Runpod also encrypts data in transit.
Confidentiality All Runpod employees are required to sign a confidentiality agreement and accept company policies and procedures upon hire.
Integrity The Services provide administrative controls for Customer to control who can access files within their firm. Runpod does not have these rights.

An access control policy and procedures are in place to review access control lists.

Runpod conducts periodic risk assessments to identify, rank, treat, and manage risks to an acceptable level.
Availability Monitoring is performed through capacity management monitoring solutions.

Quality assurance processes are in place and under regular review, to mitigate against potential downtime.
Resilience of Processing Systems The Services are hosted on AWS platform and Secure Cloud data centers. These hosting platforms are ISO 27001 and SOC 2 Type 2 certified for security, confidentiality, integrity, privacy and availability.
Restoration Backup policy and procedures are in place, with daily automated backup reports to ensure restoration is achievable. Reports are monitored by an operational team.

An Information Security Incident Response Policy & Procedure is in place to address actual and potential Data Breaches.
Auditing/Testing Regular audits and assessments take place for purposes of SOC 2 compliance. In addition, from time to time Runpod engages with a third party, for penetration testing services and vulnerability assessments.
Detection and monitoring Runpod deploys firewalls and threat detection services to monitor, filter, and protect Runpod systems. Security is incorporated into the software development lifecycle and change processes.

Runpod may update or modify these Security Measures, on written notice to Customer, from time to time; provided that such updates and modifications do not decrease the overall security of Customer Personal Data and associated technology and information systems or assets.

Build what’s next.

The most cost-effective platform for building, training, and scaling machine learning models—ready when you are.

Get started ->
Request a demo

You’ve unlocked a
referral bonus!

Sign up today and you’ll get a random credit bonus between $5 and $500 when you spend your first $10 on Runpod.
Claim Your Bonus
We use cookies to provide the content and functionality of this website
Accept
Reject
Cookie Preferences
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cancel
Save