DashboardSign inStart your trial

Data Processing Agreement

Last updated:

Introduction

This Data Processing Agreement ("DPA") forms part of the Rills Terms of Service between Rills AI, LLC, a Delaware limited liability company with its registered address at 131 Continental Dr, Suite 305, Newark, DE 19713, United States ("Rills"), and the customer that has agreed to the Terms ("Customer").

This DPA applies whenever and to the extent Rills processes personal data on Customer's behalf in the course of providing the Service, and that processing is subject to Data Protection Laws. It is incorporated into the Terms automatically — no signature is required for it to take effect. If Customer's procurement or compliance process requires a countersigned copy, email privacy@rills.ai and we will return an executed copy of this DPA.

If there is a conflict between this DPA and the Terms with respect to the processing of personal data, this DPA controls. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.

Definitions

  • "Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the GDPR as incorporated into United Kingdom law ("UK GDPR"), and the Swiss Federal Act on Data Protection ("FADP"), in each case as amended from time to time.
  • "Customer Data" means personal data that Customer, or anyone acting on its behalf, submits to or routes through the Service — for example contact records, workflow trigger data, message content, and table rows.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.
  • "Subprocessor" means a third party engaged by Rills to process Customer Data on Rills's behalf.
  • The terms "personal data", "controller", "processor", "data subject", "processing", and "personal data breach" have the meanings given in the GDPR.

Roles of the Parties

For Customer Data, Customer is the controller (or a processor acting on behalf of another controller) and Rills is the processor. Customer is responsible for having a lawful basis for the Customer Data it processes through the Service and for the accuracy and lawfulness of its processing instructions.

Rills acts as an independent controller for the personal data described in our Privacy Policy — account registration details, billing records, support communications, and site and product analytics. That processing is governed by the Privacy Policy, not this DPA.

Details of Processing

  • Subject matter: the provision of the Rills workflow automation and approval platform described in the Terms.
  • Duration: the term of the Terms, plus the deletion period described in Deletion & Return.
  • Nature and purpose: storing, organizing, and transmitting Customer Data as needed to execute Customer's workflows; presenting proposed actions for human approval; recording approval decisions; processing Customer Data with the AI models Customer selects; and providing related features such as tables, run history, and workflow optimization.
  • Categories of data subjects: individuals whose personal data Customer routes through the Service, such as Customer's prospects, customers, contacts, employees, and other business partners.
  • Categories of personal data: identification and contact data (names, email addresses, phone numbers, employers, job titles), business and CRM records, communication content, and any other personal data Customer chooses to include in its workflows and tables.
  • Special categories: the Service is not designed for special categories of personal data (Article 9 GDPR), and Customer agrees not to submit them.

Processing Instructions

Rills processes Customer Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to Rills — in which case Rills will inform Customer of that legal requirement before processing, unless the law prohibits doing so.

Customer's instructions are: the Terms, this DPA, and the configuration choices Customer makes in the Service — the workflows Customer builds, the integrations it connects, the AI models it selects, and the approval thresholds it sets. Rills will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

Confidentiality

Rills ensures that every person it authorizes to process Customer Data is bound by a contractual or statutory obligation of confidentiality, and that access to Customer Data is limited to what each person needs to operate, support, and secure the Service.

Security Measures

Rills implements and maintains appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art and the nature of the data. These measures include:

  • Encryption in transit: all traffic between clients and the Service, and between the Service and third-party providers, is encrypted with HTTPS/TLS.
  • Encryption at rest: database storage is encrypted with AES-256. Stored credentials and API keys receive an additional layer of application-level AES-256-GCM encryption with versioned, rotatable keys, and are decrypted only at the moment of use.
  • Tenant isolation: every record is scoped to a workspace, and Row-Level Security policies are enforced at the database layer in addition to application-level checks.
  • Sandboxed code execution: customer-authored code runs in isolated sandbox environments with memory, time, and network restrictions, and no persistent state between executions.
  • Access controls: authentication with securely hashed credentials, httpOnly session cookies, scoped API keys, and workspace-scoped service identities for automated access.
  • Auditability: approval decisions and access to stored secrets are recorded in audit logs.

A fuller description of our security program is published on the Security page, which is incorporated into this DPA as its description of technical and organizational measures. Rills will assist Customer, to a reasonable extent and taking the nature of the processing into account, in meeting Customer's own obligations under Articles 32 to 36 GDPR.

Subprocessors

Customer grants Rills general authorization to engage Subprocessors to provide the Service. The current list of Subprocessors, including each provider's function and location, is published at rills.ai/subprocessors.

Before a new Subprocessor begins processing Customer Data, Rills will update that list and notify workspace owners by email at least 30 days in advance. Customer may object to a new Subprocessor on reasonable data protection grounds within that notice period by emailing privacy@rills.ai. The parties will then work together in good faith to find a resolution; if none is available, Customer may terminate the Terms and receive a pro-rata refund of any prepaid, unused fees.

Rills imposes data protection obligations on each Subprocessor that are materially equivalent to those in this DPA, and remains responsible to Customer for each Subprocessor's performance of them.

Data Subject Requests

Taking the nature of the processing into account, Rills will assist Customer through appropriate technical and organizational measures in fulfilling Customer's obligation to respond to data subject requests — access, rectification, erasure, restriction, portability, and objection. Much of this is self-serve: Customer can view, correct, export, and delete Customer Data directly in the Service.

If a data subject contacts Rills directly about Customer Data, Rills will not respond substantively (except to direct them to Customer) and will forward the request to Customer without undue delay.

Breach Notification

Rills will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate volume of data and data subjects concerned, the likely consequences, and the measures taken or proposed to address it. Rills will provide reasonable assistance with Customer's own notification obligations under Articles 33 and 34 GDPR.

International Transfers

Rills processes Customer Data in the United States. Where Customer Data protected by the GDPR is transferred to Rills in the United States, the SCCs are incorporated into this DPA and apply as follows: Module Two (controller to processor) applies, with Customer as data exporter and Rills as data importer; Clause 7 (docking) is not included; under Clause 9, Option 2 (general written authorisation) applies with the 30-day notice period described in Subprocessors; the optional language in Clause 11 is not included; under Clause 17, the SCCs are governed by the law of Ireland; and under Clause 18, disputes are resolved before the courts of Ireland.

Annex I of the SCCs is completed by the Details of Processing section and the parties' details in the Introduction; Annex II is completed by the Security Measures section; Annex III is the Subprocessor list.

For transfers subject to the UK GDPR, the UK Addendum is incorporated and amends the SCCs as set out in its mandatory clauses. For transfers subject to the Swiss FADP, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner: references to the GDPR are read as references to the FADP, the competent supervisory authority is the FDPIC, and data subjects in Switzerland may enforce their rights in Switzerland.

Audits

Rills will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including responses to written security questionnaires and copies of relevant documentation. Where Data Protection Laws grant Customer an audit right that cannot be satisfied this way, Customer may conduct an audit no more than once in any 12-month period, on at least 30 days' written notice, during normal business hours, at Customer's expense, and in a manner that does not access other customers' data or disrupt the Service.

Deletion & Return

Customer can export Customer Data from the Service at any time during the term. Upon termination or expiry of the Terms, Rills will delete Customer Data within 30 days, unless applicable law requires continued storage — in which case Rills will protect the retained data as required by this DPA and delete it once the legal requirement ends. Residual copies in encrypted backups are purged in the ordinary course of the backup cycle.

Liability

Each party's liability arising out of or related to this DPA, including the SCCs, is subject to the exclusions and limitations of liability in the Terms. Nothing in this section limits a data subject's rights under the SCCs or Data Protection Laws.

Changes to This DPA

Rills may update this DPA from time to time, for example to reflect changes in Data Protection Laws or in approved transfer mechanisms. Updates will not materially reduce the protections in this DPA. If a change is material, we will notify Customer by email or in-app notice before it takes effect, as described in the Terms.

Contact

Questions about this DPA, requests for a countersigned copy, and Subprocessor objections all go to privacy@rills.ai. You can also write to Rills AI, LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, United States.