Data Processing Addendum
RunLLM Inc. (d/b/a Herald)
This Data Processing Addendum (“DPA”) establishes terms for processing personal data on behalf of customers and is incorporated into the Agreement between RunLLM Inc. (d/b/a Herald) (“Company”) and the Customer.
Parties:
- Company: RunLLM Inc. (d/b/a Herald), 16 N San Mateo Drive, San Mateo, CA 94401
- Customer: As defined in the executed Agreement
1. Definitions
1.1 Authorized Affiliate
Any entity that directly or indirectly controls, is controlled by, or shares common control with the subject entity, where control means the capacity to direct the entity’s operations through voting securities, contract, or other means.
1.2 Applicable Data Protection Laws
Privacy, data protection, and data security regulations across all applicable jurisdictions, including European Data Protection Laws, UK GDPR, and U.S. regulations including the CCPA.
1.3 CCPA
The California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020, including all amendments and regulations promulgated thereunder.
1.4 EEA
The European Economic Area.
1.5 European Data Protection Laws
GDPR and other data protection regulations across the EEA, European Union, and Member States, insofar as they apply to Processing under the Agreement.
1.6 GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April governing personal data protection and free movement of such data.
1.7 Information Security Incident
A confirmed breach causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Company’s possession. Unsuccessful attempts (failed logins, pings, port scans, denial of service attacks, network attacks on firewalls) are excluded.
1.8 Personal Data
Customer Data constituting personal data, personal information, or personally identifiable information under Applicable Data Protection Laws, provided such data is electronic information submitted by or for Customer to the Services.
1.9 Public Authority
Government agencies, law enforcement authorities, and judicial authorities.
1.10 Processing / Process
Any operation performed on Personal Data or sets of Personal Data, automated or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.11 Security Measures
Administrative, technical, and physical safeguards implemented and maintained by Company to protect Personal Data security and integrity and prevent Information Security Incidents, as described in Schedule 2 Annex III and required by Applicable Data Protection Laws.
1.12 Standard Contractual Clauses
Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, approved by European Commission Implementing Decision (EU) 2021/914 of June 4, 2021.
1.13 Subprocessors
Third-party processors engaged by Company to Process Personal Data in relation to the Services.
1.14 UK GDPR
GDPR saved into United Kingdom law by the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
2. Duration and Scope of DPA
This DPA remains effective during Company’s Processing of Personal Data, regardless of Agreement expiration or termination.
- Schedules 1 and 2: Apply to Processing subject to European Data Protection Laws
- Schedule 3: Applies to Processing subject to UK GDPR
- Schedule 4: Applies to Processing subject to CCPA where Customer qualifies as a “business”
3. Customer Instructions
Company shall Process Personal Data only according to Customer’s instructions. This DPA and Agreement constitute the complete documented instructions at signature. Additional instructions require written amendment signed by both parties.
Company shall inform Customer immediately if:
(a) An instruction appears to breach any Applicable Data Protection Laws
(b) Company is unable to follow the instruction
(c) Company has reason to believe changes in Applicable Data Protection Laws conflict with instructions or DPA terms
4. Security of Personal Data
4.1 Company Security Measures
Company may update Security Measures provided updated measures do not materially decrease overall Personal Data protection.
4.2 Information Security Incidents
Company shall notify Customer without undue delay upon awareness of any Information Security Incident. Notifications shall describe available details, mitigation steps taken, and recommended Customer actions. Notification shall not constitute Company admission of fault or liability.
4.3 Audits of Compliance & DPIAs
4.3.1 Audit Requirements
Customer may audit Company compliance only if required by European Data Protection Laws or mandated by Customer’s supervisory authority, at Customer’s sole cost, with minimum 15 days advance written notice. Audits must occur at Company’s principal place of business during regular business hours without unreasonably interfering with Company operations.
4.3.2 Company Cooperation
Company shall provide Customer or Customer’s supervisory authority information and assistance reasonably necessary for audit conduct. If a third party conducts the audit, Company may object if the auditor is, in Company’s reasonable opinion, not independent, a competitor, or manifestly unsuitable. Such objection requires Customer to appoint another auditor or conduct the audit itself.
4.3.3 Third-Party Audit Reports
If controls assessed in a requested audit are addressed in a Company SOC 2 Type 2 or similar audit report performed by a qualified third-party auditor within twelve (12) months of the audit request, and Company confirms no known material changes since the report date, Customer may accept such report instead of requesting an audit.
4.3.4 Audit Reimbursement
Customer shall reimburse Company for time expended by Company and third parties in audits/inspections at Company’s then-current professional services rates. Customer bears responsibility for any auditor fees.
4.4 Data Protection Impact Assessments (DPIAs)
Upon written request, Company shall provide reasonable cooperation and assistance needed for Customer’s DPIA obligations under Applicable Data Protection Laws, to the extent Customer lacks access to relevant information and such information is available to Company.
5. Customer’s Responsibilities
5.1 Customer Obligations
Customer bears sole responsibility for accuracy, quality, and legality of Personal Data and its acquisition means. Customer acknowledges its Services use shall not violate data subject rights, including opt-out preferences, under Applicable Data Protection Laws.
Without limiting Agreement obligations, Customer:
(a) Bears sole responsibility for Services use, including:
- Appropriate Services use ensuring security levels matching Personal Data risk
- Securing account authentication credentials, systems, and devices used to access Services
- Securing Customer systems and devices Company uses for Services provision
- Backing up Personal Data
(b) Has provided all notices to and obtained all consents from individuals to whom Personal Data pertains and other required parties for Company’s Processing as contemplated by the Agreement.
5.2 Prohibited Data
Customer represents and warrants that Customer Data shall not contain, without Company’s prior written consent:
- Social security numbers or government-issued identification numbers
- Protected health information subject to HIPAA or medical history/condition/treatment information
- Health insurance information
- Biometric information
- Online account passwords
- Financial account credentials
- Tax return data
- Credit reports or consumer reports
- Payment card information subject to PCI DSS
- Information subject to the Gramm-Leach-Bliley Act or Fair Credit Reporting Act
- Information subject to Applicable Data Protection Laws restrictions on children’s data, including all information about children under 16 years of age
- Information falling within GDPR special categories of data
6. Compliance with Laws & Data Subject Rights
6.1 Compliance with Laws
Each party shall comply with all Applicable Data Protection Laws. Customer shall comply as controller (or on controller’s behalf); Company shall comply as processor.
6.2 Personal Data Disclosures & Government Requests
Company shall not disclose Personal Data to third parties, including Public Authorities, except:
(i) As permitted under the Agreement, including this DPA; or
(ii) As necessary to comply with Applicable Data Protection Laws or valid and binding Public Authority court orders (e.g., law enforcement subpoenas)
If Company receives a binding order from a Public Authority requesting Personal Data access or disclosure, Company shall notify Customer unless legally prohibited.
6.3 Data Subject Request Assistance
Company shall provide Customer assistance reasonably necessary for Customer’s Applicable Data Protection Laws obligations to fulfill Data Subject Requests. Where permitted, Customer shall compensate Company for such assistance at Company’s then-current professional services rates.
6.4 Customer’s Responsibility for Requests
Company shall not respond to Data Subject Requests independently, except where Customer authorizes Company to redirect requests enabling Customer’s direct response. If Company receives a Data Subject Request, Company shall advise the data subject to submit to Customer, and Customer bears response responsibility.
7. European & UK Data Protection Laws Specific Provisions
7.1 GDPR
Company shall Process Personal Data according to GDPR provisions directly applicable to Company’s Services provision as provided in Schedules 1 and 2.
7.2 UK GDPR
Company shall Process Personal Data according to UK GDPR provisions directly applicable to Company’s Services provision as provided in Schedule 3.
8. Subprocessors
8.1 Consent to Subprocessor Engagement
Customer authorizes the following to Process Personal Data:
(i) Company’s Affiliates
(ii) Subprocessors listed in Schedule 2 Annex III (available at runllm.com/subprocessors)
8.2 Requirements for Subprocessor Engagement
When engaging any Subprocessor, Company shall execute a written contract containing data protection obligations no less protective than this DPA. Company bears liability for all Agreement obligations subcontracted to the Subprocessor or resulting from its actions or omissions.
8.3 Subprocessor Changes
When Company engages new Subprocessors post-Effective Date, Company shall update the Subprocessor list and notify Customer including the Subprocessor’s name, location, and activities. This section does not apply to GDPR, which is governed by Standard Contractual Clauses requirements in Schedule 1.
8.4 Opportunity to Object to Subprocessor Changes
If Customer objects in writing to a new Subprocessor engagement on reasonable Personal Data protection grounds, Customer and Company shall work in good faith toward a resolution. If unresolved within a reasonable timeframe, Customer’s sole and exclusive remedy is termination of the Agreement via written notice.
9. Miscellaneous
Except as expressly modified by this DPA, Agreement terms remain fully effective. In conflicts between this DPA and other Agreement terms, this DPA governs. The parties acknowledge Company’s Personal Data access does not constitute part of consideration exchanged. Notices required or permitted under this DPA may be given: (a) per Agreement notice clauses; (b) to Company’s primary Customer contact points; or (c) to Customer-provided email addresses for Services communications. Customer bears responsibility for ensuring email address validity.
Schedule 1: Transfer Mechanisms for Standard Contractual Clauses Data Transfers
1. Definitions
EU C-to-P Transfer Clauses: Standard Contractual Clauses sections I, II, III, and IV referencing Module Two (Controller-to-Processor).
EU P-to-P Transfer Clauses: Standard Contractual Clauses sections I, II, III, and IV referencing Module Three (Processor-to-Processor).
2. International Transfer Mechanisms
If Personal Data subject to GDPR or European Data Protection Laws is transferred to countries lacking adequate data protection per European Data Protection Laws standards, the following transfer mechanisms apply and are directly enforceable:
2.1 EU C-to-P Transfer Clauses: Where Customer and/or its Authorized Affiliate is a Controller/data exporter and Company is a Processor/data importer, parties shall comply with EU C-to-P Transfer Clauses.
2.2 EU P-to-P Transfer Clauses: Where Customer and/or its Authorized Affiliate is a Processor/data exporter acting on a Controller’s behalf and Company is a Processor/data importer, parties shall comply with EU P-to-P Transfer Clauses.
3. Roles
For EU C-to-P and EU P-to-P Transfer Clauses purposes, Customer is the data exporter and Company is the data importer. If an Authorized Affiliate relies on either Clauses set, references to Customer include such Authorized Affiliate.
4. Standard Contractual Clauses Operative Provisions and Additional Terms
4.1 Reference: Standard Contractual Clauses relevant provisions are incorporated by reference. Required Annex information appears in Schedule 2.
4.2 Docking Clause: Clause 7 option shall not apply.
4.3 Instructions: This DPA and Agreement constitute Customer’s complete final documented Processing instructions. Any additional instructions must align with DPA and Agreement terms.
4.4 Certification of Deletion: Personal Data deletion certification shall be provided by Company to Customer only upon written request.
4.5 Security of Processing: Customer bears sole responsibility for determining whether Company’s technical and organizational measures satisfy Customer requirements.
4.6 Audits: Audits shall proceed per Section 4.3 DPA procedures.
4.7 General Authorization for Subprocessor Use: The data importer has general authorization for Subprocessor engagement from Schedule 2 Annex III listed entities. Company shall inform the data exporter in writing of intended changes to that list.
4.8 Notification of New Subprocessors: Customer expressly agrees Company may engage new Subprocessors per Section 4.7 above. Customer may object per DPA Section 8.4.
4.9 Redress: Clause 11 option shall not apply. Company shall inform Customer upon Data Subject Request receipt and communicate complaints to Customer without undue delay.
4.10 Liability: Company’s liability shall be limited to damage caused by Processing that does not comply with GDPR obligations specifically directed at Processors, or where Company acted outside or contrary to lawful Customer instructions.
4.11 Supervision: The competent supervisory authority is determined as follows:
- Where Customer is established in an EU Member State: the supervisory authority with Customer compliance responsibility
- Where Customer is not EU-established but within GDPR scope with an Article 27 representative: the Member State supervisory authority where the representative is established
- Where Customer is established in the United Kingdom: the Information Commissioner’s Office
4.12 Notification of Government Access Requests: Company shall notify Customer only (not Data Subjects) regarding government access requests. Customer bears sole responsibility for notifying Data Subjects as necessary.
4.13 Governing Law: The governing law under Clause 17 shall be the law designated in the Agreement. If that is not the law of an EU Member State, the Standard Contractual Clauses shall be governed by the law of Ireland, or by the law of the United Kingdom where the Agreement designates the United Kingdom.
4.14 Choice of Forum and Jurisdiction: If the Agreement does not designate the courts of an EU Member State, the parties agree that the courts of Ireland (or the courts of the United Kingdom, where applicable) shall have exclusive jurisdiction over disputes arising from the Standard Contractual Clauses.
4.15 Conflict: Upon conflict between this DPA body and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
5. Additional Terms for EU P-to-P Transfer Clauses
5.1 Instructions: Customer warrants its Processing instructions were authorized by the relevant Controller and bears sole responsibility for forwarding Company notifications to the relevant Controller.
5.2 Security of Processing: Company shall notify Customer of Information Security Incidents concerning Company-Processed Personal Data.
5.3 Documentation and Compliance: All relevant Controller inquiries shall be provided to Company via Customer.
5.4 Data Subject Rights: Company shall notify Customer regarding direct Data Subject requests but shall not notify the relevant Controller. Customer bears sole responsibility for cooperating with the relevant Controller to fulfill response obligations.
Schedule 2: Annexes I–III to the Standard Contractual Clauses
Annex I: List of Parties and Description of Transfer
Data Exporter: Customer, as defined in the order form
Data Importer: RunLLM Inc. (d/b/a Herald)
| Field | Details |
|---|---|
| Categories of data subjects | Customer, its employees, and its customers |
| Categories of personal data | Contact information of employees and customers |
| Sensitive data | None expected; if transferred, subject to DPA restrictions |
| Frequency of transfer | Continuous, as determined by the controller |
| Nature of processing | Analysis and processing of provided data (including by third-party generative AI services) for the purpose of providing advanced technical support |
| Purpose of transfer | To provide the Services to the controller as required under the Agreement |
| Retention period | For the Agreement term, or per criteria determining retention period |
| Subprocessor transfers | For the Agreement term, subject to the subject-matter, nature, and duration of processing |
Competent Supervisory Authority: As identified in Schedule 1 Section 4.11.
Annex II: Technical and Organisational Measures
Company processes all Personal Data received under this DPA in conformity with the following technical and organizational measures:
| Measure | Evidence |
|---|---|
| Pseudonymisation and encryption | All data encrypted in transit using TLS 1.2; Personal Data encrypted at rest using 256-bit encryption; all datastores configured per industry-recognized system-hardening standards |
| Confidentiality, integrity, availability, and resilience | Formal security event handling procedure; post-mortem analysis after incidents; reliance on Google Cloud Platform with globally redundant services; dynamic infrastructure scaling; all infrastructure components designed for high availability; deleted Customer Data removed per NIST SP 800-88 Rev 1 |
| Regular testing and assessment | Regular security systems testing; minimum annual application vulnerability scans; minimum annual independent third-party penetration tests |
| User identification and authorization | Single Sign-On (SSO); MFA protecting all Customer Data-processing system access; least-privilege access; quarterly minimum access list reviews; strong password requirements (minimum 10 characters) |
| Data protection during transmission | All data encrypted in transit; all services run in cloud; servers within VPC with network ACLs |
| Data protection during storage | Network firewall; anti-malware software; endpoint security; system input logging; Access Control Lists; MFA |
| Physical security | Services hosted in GCP facilities per GCP security protocols; access restricted to approved personnel |
| System configuration | Continuous automation for application and OS deployment; integration and unit testing on every build |
| Data minimization | Data collection limited to Processing purposes; least-privilege access |
| Data quality | Process enabling data subjects to exercise privacy rights including amendment and update rights |
| Accountability | Implemented data protection policies; relevant codes of conduct adherence |
| Incident response | Formal security event procedure; escalation to emergency alias; post-mortem analysis; written notification upon verified security breach affecting Customer data |
| Build process automation | Functioning automation for safe and reliable change rollout within minutes; dozens of weekly code deployments |
| Authentication | 100% HTTPS; two-factor authentication and strong password policies on all cloud services |
| Application monitoring | Application-level audit logs for all activity; all Company application access logged and audited |
Annex III: List of Sub-Processors
The Controller has authorized use of the Subprocessors listed at runllm.com/subprocessors.
Schedule 3: Transfer Mechanisms for UK GDPR
1. Definitions
UK GDPR IDTA: “International Data Transfer Agreement” issued pursuant to Data Protection Act 2018 Section 119A.
UK Addendum: “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” issued pursuant to Data Protection Act 2018 Section 119A.
2. International Transfer Mechanisms
If Personal Data subject to UK GDPR is transferred out of the United Kingdom to countries lacking adequate data protection, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and are directly enforceable by the Parties.
3. Appendix Information
Annexes I through III set forth in Schedule 2 contain the Appendix Information for the UK GDPR IDTA and UK Addendum and are incorporated therein by reference.
Schedule 4: United States Schedule
1. Purpose Limitation
The parties acknowledge Customer discloses Personal Data to Company for limited specified purposes set forth in the Agreement and DPA, and as Customer instructs.
2. Right to Stop and Remediate Unauthorized Use
Customer shall have the right to take reasonable and appropriate steps designed to stop and remediate unauthorized Personal Data use.
3. Prohibited Retention, Use, Disclosure, Sale, or Sharing
Company shall not retain, use, disclose, sell, or share Personal Data other than for providing Services per Customer’s documented instructions. Company shall not combine Personal Data with information from other entities except to perform Services purposes per Customer’s documented instructions. Company shall inform Customer if it determines it is unable to meet CCPA obligations.
4. Business Purpose and Retention Authorization
The parties acknowledge Company’s Personal Data retention, use, and disclosure authorized by Customer’s documented DPA instructions are integral to Company’s Services provision and the business relationship.