Data Processing Agreement (DPA)

Last updated: February 9, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ReleaseGlow ("Processor") and you, the customer ("Controller"), regarding the processing of personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ReleaseGlow on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Processing" has the meaning set forth in Article 4(2) of the GDPR.
  • "Controller" means the customer who determines the purposes and means of processing Personal Data.
  • "Processor" means ReleaseGlow, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by ReleaseGlow to process Personal Data.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope and Roles

2.1 Controller-Processor Relationship: The parties acknowledge that with regard to the processing of Personal Data, the Controller is the data controller and ReleaseGlow is the data processor.

2.2 Nature and Purpose of Processing: ReleaseGlow will process Personal Data solely for the purpose of providing the Service as described in the Terms of Service, which includes:

  • Storing and displaying changelog entries
  • Delivering in-app announcements to end users
  • Sending email digests to subscribers
  • Processing content through AI services for rewriting and translation
  • Providing analytics and reporting

2.3 Types of Personal Data: Personal Data processed may include email addresses, names, IP addresses, and usage data of the Controller's end users.

2.4 Categories of Data Subjects: Data Subjects include the Controller's customers, employees, and other end users of the Controller's services.

3. Processing Instructions

3.1 Lawful Instructions: ReleaseGlow shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law. The Service itself constitutes the Controller's complete instructions for processing.

3.2 Unlawful Instructions: If ReleaseGlow believes that any instruction from the Controller would violate GDPR or other applicable data protection laws, ReleaseGlow will immediately inform the Controller.

3.3 Controller Obligations: The Controller warrants that it has all necessary rights and consents to provide Personal Data to ReleaseGlow for processing, and that such processing complies with applicable law.

4. Sub-processors

4.1 Authorized Sub-processors: The Controller consents to ReleaseGlow's use of the following Sub-processors:

Sub-processor | Service            | Location
Supabase Inc. | Database & Auth    | USA (AWS)
Stripe, Inc.  | Payment Processing | USA
Anthropic PBC | AI Processing      | USA
Vercel Inc.   | Hosting            | USA
PostHog Inc.  | Analytics          | USA

4.2 New Sub-processors: ReleaseGlow may engage new Sub-processors upon providing at least 30 days' prior written notice to the Controller. The Controller may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying ReleaseGlow within 30 days of notice.

4.3 Sub-processor Obligations: ReleaseGlow will ensure that all Sub-processors are bound by data protection obligations substantially equivalent to those in this DPA.

5. Data Security Measures

5.1 Security Commitments: ReleaseGlow shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms
  • Logging and monitoring of system activity
  • Regular backups with tested restoration procedures
  • Employee security training and confidentiality obligations
  • Physical security measures for data centers (via Sub-processors)
  • Incident response and business continuity procedures

5.2 Confidentiality: ReleaseGlow shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

6. Data Subject Rights Assistance

6.1 Assistance Obligations: Taking into account the nature of the processing, ReleaseGlow shall assist the Controller by implementing appropriate technical and organizational measures to fulfill the Controller's obligation to respond to requests from Data Subjects exercising their rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

6.2 Response Time: ReleaseGlow will respond to Controller requests for assistance within 10 business days. The Controller is responsible for responding to Data Subjects within the timeframes required by GDPR.

6.3 Direct Requests: If ReleaseGlow receives a request directly from a Data Subject, ReleaseGlow will redirect the Data Subject to the Controller and will not respond without the Controller's prior authorization.

7. Data Breach Notification

7.1 Notification Obligation: ReleaseGlow shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's Personal Data.

7.2 Breach Information: The notification shall include, to the extent possible:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Contact point for more information

7.3 Remediation: ReleaseGlow shall take reasonable steps to remediate the breach and prevent future occurrences.

7.4 Controller Notification: The Controller is responsible for notifying relevant supervisory authorities and Data Subjects as required by Articles 33 and 34 of the GDPR.

8. Audit Rights

8.1 Documentation: ReleaseGlow shall make available to the Controller information necessary to demonstrate compliance with this DPA, including:

  • Security certifications and audit reports (SOC 2, ISO 27001, when available)
  • Sub-processor data processing agreements
  • Data security policies and procedures

8.2 Audits: ReleaseGlow shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller, subject to:

  • Reasonable prior written notice (at least 30 days)
  • Maximum of one audit per year (unless required by supervisory authority)
  • Execution of appropriate confidentiality agreements
  • Conduct during normal business hours
  • Reimbursement of ReleaseGlow's reasonable costs

8.3 Limitations: Audits shall not unreasonably interfere with ReleaseGlow's business operations or compromise the security or confidentiality of other customers' data.

9. Data Deletion and Return

9.1 Deletion: Upon termination of the Service, ReleaseGlow shall, at the Controller's choice, delete or return all Personal Data to the Controller within 30 days, unless retention is required by applicable law.

9.2 Certification: Upon request, ReleaseGlow shall provide written certification of deletion or return of Personal Data.

10. International Data Transfers

For transfers of Personal Data from the European Economic Area (EEA) to countries not recognized by the European Commission as providing adequate data protection, ReleaseGlow relies on Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914. The SCCs are incorporated by reference into this DPA.

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. ReleaseGlow shall be liable for the acts and omissions of its Sub-processors to the same extent as if ReleaseGlow performed the services directly.

12. Term and Termination

This DPA takes effect on the date the Controller accepts the Terms of Service and remains in effect until termination of the Service. Sections that by their nature should survive termination (including confidentiality, liability, and data deletion obligations) shall survive termination.

Contact Information

For questions about this DPA or data processing matters, contact:

Email: dpo@releaseglow.com
Data Protection Officer: dpo@releaseglow.com
Website: https://releaseglow.com