Data Processing Agreement
Last updated: April 2026
Need a signed copy for your records? Email legal@rackvio.com and we will return a countersigned PDF within 5 business days.
1. Definitions
Capitalized terms used in this Data Processing Agreement ("DPA") have the meanings given to them in the applicable data protection law, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA"). "Customer" means the entity that has entered into a subscription agreement with Rackvio. "Rackvio" means CalRen Solutions LLC, a Pennsylvania limited liability company trading as Rackvio.
2. Roles of the Parties
For purposes of this DPA, Customer is the Controller of Customer Personal Data and Rackvio is the Processor acting on Customer's documented instructions. To the extent Rackvio is deemed a Business under the CCPA, Customer is the relevant Business instructing Rackvio as its Service Provider.
3. Subject Matter, Duration, and Nature
The subject matter of the processing is the provision of the Rackvio Services — a cloud-based data center infrastructure management (DCIM) platform. The duration is the term of the Customer's subscription, plus the retention periods described in Section 10 (Deletion and Return). The nature and purpose of the processing is to host, store, and display asset inventory, user accounts, billing metadata, and operational telemetry that Customer imports into or generates through the Services.
4. Categories of Data Subjects and Personal Data
Data subjects are Customer's employees, contractors, and end-users whose personal data Customer chooses to upload to the Services. Categories of personal data may include:
- Names, work email addresses, and job titles of Customer users;
- Authentication metadata (password hashes, SSO identifiers, session timestamps);
- Billing metadata (company name, billing address, tax identifier) — processed on Customer's behalf by Stripe;
- IP addresses, user-agent strings, and access logs retained for security and audit purposes.
Rackvio does not collect special categories of personal data (health, biometric, genetic, political opinions, religious beliefs, or sexual orientation) through the Services.
5. Rights and Obligations of the Parties
Rackvio will:
- Process Customer Personal Data only on documented instructions from Customer, including as documented in the applicable subscription agreement and this DPA;
- Ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations;
- Assist Customer in responding to data subject rights requests and in complying with security, breach notification, and impact-assessment obligations;
- Make available to Customer the information necessary to demonstrate compliance with this DPA.
Customer is responsible for the lawfulness of the personal data it uploads and for providing any notices and obtaining any consents required for Rackvio to process the data on its behalf.
6. International Transfers
Rackvio hosts the Services on Amazon Web Services infrastructure located in the United States. Where Customer Personal Data originates from the European Economic Area, the United Kingdom, or Switzerland, transfers are covered by the European Commission's 2021 Standard Contractual Clauses (Module Two — Controller to Processor), incorporated by reference into this DPA, with the UK International Data Transfer Addendum and applicable country variations as required.
7. Sub-processors
Customer authorizes Rackvio to engage the following sub-processors in support of the Services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting, storage, backups | United States |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Cloudflare, Inc. | CDN, DDoS protection, Turnstile bot-protection challenge | Global edge |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | United States |
| Anthropic, PBC | AI assistant and photo-based extraction (engaged only when Customer uses these optional features) | United States |
Rackvio will give Customer at least 30 days' notice of any new sub-processor. Customer may object to a new sub-processor on reasonable data-protection grounds, in which case Rackvio will work with Customer in good faith to find a commercially reasonable resolution.
8. Security Measures
Rackvio maintains appropriate technical and organizational measures to protect Customer Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 for data stored in Amazon Aurora and S3);
- Row-level security (RLS) database isolation between tenant organizations;
- Role-based access controls, least-privilege service accounts, and federated identity for operator access to production;
- Centralized log aggregation, continuous security monitoring, and vulnerability scanning of application dependencies;
- Documented incident response and business continuity procedures, with regular backup testing.
9. Personal Data Breach Notification
Rackvio will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of records affected where known, the likely consequences, and the measures taken or proposed to address the breach.
10. Deletion and Return of Personal Data
Upon termination of the Services, Customer may export all Customer Personal Data via the in-product CSV export pipeline for a period of 30 days after the termination effective date. Thereafter, Rackvio will delete Customer Personal Data from production systems within 30 additional days and purge it from backup systems within 90 days, subject to retention required by applicable law.
The cloud trial lifecycle is governed by the retention schedule described in the Privacy Policy at /privacy.
11. Audit Rights
Rackvio will make available to Customer, upon reasonable written request and no more than once per year (except following a Personal Data Breach or as required by a supervisory authority), documentation sufficient to demonstrate compliance with this DPA. Rackvio may satisfy audit requests through then-current third-party certifications (such as SOC 2 attestations) once available. On-site audits are conducted only during business hours, with reasonable notice, and under a non-disclosure agreement.
12. Order of Precedence; Conflict
This DPA is incorporated into and forms part of the subscription agreement between Rackvio and Customer. In the event of a conflict between this DPA and the subscription agreement, this DPA prevails with respect to processing of Customer Personal Data. The Standard Contractual Clauses prevail over this DPA where applicable.
13. Contact
Questions about this DPA or requests for a countersigned copy should be directed to legal@rackvio.com. Data subject rights requests should be made to Customer (the Controller); Rackvio will forward any requests received directly from data subjects to the applicable Customer without undue delay.