Data Processing Agreement

Last updated: March 21, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Ionhour LLC (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) and governs the processing of personal data by Ionhour on behalf of the Controller.

This DPA applies where and only to the extent that Ionhour processes Personal Data on behalf of the Controller in the course of providing the Service, and such Personal Data is subject to applicable Data Protection Laws including the GDPR, UK GDPR, or CCPA/CPRA.

2. Definitions

  • “Personal Data” — any information relating to an identified or identifiable natural person processed by Ionhour on behalf of the Controller
  • “Data Protection Laws” — GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection legislation
  • “Sub-processor” — any third party engaged by Ionhour to process Personal Data on behalf of the Controller
  • “Security Incident” — any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data
  • “SCCs” — the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914)

3. Scope and Roles

The Controller determines the purposes and means of processing. The Processor processes Personal Data only on documented instructions from the Controller.

  • Categories of data subjects: Controller’s employees, team members, and end users who interact with the Service
  • Types of Personal Data: names, email addresses, phone numbers, IP addresses, browser metadata, workspace configurations, and monitoring signal metadata
  • Processing activities: account management, alert delivery (email, SMS, voice, Slack, webhooks), analytics, and AI-powered workspace queries (if enabled by Controller)

4. Controller Obligations

  • The Controller warrants that it has a lawful basis for the processing of Personal Data under applicable Data Protection Laws
  • The Controller is responsible for the accuracy, quality, and legality of Personal Data provided to Ionhour
  • The Controller shall inform data subjects about the processing in accordance with applicable Data Protection Laws

5. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 7)
  • Assist the Controller in responding to data subject access requests and other rights requests under Data Protection Laws
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
  • Delete or return all Personal Data upon termination of the Service, at the Controller’s election, within 30 days. Ionhour may retain data where required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits in accordance with Section 10

6. Sub-processor Management

The Controller provides general authorisation for Ionhour to engage the sub-processors listed below.

  • Ionhour shall notify the Controller at least 15 days in advance of any intended addition or replacement of a sub-processor
  • The Controller may object to a new sub-processor within 10 days of receiving notice. If the Controller objects on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected Service component.
  • Ionhour shall impose on each sub-processor data protection obligations no less protective than those set out in this DPA
  • Ionhour remains fully liable to the Controller for the performance of each sub-processor’s obligations under this DPA

Current Sub-processors

Ionhour LLC uses the following third-party sub-processors to provide our Service. We will notify customers at least 15 days in advance of any changes to this list.

| Sub-processor | Purpose | Location | Data Processed |
| --- | --- | --- | --- |
| Cloudflare | CDN, DNS, DDoS protection, and traffic optimization | Global (Anycast network) | IP addresses, HTTP request metadata, and traffic data |
| Google Cloud Platform | Cloud infrastructure, hosting, and data processing | United States, European Union, Middle East | All service data including account information, monitoring signals, and workspace configurations |
| Paddle | Merchant of record — payment processing and billing | United Kingdom | Billing information, email address, name, transaction records |
| Postmark | Transactional email delivery | United States | Email addresses, notification content |
| PostHog | Product analytics | European Union | Usage data, anonymised interaction events, session metadata |
| Amazon Web Services (SNS) | SMS alert delivery | European Union (eu-central-1) | Phone numbers, alert notification content |
| Twilio | Voice call alert delivery | United States | Phone numbers, alert notification content |
| OpenRouter | AI query processing for MCP features | United States | Workspace context and queries (only when AI features are enabled by user) |
| Ubicloud | CI/CD pipeline operations | United States | Source code build artifacts (no customer personal data) |

To receive notifications of changes to this list, please contact [email protected].

7. Security Measures

Ionhour implements the following technical and organisational measures to protect Personal Data:

  • Encryption in transit: TLS 1.2 or higher for all data transmissions
  • Encryption at rest: AES-256 encryption for stored data
  • Access control: Role-based access control; production systems restricted to authorised personnel on a need-to-know basis
  • Authentication: Self-hosted Keycloak with industry-standard password hashing; multi-factor authentication for administrative access
  • Network security: Infrastructure hosted on Google Cloud Platform with network isolation between tenants
  • Monitoring: Automated security monitoring and alerting on infrastructure
  • Personnel: All personnel with access to Personal Data are bound by confidentiality agreements
  • Incident response: Documented incident response procedures (see Section 8)
  • Testing: Periodic security reviews and penetration testing
  • Certifications: Ionhour’s infrastructure runs on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and ISO 27017 certifications. Ionhour’s own security practices are subject to continuous improvement. Current compliance reports are available upon request.

8. Security Incident Notification

  • Ionhour shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Security Incident
  • Notification shall include: the nature of the incident, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the incident
  • Ionhour shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident
  • Notification of a Security Incident shall not be construed as an acknowledgement of fault or liability by Ionhour

9. International Data Transfers

Personal Data may be processed in the following Google Cloud Platform regions:

  • United States (us-east-1)
  • European Union (eu-central-1)
  • Middle East (me-central-1)

For transfers of Personal Data from the European Economic Area (EEA) or the United Kingdom to countries that have not received an adequacy decision from the European Commission, the parties agree to the Standard Contractual Clauses (SCCs):

  • Module Two (Controller to Processor) shall apply
  • The governing law of the SCCs shall be the law of Ireland
  • Disputes arising under the SCCs shall be resolved before the courts of Ireland

Google LLC is certified under the EU-US Data Privacy Framework, providing an additional legal basis for transatlantic data transfers.

The UK International Data Transfer Addendum to the EU SCCs shall apply to transfers of Personal Data subject to the UK GDPR.

Ionhour has conducted a Transfer Impact Assessment (TIA) evaluating the legal framework and government access practices in each jurisdiction where Personal Data is processed. This assessment considers the nature of the data, the transfer mechanism in place, and supplementary measures applied. A summary of the current TIA is available upon request by contacting [email protected].

10. Audits

  • The Controller may audit Ionhour’s compliance with this DPA upon 30 days’ written notice, no more than once per calendar year, during normal business hours
  • Where Ionhour holds relevant certifications or audit reports (e.g., SOC 2 Type II), it may provide these in lieu of an on-site audit, provided they reasonably address the Controller’s concerns
  • Costs of audits shall be borne by the Controller unless the audit reveals material non-compliance by Ionhour

11. CCPA/CPRA Specific Terms

For purposes of the California Consumer Privacy Act and the California Privacy Rights Act:

  • Ionhour is a “Service Provider” and the Controller is a “Business” as those terms are defined under the CCPA/CPRA
  • Ionhour shall not sell or share Personal Data
  • Ionhour shall not retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in this DPA and the Terms of Service
  • Ionhour shall not combine Personal Data received from the Controller with personal information received from other sources, except as permitted by the CCPA/CPRA
  • Ionhour certifies that it understands the restrictions in this section and will comply with them

12. Term and Termination

  • This DPA shall remain in effect for the duration of the Service agreement between the parties
  • Obligations relating to data deletion, confidentiality, and security shall survive termination of this DPA
  • Upon termination, Ionhour shall delete or return all Personal Data within 30 days at the Controller’s election, unless retention is required by applicable law

13. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

Nothing in this DPA limits either party’s liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.

14. Contact

For DPA-related enquiries, please contact our privacy team:

  • Email: [email protected]
  • Company: Ionhour LLC
  • Address: 16192 Coastal Highway, Lewes, Delaware 19958