Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Metricly ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of the Metricly service ("Services").
This DPA reflects the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and ensures appropriate safeguards for the processing of personal data.
1. Definitions
Terms used in this DPA have the meanings given in GDPR Article 4. Additionally:
- "Customer Data" means any personal data that the Controller submits to the Services or that is processed by the Services on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Customer Data.
- "Data Protection Laws" means GDPR and any applicable national implementing legislation.
2. Scope and Purpose
2.1 Subject Matter
The Processor will process Customer Data solely to provide the Services, which include:
- Connecting to Controller's data warehouse to execute queries
- Processing natural language queries using AI/LLM services
- Rendering dashboards and visualizations
- Storing dashboard configurations and user preferences
2.2 Duration
Processing will continue for the duration of the subscription agreement plus 30 days for data deletion, unless otherwise required by law.
2.3 Nature of Processing
The Processor performs query execution, data transformation, caching (temporary), and visualization rendering. The Processor does not permanently store query results from the Controller's data warehouse.
3. Types of Personal Data
The categories of personal data processed depend on the Controller's configuration:
3.1 Account Data (processed by Metricly)
- User names and email addresses
- Organization names
- Authentication credentials (hashed)
- Usage logs and audit trails
3.2 Customer Business Data (controlled by you)
The Controller determines what data is accessible via their data warehouse connection. This may include personal data if the Controller's semantic layer exposes such data. The Processor processes this data only at query time and does not persistently store query results.
4. Categories of Data Subjects
- Controller's employees and authorized users
- Individuals whose data is included in Controller's data warehouse (as determined by Controller)
5. Processor Obligations
The Processor agrees to:
5.1 Processing Instructions
Process Customer Data only on documented instructions from the Controller, including transfers to third countries, unless required by law. The Processor will inform the Controller of any legal requirement before processing, unless prohibited by law.
5.2 Confidentiality
Ensure that persons authorized to process Customer Data are bound by confidentiality obligations.
5.3 Security Measures
Implement appropriate technical and organizational measures to ensure security, including:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest (AES-256)
- Access controls and authentication
- Regular security testing
- Incident response procedures
5.4 Sub-processors
The Controller authorizes the Processor to engage Sub-processors listed at metricly.xyz/sub-processors. The Processor will:
- Maintain an up-to-date list of Sub-processors
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for Sub-processor compliance
- Notify Controller of new Sub-processors with reasonable advance notice
5.5 Data Subject Rights
Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection), taking into account the nature of processing.
5.6 Security Incident Notification
Notify the Controller without undue delay (and within 48 hours where feasible) upon becoming aware of a personal data breach affecting Customer Data. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
5.7 Audit Rights
Make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits. The Processor may satisfy audit requests through:
- Third-party audit reports (SOC 2, ISO 27001 when available)
- Completion of security questionnaires
- On-site audits (with reasonable notice and at Controller's expense)
6. Data Transfers
The Processor primarily stores data in the European Union (Google Cloud europe-west1 region). Where data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards through:
- EU Standard Contractual Clauses
- Adequacy decisions where applicable
- Binding corporate rules of Sub-processors
7. Data Deletion
Upon termination of the Services, the Processor will, at the Controller's choice:
- Return all Customer Data in a standard format, and/or
- Delete all Customer Data within 30 days
The Processor may retain data where required by applicable law, in which case it will inform the Controller of such requirement.
8. Liability
Each party's liability under this DPA is subject to the limitations set forth in the main service agreement. The Processor is liable for damages caused by processing that violates this DPA or GDPR.
9. Term
This DPA is effective from the date the Controller begins using the Services and continues until all Customer Data is deleted or returned.
10. Contact
For questions about this DPA or to exercise rights under it, contact us at privacy@metricly.xyz.
Download
Need a signed copy? Contact us at legal@metricly.xyz to request an executable version of this DPA.