Legal
Data Processing Agreement
This Data Processing Agreement (DPA) governs how TerraBog processes personal data on behalf of our customers under GDPR, CCPA, and other applicable data protection regulations. Last updated: January 15, 2026.
Sections
This Data Processing Agreement ("DPA") is incorporated into and forms part of the TerraBog Terms of Service or other agreement between TerraBog Analytics, Inc. and Customer governing Customer's use of the Service ("Agreement"). In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the processing of personal data.
Definitions
Controller
"Controller" means the entity that determines the purposes and means of the processing of personal data. In the context of this DPA, the Customer is the Controller of Customer Personal Data.
Processor
"Processor" means the entity that processes personal data on behalf of the Controller. TerraBog acts as a Processor when processing Customer Personal Data as part of delivering the Service.
Customer Personal Data
"Customer Personal Data" means any personal data that is contained within or ingested through the TerraBog platform by the Customer or its authorized users.
Sub-processor
"Sub-processor" means any third-party processor engaged by TerraBog to assist in fulfilling its obligations under this DPA, with access to Customer Personal Data.
Data Protection Law
"Data Protection Law" means all applicable privacy and data protection legislation including the GDPR, UK GDPR, California Consumer Privacy Act (CCPA), and their implementing regulations.
Processing of Customer Personal Data
Instructions
TerraBog will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization. The Customer's use of the Service constitutes documented instructions.
Confidentiality
TerraBog will ensure that personnel authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality with respect to that data.
Purpose limitation
TerraBog will not use Customer Personal Data for any purpose other than providing the Service, unless required by applicable law.
Notification of legal requirements
TerraBog will promptly notify the Customer if it becomes aware of any legal requirement that would prevent it from complying with the Customer's processing instructions, unless prohibited from doing so by law.
Security Measures
Technical measures
TerraBog implements and maintains the following technical security measures: AES-256-GCM encryption at rest, TLS 1.3+ encryption in transit, multi-factor authentication for all internal systems, automatic key rotation via AWS KMS, and network segmentation with VPC isolation.
Organizational measures
TerraBog maintains security policies covering access control, incident response, business continuity, and personnel security. All employees with access to Customer Personal Data complete mandatory annual security training.
Security review
TerraBog undergoes annual penetration testing by accredited third-party security firms and maintains SOC 2 Type II certification. Copies of certification reports are available to Enterprise customers under NDA.
Breach notification
In the event of a confirmed personal data breach, TerraBog will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach, providing sufficient information to allow the Customer to meet its own notification obligations.
Sub-processors
Authorization
The Customer provides general authorization to TerraBog to engage sub-processors for the provision of the Service. TerraBog will impose data protection obligations on each sub-processor equivalent to those set out in this DPA.
Change notification
TerraBog maintains a current list of sub-processors and will notify the Customer via email or in-product notification of any addition or replacement of sub-processors at least 30 days in advance. The Customer may object to any change, with TerraBog using reasonable efforts to accommodate the objection.
Current sub-processors
TerraBog's primary sub-processors include Amazon Web Services (infrastructure), Stripe (payment processing), Zendesk (customer support), Datadog (monitoring), and Sendgrid (transactional email). A complete, up-to-date list is available at terrabog.com/legal/sub-processors.
International Data Transfers
Data residency
By default, Customer Personal Data is processed in AWS regions in the United States. Enterprise customers may elect to restrict processing to AWS EU (Frankfurt) or AWS APAC (Singapore) regions.
Transfer mechanisms
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, TerraBog relies on the EU Standard Contractual Clauses (SCCs) in the form approved by the European Commission, incorporated into this DPA by reference.
Supplementary measures
TerraBog has conducted transfer impact assessments for all third-country transfers and has implemented the supplementary technical and organizational measures described in Annex III of this DPA.
Data Subject Rights
Assistance
TerraBog will provide reasonable assistance to the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Law, taking into account the nature of the processing.
Notification
If TerraBog receives a data subject request that relates to Customer Personal Data, it will promptly notify the Customer and refer the data subject to the Customer without responding to the request directly.
Deletion
Upon termination of the Service or upon request, TerraBog will delete or return all Customer Personal Data in its possession, unless applicable law requires TerraBog to retain the data.
Need a countersigned DPA for your procurement?
Our legal team processes DPA execution requests within 2 business days for Enterprise customers.