Data Processing Agreement
Last updated 23 March, 2026
1. Introduction
This Data Processing Agreement ("DPA") is between you, the customer using Encore Cloud ("Controller"), and Encoretivity AB, Kungsholms Strand 127, Stockholm 112 33, Sweden ("Encore" or "Processor").
As a customer, you are the Data Controller — meaning you decide what personal data is processed and why. Encore acts as your Data Processor, handling personal data only to operate and deliver the Services to you.
This DPA forms part of the Terms of Service (the "Agreement"). By using the Encore Service, you agree to this DPA.
2. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Agreement. Additionally:
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-Processor" have the meanings given in the GDPR.
- "Services" means the Encore Cloud platform and related services provided to the Controller under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision of 4 June 2021 (as may be updated from time to time).
- "EEA" means the European Economic Area.
3. Scope and Role of the Parties
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Services. The Controller determines the purposes and means of processing. The Processor acts on the Controller's instructions as set out in this DPA and the Agreement, except where required by applicable law.
4. Details of Processing
Nature and purpose
Processing is carried out to provide the Controller with cloud infrastructure automation, application deployment, observability, and related developer tooling, as described in the Encore Cloud documentation.
Categories of Personal Data
The categories of Personal Data processed depend on the Controller's application and may include:
- Account data: name, email address, authentication tokens for users of the Encore Cloud dashboard.
- Application data: any Personal Data contained in the Controller's workloads deployed via Encore Cloud, the nature of which is determined solely by the Controller.
- Usage and telemetry data: logs, traces, and metrics generated by the Controller's applications and processed by Encore Cloud's observability features.
Categories of Data Subjects
Data Subjects may include the Controller's employees, contractors, end users, and any other individuals whose Personal Data is included in the Controller's applications or workloads.
Duration
Processing continues for the duration of the Agreement and, thereafter, until data is deleted in accordance with Section 10.
5. Controller Instructions
The Processor will process Personal Data as necessary to provide the Services, in accordance with this DPA and the Agreement. By using the Services, the Controller instructs the Processor to process Personal Data for that purpose.
Where applicable law requires the Processor to process Personal Data beyond these instructions, the Processor will endeavour to notify the Controller in advance, unless prohibited by law.
6. Security Measures
Encore maintains appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or disclosure, as described in the Security & Compliance documentation.
7. Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data are bound by an obligation of confidentiality, whether by contract or statutory obligation, which persists after termination of their employment or engagement. Access to Personal Data is restricted to personnel who require it to perform their duties in connection with the Services.
8. Sub-Processors
General authorisation
The Controller grants the Processor general authorisation to engage Sub-Processors. The Processor shall publish updates to the list of Sub-Processors below on this page and, when practical, provide notice via email or in-product notification of any intended addition or replacement. The Controller may raise concerns about a new Sub-Processor by contacting support@encore.cloud. Encore will work in good faith to address any reasonable objection. If the parties cannot reach a resolution, the Controller may terminate the relevant Services with thirty (30) days' written notice.
The Processor imposes data protection obligations on each Sub-Processor equivalent to those set out in this DPA.
Current Sub-Processors
| Sub-Processor | Country | Purpose | Certification |
|---|---|---|---|
| Google Cloud Platform (GCP) | USA | Core cloud infrastructure | ISO 27001, SOC 2 |
| Clerk | USA | User authentication and identity management | SOC 2 |
| Sentry | USA | Error monitoring and alerting | SOC 2 |
| Grafana Labs | USA | Application performance monitoring and metrics | SOC 2 |
| PostHog | EU | Product analytics and user behaviour tracking | SOC 2 |
| Mixpanel | USA | Product analytics and user behaviour tracking | SOC 2 |
| Slack | USA | Internal alerting and operational communication | SOC 2 |
| Twilio, Inc. (Segment, Sendgrid) | USA | Customer data platform and analytics (Segment); primary email provider for verification and transactional email messages (Sendgrid) | SOC 2 |
| Plain | UK | Customer support conversations and messaging (support operations/inbox and threads) | SOC 2 |
| Neon | USA | Managed Postgres database hosting (optional feature) | SOC 2 |
Where Sub-Processors are located outside the EEA, transfers are subject to appropriate safeguards, including Standard Contractual Clauses or an applicable EU adequacy decision. See Section 13.
9. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
Where the Processor receives a Data Subject request that clearly relates to the Controller's data, it will endeavour to forward that request to the Controller in a timely manner. The Controller is responsible for responding to Data Subject requests.
10. Deletion and Return of Data
Upon termination of the Agreement, the Processor will make the Controller's data available for electronic retrieval for thirty (30) days, after which it may be deleted. The Controller may request earlier deletion by contacting support@encore.cloud.
For technical reasons, data may remain in encrypted backups for a period after deletion. Any such residual data remains subject to the security obligations in this DPA. The Processor is not required to delete data where retention is required by applicable law.
11. Audit Rights and Assistance
Encore will respond to reasonable information requests regarding compliance with this DPA. Audit obligations may be satisfied by Encore providing its current security self-assessment, third-party security documentation, or audit reports where available. The parties agree this is sufficient to demonstrate compliance.
Encore will provide reasonable assistance to the Controller in connection with its obligations under Articles 32–36 of the GDPR, to the extent such assistance relates to Encore's own processing activities and the information available to Encore.
12. Personal Data Breaches
Where Encore becomes aware of a Personal Data breach affecting the Controller's data, Encore will notify the Controller without undue delay. Notification will be sent to the email address registered on the Controller's Encore Cloud account and will include, to the extent then available, a description of the incident and the steps being taken to address it. Additional information may follow as the investigation progresses.
Encore's notification does not constitute an admission of fault or liability. The Controller is responsible for any notifications to supervisory authorities or Data Subjects required by applicable law.
13. International Data Transfers
Encore's core production infrastructure is hosted in the US East region (GCP us-east-1). Backups are maintained across multiple US regions. Processing by Sub-Processors may take place outside the EEA.
Where Personal Data is transferred outside the EEA to a country without an EU adequacy decision, Encore ensures appropriate safeguards are in place, such as Standard Contractual Clauses with Sub-Processors. The Controller may request further information about applicable transfer mechanisms by contacting support@encore.cloud.
14. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for damages caused by intentional misconduct or gross negligence, or where liability cannot lawfully be limited or excluded.
15. Term and Termination
This DPA comes into effect on the date the Controller accepts the Agreement (or, for existing customers, on the date this DPA is published) and remains in force for the duration of the Agreement. Termination of the Agreement automatically terminates this DPA, without prejudice to any obligations that survive termination by their nature, including confidentiality (Section 7) and deletion obligations (Section 10).
16. Governing Law and Jurisdiction
This DPA is governed by the laws of Sweden, without regard to conflict of law principles, and subject to the exclusive jurisdiction of the courts of Stockholm, Sweden, except where mandatory EU data protection law requires otherwise.
17. Acceptance
By using the Encore Service, you agree to this DPA. No separate signature is required. If your organisation requires a countersigned DPA, contact support@encore.cloud.
Contact Us
Questions? Contact us at support@encore.cloud or in writing at Encoretivity AB, Kungsholms Strand 127, Stockholm 112 33, Sweden.