Data Processing Agreement
Last updated: [DATE]
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer") and Reunit SA, a société anonyme incorporated in Luxembourg, with registered office at 177 Rue de Luxembourg, L-8077 Bertrange, Grand Duchy of Luxembourg ("Reunit SA", "Rerun", "we", "us" or "our"), governing your use of the Rerun service available at https://rerun.build (the "Service").
This DPA reflects the parties' agreement on the processing of personal data carried out by Reunit SA on the Customer's behalf in connection with the Service, in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR"). Where there is a conflict between this DPA and the main agreement, this DPA prevails on matters of data protection.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach" and "supervisory authority" have the meaning given to them in the GDPR. "Customer Content" means the personal data contained in the missions, instructions, files, messages and connected-service data that the Customer's agents process through the Service. "Applicable Data Protection Law" means the GDPR and any national data protection law that applies to the processing under this DPA.
2. Roles of the parties
2.1 For Customer Content processed by agents running on Rerun's cloud infrastructure ("Cloud Mode"), the Customer acts as the controller (or as a processor acting on behalf of its own controller) and Reunit SA acts as the processor. This DPA governs that processing.
2.2 For account, billing and website data, Reunit SA acts as the controller. That processing is governed by the Rerun Privacy Policy, not by this DPA.
2.3 In self-hosted mode (Scale plan), the Rerun engine runs on the Customer's own infrastructure and Customer Content does not leave the Customer's machines. Reunit SA does not process Customer Content in self-hosted mode, and Sections 3 to 12 of this DPA apply only to the limited account and dashboard data described in the Privacy Policy.
3. Scope, subject matter and duration
3.1 The subject matter of the processing is the provision of the Service. The nature and purpose of the processing is the execution of autonomous AI agents that carry out missions defined by the Customer, including connecting to third-party services on the Customer's behalf.
3.2 Reunit SA processes Customer Content only for the duration of the agreement and only as necessary to provide the Service, plus any limited retention period required to comply with law. The categories of data subjects and personal data are described in Annex I.
4. Customer instructions
4.1 Reunit SA processes Customer Content only on documented instructions from the Customer, including with regard to international transfers, unless required to act by a law to which Reunit SA is subject. In that case, Reunit SA informs the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
4.2 The Customer's instructions are set out in this DPA, the main agreement, and the configuration choices the Customer makes in the Service (including which agents to run, which third-party services to connect, and which AI model to use). The Customer is responsible for ensuring it has a lawful basis for the Customer Content it submits and that its instructions comply with Applicable Data Protection Law.
4.3 Reunit SA informs the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality
Reunit SA ensures that persons authorised to process Customer Content are bound by an appropriate duty of confidentiality and process Customer Content only as instructed.
6. Security measures
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, Reunit SA implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A description of those measures is set out in Annex II.
6.2 Reunit SA may update its security measures from time to time, provided that the updated measures do not materially reduce the overall level of protection of Customer Content.
7. Sub-processors
7.1 The Customer provides general authorisation for Reunit SA to engage sub-processors to process Customer Content. The current sub-processors are listed in Annex III.
7.2 Reunit SA imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, in particular regarding security measures, and remains liable to the Customer for the performance of each sub-processor's obligations.
7.3 Reunit SA informs the Customer of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable data protection grounds. If the Customer objects and the parties cannot agree on a resolution, the Customer may terminate the affected part of the Service.
8. Assistance to the Customer
8.1 Taking into account the nature of the processing, Reunit SA assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability and objection).
8.2 Reunit SA assists the Customer in ensuring compliance with the obligations relating to security of processing, personal data breach notification, data protection impact assessments and prior consultation with supervisory authorities (Articles 32 to 36 GDPR), taking into account the nature of the processing and the information available to Reunit SA.
9. Personal data breach
Reunit SA notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content, and provides the Customer with the information reasonably available to it to help the Customer meet its own notification obligations. Notifications are sent to the contact associated with the Customer's account.
10. International transfers
10.1 Some sub-processors listed in Annex III are located outside the European Economic Area. Where Customer Content is transferred to a country that is not the subject of an adequacy decision, Reunit SA relies on an appropriate transfer mechanism under Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses, together with any supplementary measures required to ensure an adequate level of protection.
10.2 The Customer can reduce or avoid such transfers by selecting EU-based infrastructure and EU-based AI models where the Service offers that choice, or by using self-hosted mode.
11. Audits
11.1 Reunit SA makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
11.2 The Customer's audit rights are satisfied in the first instance by Reunit SA providing relevant documentation and answering reasonable questions. On-site inspections are limited to once per year (unless required following a personal data breach or by a supervisory authority), must be requested with reasonable prior notice, must not unreasonably disrupt Reunit SA's operations, and are subject to confidentiality.
12. Return and deletion
On termination of the Service, Reunit SA, at the Customer's choice, deletes or returns Customer Content and deletes existing copies, unless a law to which Reunit SA is subject requires further storage. Routine backups containing Customer Content are deleted in the ordinary course of Reunit SA's backup cycle.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement.
14. Governing law and jurisdiction
This DPA is governed by the laws of the Grand Duchy of Luxembourg, and the courts of Luxembourg have exclusive jurisdiction, without prejudice to any mandatory rights data subjects have under Applicable Data Protection Law.
15. Contact
Questions about this DPA, or requests relating to data protection, can be sent to help@rerun.build, or by post to Reunit SA, 177 Rue de Luxembourg, L-8077 Bertrange, Luxembourg (VAT: LU19540651). The data controller for Reunit SA's own processing is Reunit SA; there is no separately appointed Data Protection Officer.
Annex I: Details of the processing
Subject matter: Provision of the Rerun Service (autonomous AI agents executing Customer-defined missions).
Duration: For the term of the agreement, plus any limited period required by law.
Nature and purpose: Hosting, running and orchestrating AI agents; connecting to third-party services on the Customer's behalf; storing agent configuration, sessions and memory; sending operational notifications.
Categories of data subjects: The Customer's authorised users, and any individuals whose personal data is contained in the Customer Content the agents process (for example contacts, recipients or records held in connected third-party services).
Categories of personal data: Account identifiers (name, email); mission and agent content, messages and files; data retrieved from or sent to connected third-party services; agent memory and logs. The Customer controls what Customer Content it submits and should avoid submitting special categories of personal data unless strictly necessary.
Special categories of data: Not intended to be processed. If the Customer submits special categories of personal data, it does so under its own responsibility and lawful basis.
Annex II: Technical and organisational measures
- Encryption of data in transit using TLS, and encryption of data at rest provided by our infrastructure sub-processors.
- Access controls and authentication for the dashboard, with role and workspace separation.
- User secrets and credentials for connected services are not stored in Rerun's database.
- Segregation of customer workspaces and, in cloud mode, isolation of agent compute instances.
- Logical separation between EU-hosted application and database infrastructure.
- Use of vetted sub-processors bound by data protection terms (Annex III).
- Backups with defined retention, and deletion of Customer Content on termination per Section 12.
- Internal measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, and to restore availability after an incident.
Annex III: Sub-processors
Reunit SA engages the following sub-processors to process Customer Content in cloud mode:
| Sub-processor | Purpose | Location | | --- | --- | --- | | Hetzner | Agent compute (cloud engine instances) | Germany (EU) | | Supabase | Database, authentication and file storage | European Union (Frankfurt) | | Railway | Dashboard and application hosting | European Union (Amsterdam) | | Anthropic | AI model inference for agents | United States | | OpenAI | AI model inference for agents | United States | | Google | AI model inference (Gemini) for agents | United States / European Union | | OpenRouter | AI model routing and text embeddings | United States | | Stripe | Payments and billing | United States / European Union (Ireland) | | Trigger.dev | Background job orchestration | United States | | Resend | Transactional and notification email | United States | | Crisp | Customer support chat | European Union (France) |
The AI model providers that actually process Customer Content depend on the model the Customer selects in the Service; Customers who require EU-only processing can select EU-based infrastructure and models, or use self-hosted mode, where no sub-processor in this Annex processes Customer Content.