1. Definitions
For the purposes of this Agreement, the following terms have the meanings set out below. Capitalised terms not defined here have the meaning given in the Terms and Conditions or in applicable data-protection law.
- "Agreement" means this Data Processing Agreement together with any annexes and any applicable Order Form or subscription plan accepted by the Customer.
- "Controller" means the Customer (the natural or legal person who determines the purposes and means of processing Personal Data).
- "Processor" means Underlayer, acting on the instructions of the Controller.
- "Personal Data"means any information relating to an identified or identifiable natural person (“Data Subject”) that the Customer transmits to, or processes through, the Service.
- "Processing" has the meaning given in GDPR Art. 4(2).
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Service" means the Underlayer platform, including the scheduler, task queue, webhook dispatching, activity log, integrations, and related APIs, as further described in the Terms.
- "Sub-processor"means any third party engaged by Underlayer to process Personal Data on the Controller's behalf.
- "EEA" means the European Economic Area.
2. Identity of the Processor
The Processor is the individual operating the Underlayer platform as a self-employed professional (autónomo) under Spanish law:
- Name: [NOMBRE COMPLETO]
- Tax ID (NIF): [NIF]
- Address: [DIRECCIÓN COMPLETA], [CIUDAD], [CP], Spain
- Legal contact: legal@underlayer.dev
3. Subject Matter, Nature and Purpose of Processing
Underlayer provides a cloud-based HTTP scheduling, task queuing, and webhook dispatching platform. In the course of providing the Service, Underlayer processes Personal Data contained within:
- Task payloads (HTTP request bodies) submitted by the Customer;
- Webhook request/response logs stored in the Activity Log;
- Target URLs, headers, and metadata associated with scheduled tasks and cron jobs;
- Account and billing information of the Customer's users (name, email address, payment references).
The purpose of processing is exclusively to provide, maintain, secure, and improve the Service as instructed by the Customer. Underlayer does not process Personal Data for its own marketing, advertising, or analytics purposes beyond what is strictly necessary to operate the Service.
4. Types of Personal Data and Categories of Data Subjects
The types of Personal Data and categories of Data Subjects processed under this Agreement depend entirely on the data that the Customer chooses to include in task payloads, target URLs, and other inputs to the Service. Underlayer has no visibility into or control over the content of Customer payloads.
Typical categories may include:
- Customer end-users: identifiers, email addresses, purchase data, or other personal data included in Customer-defined webhook payloads;
- Customer account holders: name, email address, and billing contact details used to manage workspace membership and billing.
The Customer is solely responsible for ensuring that any Personal Data submitted to the Service has a lawful basis for processing and that Data Subjects have been adequately informed in accordance with GDPR Art. 13/14.
5. Duration of Processing
Underlayer will process Personal Data for the duration of the Customer's active subscription or as otherwise agreed in writing. Upon termination of the subscription or upon the Customer's written request, Underlayer will delete or return Personal Data as described in §12 below.
Certain retention periods are determined by the Customer's tier plan (e.g. activity-log retention days). The Customer may reduce retention periods within the limits of their plan via the workspace settings.
6. Obligations of the Processor
In accordance with GDPR Art. 28(3), Underlayer shall:
- Act only on documented instructions. Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organisation. If Underlayer is required by applicable law to process Personal Data other than as instructed, it will inform the Customer in advance unless prohibited by law.
- Ensure confidentiality. Ensure that all persons authorised to process Personal Data are subject to a duty of confidentiality, whether by contract or by applicable statutory obligation.
- Implement appropriate security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in §9 below and in accordance with GDPR Art. 32.
- Respect conditions for engaging Sub-processors. Not engage another Sub-processor without prior general or specific written authorisation of the Customer, and impose data-protection obligations equivalent to those set out in this Agreement on any Sub-processor engaged.
- Assist with data-subject rights. Taking into account the nature of processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
- Assist with compliance obligations. Assist the Customer in ensuring compliance with the obligations pursuant to GDPR Art. 32–36 (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and the information available to Underlayer.
- Delete or return data. At the choice of the Customer, delete or return all Personal Data after the end of provision of services, and delete existing copies unless applicable law requires storage.
- Make information available. Make available to the Customer all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits and inspections conducted by the Customer or a mandated auditor, as further described in §13.
7. Customer Obligations (Controller)
The Customer represents and warrants that:
- It has a lawful basis for processing any Personal Data transmitted to the Service, and has provided all required notices to Data Subjects;
- It will not submit Special Categories of Personal Data (GDPR Art. 9) or Personal Data relating to criminal convictions (Art. 10) to the Service unless it has obtained Underlayer's prior written consent and has verified that Underlayer's security measures are appropriate for such data;
- It will maintain accurate account information and promptly notify Underlayer of any changes to its legal or organisational status that may affect this Agreement;
- It will implement appropriate access controls to prevent unauthorised use of its workspace and API keys.
8. Sub-processors
The Customer grants Underlayer general authorisation to engage Sub-processors. Underlayer will maintain a current list of Sub-processors at underlayer.dev/legal/sub-processors (or via email on request). Underlayer will provide the Customer with at least 30 days' notice of any intended changes to Sub-processors (additions or replacements) by updating the Sub-processor list and notifying registered account holders via email. If the Customer objects to a new Sub-processor on reasonable data-protection grounds, it may terminate the affected Service with a pro-rata refund of prepaid fees.
Current key Sub-processors include (non-exhaustive):
- Supabase, Inc. — Authentication, database, and storage infrastructure (EU region where available). Privacy: supabase.com/privacy.
- Stripe, Inc. — Payment processing and subscription management. Privacy: stripe.com/privacy.
- Hetzner Online GmbH — Cloud infrastructure and hosting (EU data centres). Privacy: hetzner.com/legal/privacy-policy.
- Resend, Inc. — Transactional email delivery. Privacy: resend.com/legal/privacy-policy.
Each Sub-processor is bound by contractual terms at least as protective as those set out in this Agreement, including, where applicable, EU Standard Contractual Clauses.
9. Security Measures (GDPR Art. 32)
Underlayer implements and maintains the following technical and organisational security measures, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing:
- Encryption in transit: All data transmitted between the Customer and the Service uses TLS 1.2 or higher.
- Encryption at rest: Database content is encrypted at rest using AES-256 (via infrastructure provider).
- Access control: Role-based access control (Owner / Admin / Member) enforced at API level; API keys scoped to workspace.
- Authentication: Multi-factor authentication available for all user accounts; API key authentication for programmatic access.
- Data isolation: Customer data is logically isolated by workspace and organisation; row-level security enforced at database level.
- Vulnerability management: Dependencies monitored for known CVEs; security patches applied on a risk-based timeline.
- Backup and recovery: Regular automated backups with point-in-time recovery capability.
- Incident response: Internal procedure for detecting, reporting, and responding to security incidents, as described in §10.
Underlayer will review and, where necessary, update these measures on a regular basis. Customers may request an up-to-date summary of security measures by contacting security@underlayer.dev.
10. Personal Data Breach Notification
In the event of a confirmed Personal Data Breach (as defined in GDPR Art. 4(12)) affecting Customer data, Underlayer will:
- Notify the Customer without undue delay and, where feasible, within 48 hours of becoming aware of the breach, by email to the address registered on the affected workspace account;
- Provide, at minimum: a description of the nature of the breach; the categories and approximate number of Data Subjects and personal data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach, including mitigation measures.
Underlayer's notification of a breach does not constitute an acknowledgement of fault or liability. The Customer is responsible for assessing whether the breach triggers a notification obligation to the competent supervisory authority (GDPR Art. 33) and/or to Data Subjects (Art. 34).
11. Data Protection Impact Assessments (DPIA)
Underlayer will provide reasonable assistance to the Customer in carrying out any Data Protection Impact Assessment required under GDPR Art. 35, and in consulting the competent supervisory authority in accordance with Art. 36, insofar as such assistance relates to the processing carried out by Underlayer as Processor and taking into account the information available to Underlayer.
12. Return and Deletion of Data
Upon termination of the Customer's account or subscription, or upon written request, Underlayer will:
- Provide the Customer with an export of their data (tasks, cron jobs, activity logs, env vars) in machine-readable format via the dashboard export tools or API, for a period of 30 days following termination;
- Delete all Personal Data from active systems within 90 days of termination, unless a longer retention period is required by applicable law or the data is included in routine backup media (which are purged on the standard backup lifecycle);
- Upon the Customer's written request, confirm in writing that deletion has been completed.
13. Audit Rights
Underlayer will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28, and will allow for and contribute to audits, including inspections, conducted by the Customer or a mandated third-party auditor (provided such auditor is not a competitor of Underlayer and is bound by appropriate confidentiality obligations).
In the first instance, audits shall be conducted by reviewing Underlayer's written responses to Customer questionnaires and any applicable security certifications or reports provided by Underlayer. On-site or hands-on audits require at least 30 days' prior written notice, shall occur no more than once per calendar year unless required by a supervisory authority, and shall be conducted at the Customer's expense.
14. International Data Transfers
Underlayer processes data primarily within the EEA. Where Personal Data is transferred outside the EEA (e.g., via Sub-processors with operations in third countries), Underlayer ensures that an appropriate transfer mechanism is in place, including:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914), as applicable; or
- An adequacy decision by the European Commission (GDPR Art. 45); or
- Another appropriate safeguard permitted under GDPR Chapter V.
Where SCCs apply, a copy is available on request at legal@underlayer.dev.
15. Liability
Each party's liability under this Agreement is subject to the exclusions and limitations set out in the Terms and Conditions. Where Underlayer is held liable for a breach of this Agreement that is directly caused by the Customer's unlawful instructions, Underlayer may seek full indemnification from the Customer.
16. Governing Law and Supervisory Authority
This Agreement is governed by Spanish law and the laws of the European Union applicable to data protection, including the GDPR. Disputes shall be subject to the exclusive jurisdiction of the courts of Spain, without prejudice to mandatory local law provisions applicable in the Customer's jurisdiction.
Customers located in the EEA have the right to lodge a complaint with their competent supervisory authority. Underlayer's lead supervisory authority is the Agencia Española de Protección de Datos (AEPD), www.aepd.es.
17. Amendments
Underlayer may amend this Agreement from time to time. Material changes will be communicated to Customers via email to the registered account address at least 30 days before taking effect. Continued use of the Service after the effective date of any amendment constitutes acceptance of the updated Agreement. If the Customer objects to an amendment, it may terminate its subscription before the effective date and receive a pro-rata refund of prepaid fees.
18. Entire Agreement
This Agreement, together with the Terms and Conditions and Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements, understandings, or representations on this subject.
19. Severability
If any provision of this Agreement is found to be unenforceable, the remaining provisions will continue in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable.
20. Contact
For data-protection enquiries, to exercise your rights, or to request a countersigned PDF version of this Agreement, contact:
- Legal: legal@underlayer.dev
- Privacy: privacy@underlayer.dev
