+ Data Processing Agreement

Preview

Article 28 in plain English.

When you store personal data on recover.is, you are the controller and we are the processor. The DPA governs that relationship per GDPR Article 28. The summary below shows our standing terms; a counter-signed DPA is provided alongside your MSA.

Last updated · May 2026

This page is a plain-language summary. The formal, signature-grade text ships before the first commercial contract. Until then, this represents our binding intent — if anything below conflicts with eventual signed agreements, the signed document governs.

01 /

Subject matter & duration

  • +Subject matter: storage and retrieval of personal data on the recover.is platform.
  • +Duration: the term of your agreement plus the export window after termination.
  • +Nature & purpose: backup, archive, disaster recovery, and immutable audit-evidence storage.
  • +Categories of data: defined by you. We never categorize or interpret object content.

02 /

Our obligations as processor

  • +Process personal data only on your documented instructions.
  • +Ensure persons processing data are bound by confidentiality.
  • +Implement the security measures described in our Security & Compliance page.
  • +Notify you without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach.
  • +Assist you in fulfilling data-subject requests, including the Article 17 erasure pipeline.
  • +Make available all information necessary to demonstrate compliance, including audit rights subject to reasonable scoping.

03 /

Sub-processors

  • +Our standing sub-processor list is published on the Security & Compliance page.
  • +We engage sub-processors only under written agreements that flow down equivalent data-protection obligations.
  • +We give you 30 days' notice before adding or replacing a sub-processor; you may object in writing within that window.

04 /

International transfers

  • +Object data and metadata never leave Iceland.
  • +Email-borne data (recipient addresses, message bodies) transits Resend (US). Resend is engaged under Standard Contractual Clauses and EU-US Data Privacy Framework certification.
  • +If a future sub-processor is located outside the EEA, transfer mechanisms (SCCs + supplementary measures) are contractually required.

05 /

Audit & cooperation

  • +On reasonable notice, you may audit our compliance with this DPA — directly, via independent third party, or via our SOC 2 / ISO 27001 reports once issued.
  • +We cooperate with supervisory authorities, including Persónuvernd in Iceland.
  • +We assist with Data Protection Impact Assessments where required by Article 35.

+ Questions?

Email legal@recover.is and we'll respond within one business day.

Back to recover.is