Data Processing Agreement

Last updated: May 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• Processor: REDU CLOUD LTD, a company registered in England and Wales (Company No. 17013438), with registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ("redu.cloud", "we", "Processor")
• Controller: The business customer who has accepted redu.cloud's Terms of Service and uses redu.cloud services to process personal data ("Customer", "Controller")

This DPA supplements the Terms of Service and applies where redu.cloud processes personal data on behalf of the Customer in connection with the redu.cloud cloud infrastructure services.

2. Definitions

Terms used but not defined here have the meanings given in the redu.cloud Terms of Service, UK GDPR, and EU GDPR as applicable. "Data Protection Laws" means UK GDPR, EU GDPR, the Data Protection Act 2018, and any applicable successor legislation.

3. Subject Matter, Duration, and Nature of Processing

• Subject matter: Provision of cloud infrastructure services including compute, storage, networking, and associated platform features
• Duration: For the term of the Customer's use of the redu.cloud Services and as required for deletion/return obligations after termination
• Nature of processing: Hosting, storing, transmitting, and providing access to personal data that the Customer uploads or generates using the Services
• Purpose: To provide the Services as described in the Terms of Service and as instructed by the Customer

4. Types of Personal Data and Categories of Data Subjects

The types of personal data and categories of data subjects depend on the Customer's use of the Services. redu.cloud does not prescribe what personal data the Customer stores. Typical categories include:

• End users of the Customer's applications
• Employees or contractors of the Customer

Typical personal data may include identifiers, contact details, usage data, and any other personal data the Customer chooses to process using the Services.

5. Processor Obligations

redu.cloud will, as Processor:

• Process personal data only on the documented instructions of the Customer (including as set out in the Terms of Service and this DPA), unless required to do otherwise by applicable law
• Ensure that personnel authorised to process personal data are subject to appropriate confidentiality obligations
• Implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access
• Not engage additional subprocessors without informing the Customer, subject to the subprocessor provisions below
• Assist the Customer, taking into account the nature of the processing, to respond to requests from data subjects exercising their rights under Data Protection Laws
• Assist the Customer with security obligations, breach notifications, data protection impact assessments, and prior consultations, taking into account the nature of processing and information available to redu.cloud
• Delete or return all personal data to the Customer at the end of the provision of services, and delete existing copies, unless applicable law requires retention
• Make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28 GDPR and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality arrangements

6. Security Measures

redu.cloud implements technical and organisational security measures appropriate to the risk, including as described on our Security page. These measures are reviewed and updated as appropriate. The Customer acknowledges that security measures are shared-responsibility as described on the Security page.

7. Subprocessors

The Customer provides general authorisation for redu.cloud to engage subprocessors. Our current subprocessors are listed on the Subprocessors page.

redu.cloud will inform the Customer of any intended changes concerning the addition or replacement of subprocessors by updating the Subprocessors page and, for business customers with a signed DPA, by direct notification. The Customer may object to changes within a reasonable period. All subprocessors are required to provide equivalent data protection obligations to those in this DPA.

8. International Transfers

Personal data is primarily processed in Germany, EU. Where subprocessors process personal data outside the UK or EU/EEA, redu.cloud ensures appropriate transfer safeguards are in place, including Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms. See our Data Location page and Subprocessors page for details.

9. Personal Data Breach Notification

redu.cloud will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data processed under this DPA. Notifications will include: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

10. Deletion and Return of Data

Upon termination or expiry of the Customer's use of the Services, redu.cloud will, at the Customer's choice, delete or return all personal data processed under this DPA within a reasonable period, and delete existing copies, unless applicable law requires retention of the personal data.

11. Governing Law

This DPA is governed by the laws of England and Wales, consistent with the governing law provision in the Terms of Service.

12. Contact

To request a reviewed and signed DPA, or for questions about data processing, contact us at office@redu.cloud.