Data Processing Agreement
Roles
This DPA governs how Blendbyte GmbH processes personal data on your behalf when you use Tindra Managed. It forms part of the Terms of Service and supplements them where personal data is involved.
You (the Customer) are the data controller and Blendbyte GmbH is the data processor within the meaning of GDPR Art. 4. "Processing" includes storing, accessing, transmitting, and deleting the data you send to the service.
What we process
We process the personal data you send via your SDK, which may include:
| Category | Examples |
|---|---|
| Identifiers | User IDs, email addresses |
| Technical data | IP addresses, device type, browser |
| Application data | Stack traces, breadcrumbs, error messages |
| Performance data | Transaction traces, query text |
| Custom context | Any fields you attach via SDK |
You control what is sent. Configure SDK-level scrubbing to avoid transmitting more personal data than necessary. We cannot retroactively redact data already received.
Our commitments
- Instructions only. We process your data solely to provide the service, on your instructions. We do not use it for our own purposes or to improve the service for other customers.
- Confidentiality. All staff with access to personal data are bound by written confidentiality obligations. Access is restricted to those who need it to operate the service.
- Sub-processors. We use a small number of EU-based sub-processors for hosting, email delivery, and payment processing. We contractually require each sub-processor to meet data protection obligations equivalent to those in this DPA (GDPR Art. 28(4)). The full list is available on request at hi@tindra.sh. We will notify you by email at least 15 days before adding a new sub-processor. You may object in writing within that period; if we cannot resolve the objection, you may terminate without penalty.
- Data subject rights. We will assist you in responding to access, deletion, correction, restriction, and portability requests. On a written request, we will provide or delete the relevant data within 5 business days.
- Security. We maintain appropriate technical and organisational measures as described in the Annex below.
- Breach notification. If we become aware of a personal data breach affecting your data, we will notify you within 24 hours of confirming it, with enough detail for you to meet your own GDPR obligations.
- Deletion on termination. You have 30 days after termination to export your data. We will then delete it from live systems within 5 business days and from encrypted backups within 90 days. We can provide a written deletion confirmation on request.
- Audits. We will provide information necessary to demonstrate compliance with this DPA. On 30 days' written notice, we will support an audit or provide current third-party security certifications as an alternative.
- DPIA assistance. We will assist you with data protection impact assessments related to our processing, on written request.
- Data location. All data is processed and stored within the EU. We do not transfer personal data outside the EU without your prior written authorisation.
Your responsibilities
As the data controller, you are responsible for:
- Having a lawful basis under GDPR to collect and transmit the personal data you send to Tindra.
- Configuring your SDK to minimise personal data and scrub sensitive fields (such as passwords, payment card data, or health information) before transmission. We cannot retroactively redact data already received.
- Informing your end users about telemetry collection and error monitoring in your own privacy policy or consent flows.
- Notifying us before sending special category data under GDPR Art. 9 (health, biometric, religious, or similar sensitive data), so we can agree on additional safeguards.
- Ensuring that any instructions you give us regarding the processing of personal data are lawful.
Liability
Our liability under this DPA is subject to the limitations and caps set out in the Terms of Service. Nothing in this DPA extends our liability beyond what is permitted under those Terms. Where both this DPA and the Terms address the same liability, the Terms govern.
General
By accepting the Terms of Service and using the service, you are providing documented instructions to us to process personal data as described in this DPA (GDPR Art. 28(3)(a)). This DPA is governed by German law. Disputes are subject to the exclusive jurisdiction of the courts of Berlin. If any provision of this DPA is found unenforceable, the remaining provisions continue in full force. We may update this DPA with 30 days' notice for material changes; your continued use after the effective date constitutes acceptance. Questions: hi@tindra.sh.
Annex: Technical and organisational measures
- Encryption in transit. All connections are encrypted with TLS 1.2 or higher.
- Encryption at rest. All databases and backups are encrypted with AES-256 or equivalent.
- Data isolation. Each customer has a dedicated, isolated Postgres database. No shared tables between customers.
- Access control. Production access requires multi-factor authentication and is restricted to authorised Blendbyte personnel. Access is logged and reviewed quarterly. Staff do not access customer data in the normal course of operations.
- Backups. Customer databases are backed up daily and retained for a minimum of 14 days. Recovery procedures are tested at least annually.
- Incident response. A documented incident response procedure is maintained. Post-incident reviews are conducted for significant events.
- Confidentiality of staff. All personnel with access to personal data are bound by written confidentiality obligations.
- Vulnerability management. Security assessments are conducted regularly. Critical vulnerabilities are remediated promptly.
Last updated May 18, 2026. For earlier versions contact hi@tindra.sh.