Last updated: 30 March 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer and DBaaS.dev. It governs the processing of personal data by DBaaS.dev on behalf of the Customer and is intended to satisfy the requirements of GDPR Article 28 and India's Digital Personal Data Protection Act 2023 (DPDP Act).
Applicability: This DPA applies where the Customer stores personal data relating to third parties (including end users, customers, or employees) within DBaaS.dev databases. Where databases contain only non-personal data, this DPA has no operative effect, but it applies automatically as part of the Agreement.
1. Definitions
In this DPA, the following terms have the meanings given below:
- "Agreement" — the DBaaS.dev Terms of Service, together with this DPA
- "Customer Data" — any personal data that the Controller uploads to, or processes through, the Service
- "GDPR" — EU General Data Protection Regulation 2016/679
- "DPDP Act" — India's Digital Personal Data Protection Act 2023
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined under applicable data protection law
- "Processing" — any operation performed on personal data (storage, retrieval, modification, deletion, etc.)
- "Security Incident" — any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data
- "Sub-processor" — any third party engaged by DBaaS.dev to process Customer Data
- "Supervisory Authority" — the relevant data protection regulator for the applicable jurisdiction
2. Roles of the Parties
Data Controller
The Customer
The Customer determines the purposes and means of processing personal data stored in their databases. The Customer is responsible for compliance with applicable data protection law, including establishing a valid lawful basis for processing end-user personal data.
Data Processor
DBaaS.dev
DBaaS.dev processes Customer Data solely on the documented instructions of the Customer — namely, to host and operate the PostgreSQL databases provisioned by the Customer. DBaaS.dev has no independent interest in Customer Data and does not use it for any other purpose.
3. Scope and Purpose of Processing
Annex I — Processing Details
| Subject matter | Provision of managed PostgreSQL database infrastructure |
| Duration | For the term of the Agreement; ephemeral databases until TTL expiry |
| Nature of processing | Storage, retrieval, backup (if applicable), and deletion of data in PostgreSQL databases operated by DBaaS.dev on the Customer's behalf |
| Purpose | To host and serve the Customer's PostgreSQL database as instructed by the Customer |
| Types of personal data | Whatever the Customer chooses to store — DBaaS.dev does not specify or control this |
| Categories of data subjects | The Customer's end users, customers, or employees — as determined by the Customer |
| Location of processing | United States (primary infrastructure) |
4. DBaaS.dev's Obligations as Processor
DBaaS.dev undertakes to:
- Process Customer Data only on documented instructions from the Customer, which consist of operating the database as provisioned. Where DBaaS.dev is legally required to process Customer Data in a manner that conflicts with those instructions, DBaaS.dev will notify the Customer in advance unless applicable law prohibits such disclosure.
- Ensure that all personnel authorised to process Customer Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational security measures set out in Section 6 of this DPA.
- Engage Sub-processors only in accordance with Section 7 of this DPA, and impose equivalent data protection obligations on each Sub-processor by written contract.
- Provide reasonable assistance to the Customer in responding to data subject rights requests (including access, rectification, erasure, and portability), to the extent technically practicable, given that the Customer manages database contents directly.
- Assist the Customer in fulfilling its obligations under GDPR Articles 32–36 (security of processing, breach notification, data protection impact assessments, and prior consultation) and the corresponding provisions of the DPDP Act.
- At the Customer's election, delete or return all Customer Data upon termination of the Agreement, and delete existing copies unless retention is required by applicable law.
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and facilitate audits as described in Section 10.
- Promptly notify the Customer if, in DBaaS.dev's reasonable opinion, an instruction from the Customer infringes applicable data protection law.
5. Customer's Obligations as Controller
The Customer undertakes to:
- Establish and maintain a valid lawful basis for processing any personal data stored in DBaaS.dev databases.
- Provide accurate and complete processing instructions to DBaaS.dev, and ensure that those instructions comply with applicable data protection law.
- Bear sole responsibility for the content, accuracy, and legality of Customer Data.
- Refrain from instructing DBaaS.dev to process personal data in any manner that would violate applicable law.
- Ensure, to the extent required by applicable law, that any cross-border transfer of personal data to the United States (where DBaaS.dev's infrastructure is located) is supported by an appropriate transfer mechanism — for example, Standard Contractual Clauses for EU/EEA data, or any mechanism permissible under the DPDP Act for personal data originating in India.
6. Security Measures (Annex II)
DBaaS.dev implements and maintains the following technical and organisational measures to protect Customer Data:
Technical measures
- Encryption in transit: All connections to and from database instances use TLS 1.2 or higher. Traffic between internal services uses encrypted channels.
- Access controls: Each database is isolated in its own Kubernetes namespace with unique credentials. Access to the underlying infrastructure is restricted to authorised personnel only.
- Network isolation: Database pods are subject to Kubernetes NetworkPolicies that restrict inbound connections to the assigned NodePort and block all outbound connections from the database pod. External access is only possible using your assigned credentials.
- Unique credentials: Every database instance is provisioned with a unique username, password, and database name. No shared credentials exist across customer instances.
- Secret storage: Database credentials are stored as Kubernetes Secrets (base64-encoded, access-controlled by RBAC).
Organisational measures
- Access logging: All API access and administrative actions are logged.
- Principle of least privilege: Personnel access to infrastructure is limited to what is necessary for their role.
- Incident response: We have a process for identifying, escalating, and responding to security incidents (see Section 8).
Known limitations
- Data at rest is not encrypted on Free tier databases.
- Backups are not guaranteed on the Free tier.
- Ephemeral databases are short-lived and non-persistent by design. Sensitive personal data must not be stored in Ephemeral databases.
7. Sub-processors (Annex III)
The Customer provides general authorisation for DBaaS.dev to engage the Sub-processors listed below. DBaaS.dev will provide the Customer with at least 14 days' prior notice before adding or replacing any Sub-processor, thereby affording the Customer an opportunity to object.
| Sub-processor | Role | Processing location |
| --- | --- | --- |
| VPS / Kubernetes provider | Hosts the Kubernetes cluster on which database pods run. Customer Data is stored on this infrastructure. | United States |
| Neon (neon.tech) | Hosts the DBaaS.dev metadata database (account records, resource metadata). Does not store Customer Data from your databases. | United States |
| Cloudflare | Provides CDN and DNS. May process request headers and IP addresses in transit. Does not store Customer Data. | Global (edge) |
To receive notifications of Sub-processor changes, contact [email protected] to register for updates.
8. Security Incident & Breach Notification
Upon becoming aware of a Security Incident involving Customer Data, DBaaS.dev will:
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the incident, consistent with GDPR Article 33. Notification will be sent to the email address registered on the Customer's account.
- Notify the Data Protection Board of India (DPBI) promptly upon becoming aware of a breach involving personal data of Indian residents, in accordance with obligations under the DPDP Act.
- Include in the notification, or provide as soon as reasonably practicable thereafter:
  - A description of the nature of the Security Incident
  - The categories and approximate number of data subjects and personal data records affected
  - The likely consequences of the incident
  - The measures taken or proposed to address the incident and mitigate its effects
- Cooperate with the Customer in any investigation and provide reasonable assistance in connection with the Customer's own notification obligations to Supervisory Authorities and affected data subjects.
The Customer, as Data Controller, remains solely responsible for determining whether notification to Supervisory Authorities or data subjects is required, and for complying with applicable notification timelines. DBaaS.dev's notification to the Customer initiates the Customer's own compliance obligations — it does not discharge them.
9. International Data Transfers
Customer Data is stored on infrastructure located in the United States. DBaaS.dev is based in India. Depending on the location of the Customer and its end users, this may constitute a cross-border transfer of personal data.
EU/EEA customers (GDPR)
The transfer of personal data from the EU/EEA to the United States is made on the basis of contractual necessity (GDPR Article 49(1)(b)) or, where applicable, Standard Contractual Clauses. Customers requiring SCCs as a transfer mechanism should contact [email protected].
Indian customers (DPDP Act)
The transfer of personal data originating in India to DBaaS.dev's US-based infrastructure is made for the purpose of providing the service requested by the Customer. Such data is processed in accordance with the DPDP Act and any cross-border transfer rules notified by the Government of India.
10. Audit Rights
DBaaS.dev will:
- Make available, upon written request, documentation reasonably necessary to demonstrate compliance with this DPA
- Permit the Customer, or an independent auditor appointed by the Customer, to conduct audits of DBaaS.dev's data processing practices in relation to Customer Data, subject to reasonable advance notice of not less than 30 days, prior agreement on scope, and execution of an appropriate confidentiality agreement
- Not be required to provide access to systems, data, or information pertaining to other customers
The Customer shall bear the reasonable costs of any audit it initiates. Audits may not be conducted more than once per calendar year, unless there is a well-founded suspicion of a Security Incident.
11. Data Return and Deletion
Upon termination or expiry of the Agreement, or upon written request from the Customer:
- DBaaS.dev will, at the Customer's election, either return Customer Data in a standard export format (PostgreSQL dump file) or securely delete all Customer Data from its systems
- Deletion will be completed within 30 days of the written request or the termination date, whichever is earlier
- Ephemeral databases are automatically and permanently deleted upon TTL expiry; no further action by either party is required
- DBaaS.dev will provide written certification of deletion upon request
- Customer Data may be retained beyond the above period solely to the extent required by applicable law, and only for the minimum period so required
12. Amendments and Term
This DPA takes effect from the date the Customer accepts the Terms of Service and remains in force for the duration of the Agreement. Where changes to applicable data protection law necessitate amendments to this DPA, DBaaS.dev will update it and notify the Customer accordingly. Continued use of the service following notification constitutes acceptance of the amended DPA.
This DPA supersedes all prior data processing agreements between the parties with respect to the subject matter herein.
13. Governing Law
This DPA is governed by the laws of India. Disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service. Nothing in this clause limits any rights a Customer may have under the GDPR to bring claims before the competent EU Supervisory Authorities or courts in their jurisdiction.