Data Processing Addendum
Summary · Full executed DPA available on request.
This page summarizes the terms under which Dronrly ("Processor") processes personal data on behalf of its Customers ("Controller") in connection with the Service. A signed DPA is available to Enterprise customers on request.
Subject matter & duration
Processing is limited to the provision of the Dronrly Service for the duration of the Customer's subscription, plus a 30-day post-termination export window.
Nature & purpose
Processing activities include hosting, transmitting, storing, and displaying Customer Data; sending transactional email; generating invoices; and diagnosing product issues.
Categories of data subjects
Customer's employees, contractors, invited clients, and leads who submit the public request form.
Categories of personal data
Name, email, phone, company, IP address, authentication events, and any personal data contained in Customer Data uploaded to the Service.
Sub-processors
Current sub-processors include Stripe (payments), an SMTP provider (transactional email), a cloud infrastructure provider (hosting), and an error-tracking provider. A current sub-processor list is maintained on request and updated with 30 days' notice of material changes.
Security measures
- Encryption of personal data in transit (TLS 1.2+) and at rest.
- Row-level tenant isolation enforced at the ORM layer.
- Passwords hashed with bcrypt; authentication via HttpOnly, Secure, SameSite=Lax session cookies.
- Access controls with role-based permissions and audit logging for administrative actions.
- Regular vulnerability scanning of container images (Trivy in CI) and third-party dependencies.
- Point-in-time backups; tested restoration procedures.
Data subject requests
Processor will assist Controller in responding to data subject requests (access, rectification, erasure, portability, objection). Routine requests are included at no additional cost.
International transfers
Where personal data is transferred outside the EEA/UK, the parties rely on Standard Contractual Clauses (2021/914) and any applicable UK International Data Transfer Addendum.
Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer Data.
Request a signed DPA
Enterprise and regulated-industry customers can request a signed DPA. Starter, Pro, and Max customers are covered by these terms incorporated by reference into our Terms of Service.