Data Processing Agreement

Last updated: February 9, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Rynko and Customer.

1. Introduction

This Data Processing Agreement ("DPA") is entered into by and between:

  • Rynko ("Processor", "we", "us") - the provider of the document generation API platform
  • Customer ("Controller", "you") - the entity using Rynko services

This DPA applies to the processing of Personal Data by Rynko on behalf of the Customer in connection with the provision of the Rynko document generation API services.

By using Rynko services, you agree to this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable national laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates (e.g., document recipients).
  • "Sub-processor" means any third party engaged by Rynko to process Personal Data on behalf of the Customer.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

3. Scope and Roles

3.1 Controller and Processor

For the purposes of this DPA:

  • The Customer is the Data Controller for Personal Data of document recipients
  • Rynko is the Data Processor, processing Personal Data on behalf of the Customer

3.2 Categories of Data Subjects

Personal Data processed under this DPA may relate to:

  • Document recipients (individuals whose data appears in documents generated via Rynko)
  • Customer's end users and customers

3.3 Types of Personal Data

Rynko processes the following categories of Personal Data:

  • Names and contact information (if provided in document templates)
  • Any Personal Data included in document content or template variables
  • Document generation metadata (timestamps, template used)
  • IP addresses and device information (for analytics)

3.4 Purpose of Processing

Rynko processes Personal Data solely for:

  • Generating PDF and Excel documents on behalf of the Customer
  • Providing document generation analytics and reporting
  • Storing generated documents temporarily for download
  • Maintaining service security and preventing abuse

4. Processor Obligations

Rynko agrees to:

4.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Customer
  • Not process Personal Data for any purpose other than providing the services
  • Inform the Customer if we believe an instruction violates Data Protection Laws

4.2 Confidentiality

  • Ensure that personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to perform services

4.3 Security Measures

Rynko implements appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS via Cloudflare)
  • Encryption of data at rest (Railway infrastructure storage-level encryption)
  • Secure credential storage (bcrypt hashing for passwords and API keys)
  • Access controls and authentication (JWT, API keys, 2FA)
  • Regular security monitoring and logging
  • DDoS protection (Cloudflare WAF)

4.4 Data Retention

Rynko implements a three-tier data retention system designed for GDPR compliance:

Tier 1: Full Logs (30 Days)

  • Document content: NOT stored - processed in memory and immediately discarded after generation
  • Generated documents: Stored temporarily (configurable, default 7 days) for download via signed URLs
  • Document metadata: Full details retained for 30 days

Tier 2: Archived Data (5 Years)

  • Personal data: REMOVED after 30 days (GDPR compliance - no PII in archives)
  • Basic metadata: Template used, status, error category, timestamps
  • Document count: Number only, not individual details

Tier 3: Daily Summaries (Indefinite)

  • Aggregated metrics only: Total generated, successful, failed per day/template
  • No individual data: Cannot identify specific documents or recipients

Other Data

  • Webhook events: Retained for 30 days
  • Deleted records: Permanently removed after 30-day soft-delete period

4.5 Data Removal Requests

Data Subjects can request removal of their data directly from Rynko:

  • Submit a removal request at app.rynko.dev/data-removal
  • Email verification is required to prove identity
  • Upon verification, Rynko removes any identifiable data from our systems
  • Requests are processed within 30 days as required by GDPR
  • Note: Document logs older than 30 days already have personal data removed

4.6 Assistance with Data Subject Rights

Rynko will assist the Customer in responding to Data Subject requests by providing:

  • Data export capabilities via API
  • Data deletion upon Customer request
  • Access to document generation logs (within retention period)

5. Sub-processors

5.1 Authorized Sub-processors

The Customer authorizes Rynko to engage the sub-processors listed on our Sub-processors page.

5.2 Sub-processor Obligations

Rynko ensures that each sub-processor:

  • Is bound by data protection obligations no less protective than this DPA
  • Provides sufficient guarantees for appropriate technical and organizational measures

5.3 Changes to Sub-processors

Rynko will:

  • Maintain an up-to-date list of sub-processors on our website
  • Notify Customers of any intended changes to sub-processors via email or dashboard notification
  • Provide Customers with the opportunity to object to new sub-processors within 30 days

6. Security Incident Notification

In the event of a Security Incident affecting Personal Data, Rynko will:

  • Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the incident
  • Provide information about the nature of the incident, categories of data affected, and approximate number of Data Subjects
  • Describe the likely consequences and measures taken to address the incident
  • Cooperate with the Customer's investigation and mitigation efforts

Notification will be sent to the email address associated with the Customer's account.

7. International Data Transfers

Rynko and its sub-processors process data primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
  • Our sub-processors maintain appropriate transfer mechanisms (SCCs, binding corporate rules, or adequacy decisions)
  • We implement supplementary measures where necessary to ensure adequate protection

8. Audits and Compliance

Rynko will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Customer or an independent auditor (with reasonable notice and during business hours)
  • Provide security documentation and compliance certifications upon request

9. Data Deletion and Return

Upon termination of services or upon Customer request:

  • Rynko will delete or return all Personal Data within 30 days
  • Customer may export their data using our data export features before termination
  • Rynko may retain data where required by applicable law, with continued protection under this DPA

10. Controller Obligations

The Customer agrees to:

  • Ensure a valid legal basis exists for processing Personal Data (e.g., consent, legitimate interest, contract)
  • Provide any required notices to Data Subjects about how their data will be processed
  • Respond to Data Subject requests using tools provided by Rynko
  • Not use Rynko services to generate documents containing illegal or harmful content
  • Maintain appropriate security measures for API keys and account credentials
  • Promptly notify Rynko of any Data Subject requests or complaints

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

Rynko shall not be liable for any claims arising from the Customer's failure to comply with Data Protection Laws or their own privacy obligations.

12. Term

This DPA:

  • Becomes effective when the Customer begins using Rynko services
  • Remains in effect for the duration of the Customer's use of Rynko services
  • Survives termination with respect to any Personal Data retained by Rynko

13. Updates to this DPA

Rynko may update this DPA to reflect changes in Data Protection Laws or our processing activities. We will notify Customers of material changes via email or dashboard notification at least 30 days before they take effect.

14. Contact

For questions about this DPA or to exercise data protection rights, contact us at:

  • Email: privacy@rynko.dev
  • Address: Rynko, Delivstat Technology Solutions, 7/A, Thanal, Kodungoor, Vazhoor, Kottayam, Kerala, India - 686504

See our full list of sub-processors for details on third parties that process data on our behalf.
