RunsOn Data Processing Addendum
Single procurement page covering RunsOn's narrow DPA scope, security measures, and supporting data-role disclosures.
Version 1.0 | Effective Date: March 24, 2026
How to read this page
RunsOn is not a conventional shared CI/CD SaaS. The product is installed in the customer’s AWS account, and the core runtime path normally stays there.
This page is intentionally the single procurement handoff page. It combines:
- a short data-role summary for buyers
- the operative Data Processing Addendum terms
- the security measures appendix for processor-scope handling
- the current subprocessor disclosure
- an informational controller-side vendor reference
Only the sections that describe RunsOn processing Customer Personal Data on the Customer’s behalf are operative DPA terms. The controller-side vendor reference near the end of this page is informational only and does not make those controller-side vendors DPA subprocessors.
Data roles at a glance
| Data flow | Where the data lives by default | RunsOn role | Covered by this DPA? |
|---|---|---|---|
| Runner VMs, job execution data, caches, logs, queue payloads, GitHub App credentials, and other core runtime data | Customer AWS account and customer GitHub environment | N/A | No |
Product telemetry sent to runs-on.com | RunsOn-side systems | Controller | No |
| Licensing, billing, procurement, buyer contacts, GitHub organization identifiers, GitHub usernames used for licensing or source access, and ordinary support correspondence | RunsOn-side systems | Controller | No |
| Customer-instructed support materials sent to RunsOn only for diagnostic handling on the customer’s behalf | RunsOn-side systems used for that support task | Processor, but only for the instructed support task | Yes |
Definitions
“Customer Personal Data” means personal data (as defined under applicable data protection law) that RunsOn processes on the Customer’s behalf under this DPA.
This Data Processing Addendum (“DPA”) forms part of the agreement between RunsOn (“RunsOn”, “Processor”) and the customer entity using RunsOn (“Customer”, “Controller”) to the extent RunsOn processes Customer Personal Data on the Customer’s behalf.
This DPA is intentionally narrow. RunsOn is not a standard hosted control plane for Customer CI/CD workloads. Core product runtime data normally remains in the Customer’s AWS account and is outside the scope of this DPA unless the parties expressly agree otherwise in writing.
1. Scope
RunsOn will act as a processor only for:
- customer-instructed support and diagnostic handling
- any other processing activity that the parties expressly document in writing as Customer Personal Data processed by RunsOn solely on the Customer’s behalf
Customer Personal Data outside those limited activities is not covered by this DPA.
2. Subject matter and duration
The subject matter of the processing is the provision of support, troubleshooting, and diagnostic assistance requested by the Customer.
The duration of the processing is the period during which RunsOn retains access to the relevant support materials or other documented processor-scope materials, plus any short period reasonably required to complete return, deletion, or legal hold obligations.
3. Nature and purpose of processing
RunsOn may receive, review, store, organize, and delete support materials or other documented processor-scope materials for the limited purpose of:
- diagnosing reported issues
- reproducing, investigating, or fixing support incidents
- responding to Customer support requests
- carrying out other written Customer instructions related to the same support matter
RunsOn will not use Customer Personal Data covered by this DPA for its own product analytics, marketing, or unrelated business purposes.
4. Categories of data and data subjects
The categories of data and data subjects covered by this DPA are limited to the items in Schedule 1.
Customer should avoid sending special-category data, regulated data, or unrelated personal data where not necessary for support. If such data is unavoidably included, Customer remains responsible for determining that the disclosure is lawful and appropriate.
5. Customer instructions
Customer instructs RunsOn to process Customer Personal Data only:
- as necessary to provide the scoped support or diagnostic services requested by Customer
- as set out in the applicable agreement, support request, or this DPA
- as otherwise documented in writing by Customer
RunsOn will promptly inform Customer if, in RunsOn’s opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by law.
6. Customer obligations
Customer is responsible for:
- the lawfulness of the disclosure of Customer Personal Data to RunsOn
- ensuring that its instructions comply with applicable law
- using reasonable efforts to minimize the personal data included in support materials
- implementing appropriate technical and organizational measures in its own environment, including the Customer AWS environment where the core RunsOn workload operates
7. RunsOn personnel and confidentiality
RunsOn will ensure that persons authorized to process Customer Personal Data:
- are bound by confidentiality obligations; or
- are subject to an appropriate statutory duty of confidentiality.
Access will be limited to personnel who need the data to perform the relevant support or diagnostic work.
8. Security measures
RunsOn will implement appropriate technical and organizational measures for the limited processor-scope data covered by this DPA, taking into account the nature of the processing and the risks presented.
The measures currently applied are described in Schedule 2 below.
9. Subprocessors
RunsOn will not appoint a subprocessor for DPA-scoped processing without complying with this section.
RunsOn’s current standing subprocessors for DPA-scoped processing are listed in Schedule 3 below.
RunsOn will:
- maintain that public list
- update it before or when a new standing subprocessor is engaged for DPA-scoped processing
- provide Customer an opportunity to raise a reasonable objection based on data protection grounds before the new standing subprocessor is used for materially similar processing
If Customer reasonably objects and the parties cannot resolve the issue, either party may suspend the affected processor-scope support activity.
10. Assistance
Taking into account the nature of the processing, RunsOn will provide reasonable assistance to Customer with:
- data subject requests relating to DPA-scoped processing
- security incident information needed for Customer’s own compliance
- Customer’s reasonable requests for information relevant to Articles 28 through 36 GDPR or the equivalent UK GDPR provisions
RunsOn may charge reasonable fees for unusually burdensome assistance that falls outside normal support.
11. Security incidents
RunsOn will notify Customer within 72 hours after becoming aware of a confirmed personal data breach affecting Customer Personal Data processed under this DPA.
The notice will include, to the extent reasonably available at the time:
- the nature of the incident
- the categories of data involved
- the likely consequences
- the measures taken or proposed to address the incident
12. Return and deletion
At the end of the relevant support matter, or upon Customer’s written request, RunsOn will delete or return Customer Personal Data covered by this DPA within 30 days, unless applicable law requires retention.
If retention is required by law, RunsOn will continue to protect the retained data and will not actively process it except as required by law.
13. Audit and information rights
RunsOn will make available information reasonably necessary to demonstrate compliance with this DPA.
The parties agree that the following is normally sufficient for a small vendor relationship:
- this DPA and the public documents linked from it
- responses to a reasonable written questionnaire
- follow-up documentary evidence where reasonably necessary
If those materials are insufficient, Customer may request one remote audit no more than once in any twelve-month period, on reasonable notice, during business hours, and subject to confidentiality protections and measures designed to avoid disruption or access to other customers’ information.
Each party will bear its own costs in connection with any audit under this section.
14. International transfers
RunsOn will not transfer Customer Personal Data covered by this DPA in violation of applicable data protection law.
If DPA-scoped processing requires a restricted transfer outside the EEA, Switzerland, or the UK, the parties will cooperate in good faith to put in place the then-applicable transfer mechanism, which may include the EU Standard Contractual Clauses and, where relevant, the UK International Data Transfer Addendum.
15. Deletion of unsupported scope assumptions
Nothing in this DPA should be interpreted as meaning that RunsOn hosts or routinely processes the following on the Customer’s behalf:
- customer workflows or repository contents
- customer runner environments
- customer GitHub App credentials stored in the Customer AWS account
- customer caches, logs, or queue payloads that remain in the Customer deployment
- controller-side telemetry processed under RunsOn’s Privacy Policy
16. Liability and order of precedence
The liability provisions of the main agreement govern this DPA unless applicable law requires otherwise.
If there is a conflict between this DPA and the main agreement on matters relating to DPA-scoped processing, this DPA controls to the extent of that conflict.
Schedule 1: Details of processing
| Item | Description |
|---|---|
| Subject matter | Support, troubleshooting, diagnostics, and other specifically documented customer-instructed processing |
| Nature and purpose | Receiving, reviewing, storing, organizing, and deleting support materials to investigate and resolve customer-reported issues |
| Duration | For the duration of the relevant support matter, plus limited time needed for secure deletion, return, or legal retention |
| Categories of personal data | Support contact details, support case contents, uploaded logs or diagnostics, screenshots, configuration excerpts, and similar limited materials supplied by Customer |
| Data subjects | Customer personnel and any individuals whose data is included in support materials by Customer |
| Exclusions | Customer AWS runner data not transmitted to RunsOn, repository contents not shared with RunsOn, and telemetry processed under RunsOn’s Privacy Policy |
Schedule 2: Security measures
RunsOn applies measures appropriate to the narrow processing covered by this DPA, including:
- limiting the scope of processor-side processing to customer-instructed support and similarly documented tasks
- using HTTPS/TLS for RunsOn-controlled service endpoints used for telemetry and license-related communications
- restricting access to DPA-scoped materials to authorized personnel with a need to know
- keeping the product architecture customer-controlled by default so core job execution, caches, logs, queue payloads, and GitHub App credentials stay in the Customer AWS account
- asking customers to minimize personal data in support materials where possible
- maintaining separate disclosure of processor-side subprocessors and controller-side vendors
- deleting or returning DPA-scoped materials when the support task is complete, subject to legal retention requirements
Schedule 3: Current subprocessor disclosure
| Subprocessor | Service | Location | DPA-scoped purpose |
|---|---|---|---|
| Fastmail Pty Ltd | Email hosting for support inboxes | Australia | Receipt and storage of DPA-scoped support emails and attachments sent to RunsOn |
If RunsOn later appoints a standing subprocessor for DPA-scoped support processing, this schedule will be updated before or when that subprocessor is engaged.
Informational appendix: Controller-side vendor reference
This appendix is provided to reduce procurement friction. It describes vendors used by RunsOn when RunsOn acts as a controller for its own limited business and product operations.
This appendix is informational only. It is outside the operative processor terms of this DPA and does not make the vendors listed below DPA subprocessors.
| Vendor | Service used by RunsOn | Data or flow involved | RunsOn role |
|---|---|---|---|
| Cloudflare | Delivery and hosting path for runs-on.com services, including the product telemetry endpoint | Website traffic, telemetry sent to runs-on.com, and related service-delivery metadata | Controller |
| Lemon Squeezy | Subscription, billing portal, transaction records, and related commercial tooling | Buyer contact details, subscription and billing records, and changelog subscription records submitted through Lemon Squeezy forms | Controller |
| GitHub | Licensing and source-access administration tied to GitHub organizations or usernames | GitHub organization identifiers, GitHub usernames, and related entitlement records | Controller |
| Fastmail Pty Ltd | Email hosting for ordinary support and business correspondence | Support inboxes, procurement emails, and related contact records handled by RunsOn as controller | Controller |
| Slack, if used for a customer support channel | Support communications for customers using a Slack-based support channel. Support correspondence conducted via Slack is treated as ordinary business correspondence under RunsOn’s controller role, not as processor-scope handling under this DPA. | Ordinary support correspondence and related contact records | Controller |