Data Processing Addendum (DPA)

1. Scope of Services

rConfig provides network configuration management and automation software used by organisations to manage network and security infrastructure.

The rConfig platform is deployed within infrastructure controlled by the Customer, including:

• On-premises environments
• Customer private cloud environments
• Customer-managed public cloud environments

The rConfig software therefore operates entirely within the Customer's infrastructure, and the Customer remains responsible for the hosting and control of all operational data processed by the software.

This DPA applies only to the limited personal data processed by rConfig in relation to licensing, customer accounts, and support services.

2. Roles of the Parties

For the purposes of applicable data protection law:

• The Customer acts as Data Controller
• OS Informatics Limited acts as Data Processor for the limited personal data described in this DPA.

For all operational data processed within a Customer's rConfig deployment, the Customer acts as Controller and processor within its own environment.

3. Personal Data Processed by rConfig

rConfig processes only minimal business contact information necessary for the administration of software licensing and customer support.

The categories of personal data processed by rConfig are limited to:

• Customer contact names
• Customer business email addresses
• Customer organisation or company names
• Customer licensing identifiers
• Customer billing or procurement contact details where applicable

rConfig does not intentionally collect, process, or store sensitive personal data.

4. Categories of Data Subjects

Personal data processed under this DPA may relate to:

• Customer administrators
• Customer technical users
• Customer procurement contacts
• Customer billing contacts

5. Purpose of Processing

Personal data processed by rConfig is used exclusively for:

• Software licensing administration
• Customer account management
• Technical support services
• Communication regarding software updates or security notices
• Billing and subscription management

6. Customer Hosted Data

All operational data managed by the rConfig software platform is hosted and controlled exclusively by the Customer.

This includes, but is not limited to:

• Network device configuration files
• Network configuration backups
• Device credentials stored by the system
• Network infrastructure metadata
• Operational logs
• Automation execution output

OS Informatics Limited does not host, process, or store this operational data as part of the rConfig product.

7. Infrastructure Data Clarification

The rConfig software platform is designed to process technical infrastructure data relating to network devices and systems.

Such data typically relates to network hardware, configuration states, and system operations, and therefore does not normally constitute personal data under GDPR.

If the Customer introduces personal data into configuration files or operational logs, the Customer remains responsible for ensuring compliance with applicable data protection laws.

8. Infrastructure Software Positioning

The parties acknowledge that rConfig is an infrastructure management system and not a personal data processing platform.

The rConfig software platform is designed to manage technical infrastructure configurations rather than personal data.

As a result:

• In most deployments, rConfig does not act as a processor of personal data within the Customer's operational environment.
• Any personal data contained within a Customer's infrastructure data is introduced and controlled solely by the Customer.

This DPA therefore applies only to the limited personal data processed by rConfig for licensing, support, and customer account management purposes.

9. Processor Obligations

rConfig shall:

• Process personal data only on documented instructions from the Customer
• Ensure personnel authorised to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organisational measures to protect personal data
• Assist the Customer with reasonable requests relating to GDPR compliance where applicable

10. Security Measures

rConfig maintains appropriate safeguards to protect personal data processed under this DPA, including:

• Secure hosting environments for licensing and support systems
• Role-based access controls and authentication mechanisms
• Encryption of data in transit where applicable
• Secure development and operational practices

11. Sub-Processors

rConfig may use third-party service providers to support internal operational systems such as:

• Licensing platforms
• Customer support systems
• Billing systems

Where sub-processors are used, rConfig ensures that such providers maintain appropriate data protection safeguards.

12. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), rConfig will ensure appropriate safeguards are implemented in accordance with applicable data protection laws.

13. Data Retention

Personal data processed by rConfig will be retained only for as long as necessary to:

• Maintain customer licensing records
• Provide support services
• Comply with legal or accounting obligations

14. Data Subject Requests

If rConfig receives a request from a data subject relating to personal data processed on behalf of the Customer, rConfig will notify the Customer and provide reasonable assistance where appropriate.

15. Personal Data Breach

rConfig will notify the Customer without undue delay upon becoming aware of a personal data breach affecting personal data processed under this DPA.

16. Term

This DPA remains in effect for as long as rConfig processes personal data on behalf of the Customer under the applicable agreement.

17. Governing Law

This DPA shall be governed by the same law governing the primary agreement between the parties.