1. Introduction

This Data Processing Addendum (“DPA”) supplements your Remote.It Terms of Use (the “Agreement”) and forms part of your contractual relationship with remot3.it, Inc. (“Remote.It”). It applies when Remote.It processes Personal Data subject to Regulation (EU) 2016/679 (General Data Protection Regulation, or “GDPR”).

This DPA becomes binding upon your acceptance of the Terms of Use or execution of a separate agreement with Remote.It. You must be an authorized representative of a legal entity to enter into this DPA.

2. Definitions

The following definitions apply:

• Applicable Law: All laws relating to data protection, including GDPR and relevant national laws.
• Controller: The entity that determines the purposes and means of the processing of Personal Data.
• Processor: The entity that processes Personal Data on behalf of the Controller.
• Data Subject: A natural person whose Personal Data is processed.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on Personal Data.
• Sub-processor: A third-party processor engaged by Remote.It to process data on behalf of the Controller.

3. Roles of the Parties

3.1 Controller and Processor. For Business customers: You act as the Data Controller, and Remote.It acts as the Data Processor with respect to the Services. For Individual users: Remote.It acts as Data Controller for account management.

3.2 Remote.It as Joint Controller. For certain limited data uses (e.g., analytics, service improvement), Remote.It may act as a Data Controller. These activities are governed by our Privacy Policy.

3.3 Customer’s Obligations. You confirm that:

• You have the legal right to provide Personal Data to Remote.It;
• You provide documented instructions;
• You have obtained all necessary consents under GDPR.

3.4 Processing by Remote.It:

Remote.It agrees to:

• Process Personal Data only on documented instructions;
• Ensure personnel are subject to confidentiality obligations;
• Assist the Controller in fulfilling obligations under Articles 32 to 36 GDPR;
• Make available audit documentation annually upon request and under NDA;
• Support responses to Data Subject Rights requests (see Section 4).

3.5 Details of Processing: See Schedule A.

4. Data Subject Rights

Remote.It will assist you in responding to Data Subject requests (access, correction, deletion, restriction, portability, objection) in accordance with GDPR Articles 12–23. Remote.It will notify you of any requests received unless prohibited by law.

See the Privacy Policy for detailed procedures.

5. Sub-processors

5.1 Authorization. You authorize Remote.It to engage Sub-processors as necessary to provide the Services.

5.2 Obligations. All Sub-processors are bound by written agreements with data protection obligations equivalent to this DPA. Remote.It remains liable for their actions.

5.3 Current Sub-processors. See Schedule C.

5.4 Changes & Objection Rights. Remote.It will provide at least 30 days’ notice before adding new Sub-processors. You may object on reasonable grounds. If an objection is unresolved, either party may terminate the affected Services.

6. Security Measures

6.1 Remote.It implements appropriate technical and organizational measures (see Schedule B) in accordance with Article 32 GDPR.

6.2 In case of a Personal Data Breach, Remote.It will notify you within 72 hours of becoming aware, including relevant details as required by GDPR Article 33.

7. Return or Deletion of Data

Upon termination of the Services, Remote.It will delete all Personal Data within 30 days unless retention is required by law.

8. International Transfers

Remote.It may transfer Personal Data outside the EEA. Where transfers occur to countries without an adequacy decision, Remote.It uses Standard Contractual Clauses (SCCs) or other approved safeguards under Article 46 GDPR.

9. Audit Rights

You may audit Remote.It’s compliance with this DPA:

• Once annually with at least 30 days’ notice;
• Or in the event of a security incident or regulatory request;
• At your own expense, using an independent auditor under confidentiality.

10. Term and Termination

This DPA remains in effect for the duration of your Agreement with Remote.It. Obligations regarding security and data deletion will survive termination.

11. Liability

Each party’s liability is subject to the limitations set forth in the underlying Agreement. Nothing in this DPA limits your rights under GDPR Article 82.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of California, USA. However, EEA-based Controllers and Data Subjects retain the right to seek remedies in their home jurisdictions as required by GDPR.

13. Exercising Your Rights

To exercise your GDPR rights, contact:

• Email: legal@remote.it
• Address: remot3.it, Inc., 1309 Ross Street, Suite A, Petaluma, CA 94954, United States

You may be asked to verify your identity and provide details to support your request.

14. Updates to This DPA

Remote.It may update this DPA to reflect legal or service changes. We will provide notice of material updates. Continued use of the Service after updates constitutes acceptance.

Schedule A: Details of Processing

• Subject Matter: Providing connectivity and network access Services
• Duration: Duration of Agreement + 30-day retention
• Categories of Data: Email address, unique user and device identifiers, transaction IDs
• Data Subjects: End users of paid and unpaid Remote.It accounts
• Purpose: Managing device connectivity and account identity verification

Schedule B: Security Measures

Technical and organizational security measures include:

• Physical and logical access controls
• Encrypted data at rest and in transit
• Role-based access management
• Logging and monitoring
• Intrusion detection
• Business continuity and disaster recovery procedures
• Regular vulnerability assessments

Schedule C: Sub-Processors

Remote.It uses the following Sub-processors:

* Changes notified 30 days in advance.