Data Processing Agreement (DPA): Vantoro
Last updated: 12 Jul 2026
This DPA forms part of the Terms of Use between Refactor Labs Pty Ltd (ABN 59 700 054 600) ("Processor", "Refactor Labs") and Customer ("Controller") and governs Refactor Labs' processing of personal data contained within Customer Data. Like the Terms of Use, this DPA is offered on a standard, non-negotiated basis to all customers.
1. Roles
Customer is the Controller of any personal data it chooses to include in Customer Data sent to the API (whether directly or via one of our open-source SDKs). Refactor Labs is the Processor, acting only on Customer's documented instructions (as effected through Customer's use of the API and dashboard configuration).
2. Subject Matter & Duration
Processing occurs for the duration of the Terms of Use, for the purpose of providing the observability/tracing Service.
3. Nature, Purpose, and Categories of Data
Because Customer determines what it sends to the API, Customer is responsible for classifying the types of personal data and data subjects involved (e.g., employees, end-users). Refactor Labs recommends using our SDKs' redaction features, where used, to exclude personal data from transmission wherever possible.
4. Processor Obligations
Refactor Labs will:
- process personal data only per Customer's instructions (as reflected in normal Service operation) and applicable law;
- ensure personnel with access are bound by confidentiality;
- implement appropriate technical/organisational security measures (see Security Annex below);
- assist Customer, where reasonably possible, in responding to data subject requests and regulatory inquiries;
- notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data;
- retain Customer Data per Customer's configured retention setting, subject to a platform-enforced maximum published in our documentation;
- delete or return Customer Data on termination, subject to legally required retention, per the retention terms in the Terms of Use.
5. Subprocessors
5.1 Customer authorises Refactor Labs to engage the subprocessors listed on its published Subprocessors page to process Customer Data.
5.2 Refactor Labs will ensure each subprocessor is bound by written obligations that are no less protective of Customer Data than the obligations imposed on Refactor Labs under this DPA, to the extent relevant to the services performed by that subprocessor.
5.3 Refactor Labs will give Customer at least 30 days' prior notice of a new subprocessor by updating the Subprocessors page or another published channel.
5.4 If Customer reasonably objects to a new subprocessor on data-protection grounds within 14 days of notice, the parties will discuss the objection in good faith. If Refactor Labs cannot reasonably address the objection, Customer may terminate the affected Service before the new subprocessor begins processing Customer Data and receive a pro-rata refund of prepaid Fees for the unused portion of the subscription period.
6. International Transfers
6.1 Refactor Labs will store Customer Data in Australia by default, except where Customer directs otherwise or a required service is not available in Australia.
6.2 Before permitting a subprocessor outside Australia to process Customer Data, Refactor Labs will take reasonable steps to ensure the overseas recipient handles Customer Data consistently with applicable privacy and data protection laws.
6.3 Where Customer Data is subject to GDPR or UK GDPR, Refactor Labs will use a valid transfer mechanism for restricted transfers, including the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum, where applicable.
6A. GDPR Module (applies where Customer or its data subjects are located in the EEA/UK)
Where this DPA covers personal data subject to GDPR or UK GDPR:
- Roles: the parties' roles as described in Section 1 correspond to "controller" and "processor" as defined in Article 4 GDPR.
- Article 28 obligations: Refactor Labs' obligations under Section 4 of this DPA are intended to satisfy the requirements of Article 28(3) GDPR, including processing only on documented instructions, confidentiality, security, sub-processor flow-down, breach notification, and assistance with data subject rights and DPIAs where reasonably required.
- Transfer mechanism: transfers of personal data from the EEA/UK to Australia or any other third country are made under the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor), or the UK International Data Transfer Addendum, incorporated by reference and available on request.
- Sub-processor transfers: Refactor Labs ensures onward transfers to sub-processors outside the EEA/UK are subject to equivalent safeguards (SCCs or an adequacy mechanism).
- EU/UK Representative: Refactor Labs has not yet appointed an Article 27 GDPR representative, as our current EU customer volume falls within the "occasional processing" exemption. We'll appoint a representative once EU customers become a regular part of our customer base, and update this section accordingly.
7. Security Documentation
On reasonable request, Refactor Labs will make available relevant security documentation to help Customer assess our processing of Customer Data. This is a standard offering provided on the same basis to all customers; Refactor Labs does not offer on-site, third-party, or bespoke audit arrangements under this Agreement.
7A. Audit and Information Rights
7A.1 On reasonable written request no more than once in any 12-month period, Refactor Labs will provide Customer with reasonably available information necessary to demonstrate compliance with this DPA.
7A.2 Refactor Labs may satisfy this obligation by providing current security documentation, independent audit reports, certifications, or responses to reasonable written security questionnaires.
7A.3 Customer may request further information only where reasonably necessary to address a demonstrated material data protection risk. Any review must be conducted remotely, during normal business hours, on reasonable notice, and must not unreasonably interfere with Refactor Labs' operations or compromise the security or confidentiality of other customers.
8. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of Use.
Security Annex
Refactor Labs applies the following security measures to protect Customer Data:
- Access control: principle of least privilege for infrastructure access; no shared root credentials; multi-factor authentication required for administrative access.
- Encryption: data encrypted in transit (TLS) and at rest.
- Logging & audit trail: access and infrastructure activity logging (including AWS CloudTrail) to support incident investigation.
- Backups: daily automated backups, with periodic restore testing.
- Secrets management: credentials and API keys stored in a dedicated secrets manager, not hardcoded or committed to source control.
- Dependency management: regular review of third-party dependencies for known vulnerabilities.
- Incident response: a documented internal process for responding to and escalating security incidents, including the breach notification commitments in our Privacy Policy and this DPA.
This annex reflects our current practices as an early-stage company and will be expanded as our security program matures (e.g. formal certifications, penetration testing). Further detail is available on request at support@refactor.gg.
Contact
Refactor Labs Pty Ltd Level 1, 63-73 Ann Street, Surry Hills, NSW 2010 support@refactor.gg