re//factor

Data Processing Agreement (DPA): Vantoro

Last updated: 12 Jul 2026

This DPA forms part of the Terms of Use between Refactor Labs Pty Ltd (ABN 59 700 054 600) ("Processor", "Refactor Labs") and Customer ("Controller") and governs Refactor Labs' processing of personal data contained within Customer Data. Like the Terms of Use, this DPA is offered on a standard, non-negotiated basis to all customers.

1. Roles

Customer is the Controller of any personal data it chooses to include in Customer Data sent to the API (whether directly or via one of our open-source SDKs). Refactor Labs is the Processor, acting only on Customer's documented instructions (as effected through Customer's use of the API and dashboard configuration).

2. Subject Matter & Duration

Processing occurs for the duration of the Terms of Use, for the purpose of providing the observability/tracing Service.

3. Nature, Purpose, and Categories of Data

Because Customer determines what it sends to the API, Customer is responsible for classifying the types of personal data and data subjects involved (e.g., employees, end-users). Refactor Labs recommends using our SDKs' redaction features, where used, to exclude personal data from transmission wherever possible.

4. Processor Obligations

Refactor Labs will:

5. Subprocessors

5.1 Customer authorises Refactor Labs to engage the subprocessors listed on its published Subprocessors page to process Customer Data.

5.2 Refactor Labs will ensure each subprocessor is bound by written obligations that are no less protective of Customer Data than the obligations imposed on Refactor Labs under this DPA, to the extent relevant to the services performed by that subprocessor.

5.3 Refactor Labs will give Customer at least 30 days' prior notice of a new subprocessor by updating the Subprocessors page or another published channel.

5.4 If Customer reasonably objects to a new subprocessor on data-protection grounds within 14 days of notice, the parties will discuss the objection in good faith. If Refactor Labs cannot reasonably address the objection, Customer may terminate the affected Service before the new subprocessor begins processing Customer Data and receive a pro-rata refund of prepaid Fees for the unused portion of the subscription period.

6. International Transfers

6.1 Refactor Labs will store Customer Data in Australia by default, except where Customer directs otherwise or a required service is not available in Australia.

6.2 Before permitting a subprocessor outside Australia to process Customer Data, Refactor Labs will take reasonable steps to ensure the overseas recipient handles Customer Data consistently with applicable privacy and data protection laws.

6.3 Where Customer Data is subject to GDPR or UK GDPR, Refactor Labs will use a valid transfer mechanism for restricted transfers, including the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum, where applicable.

6A. GDPR Module (applies where Customer or its data subjects are located in the EEA/UK)

Where this DPA covers personal data subject to GDPR or UK GDPR:

7. Security Documentation

On reasonable request, Refactor Labs will make available relevant security documentation to help Customer assess our processing of Customer Data. This is a standard offering provided on the same basis to all customers; Refactor Labs does not offer on-site, third-party, or bespoke audit arrangements under this Agreement.

7A. Audit and Information Rights

7A.1 On reasonable written request no more than once in any 12-month period, Refactor Labs will provide Customer with reasonably available information necessary to demonstrate compliance with this DPA.

7A.2 Refactor Labs may satisfy this obligation by providing current security documentation, independent audit reports, certifications, or responses to reasonable written security questionnaires.

7A.3 Customer may request further information only where reasonably necessary to address a demonstrated material data protection risk. Any review must be conducted remotely, during normal business hours, on reasonable notice, and must not unreasonably interfere with Refactor Labs' operations or compromise the security or confidentiality of other customers.

8. Liability

Liability under this DPA is subject to the limitation of liability in the Terms of Use.

Security Annex

Refactor Labs applies the following security measures to protect Customer Data:

This annex reflects our current practices as an early-stage company and will be expanded as our security program matures (e.g. formal certifications, penetration testing). Further detail is available on request at support@refactor.gg.

Contact

Refactor Labs Pty Ltd Level 1, 63-73 Ann Street, Surry Hills, NSW 2010 support@refactor.gg