Data Processing Agreement
Effective: March 1, 2026
1. Scope & Roles
This Data Processing Agreement ("DPA") forms part of the PgBeam Terms of Service and governs the processing of personal data by PgBeam on behalf of the Customer.
Controller: The Customer is the Controller for all personal data contained in database queries routed through PgBeam. PgBeam is also a Controller for account data (name, email, billing information) collected directly from users.
Processor: PgBeam acts as a Processor for database traffic (queries, results, and connection metadata) that passes through the PgBeam proxy infrastructure.
2. Processing Details
Nature of processing: PostgreSQL wire protocol proxying, including connection pooling, query routing, and transient in-memory caching of query results.
Purpose: To provide the PgBeam service as described in the Terms of Service — low-latency database connectivity, connection pooling, and query caching.
Duration: For the duration of the Customer's use of the PgBeam service, plus any applicable retention periods.
Categories of data subjects: The Customer's end users and any individuals whose personal data is stored in the Customer's database and queried through PgBeam.
Types of personal data: Any personal data contained in the Customer's database queries and results. PgBeam does not inspect, parse, or classify query content — data flows through the proxy transparently.
3. Processor Obligations
PgBeam shall:
Documented instructions: Process personal data only on documented instructions from the Customer, unless required by applicable law.
Confidentiality: Ensure that persons authorized to process personal data are subject to confidentiality obligations.
Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5).
Sub-processor management: Not engage another processor without prior written authorization from the Customer. Current sub-processors are listed in Section 4.
Data subject requests: Assist the Customer in responding to data subject access, rectification, erasure, and portability requests.
Deletion on termination: Upon termination of the service, delete all personal data processed on behalf of the Customer within 90 days, unless retention is required by applicable law.
4. Sub-Processors
The following sub-processors are authorized to process personal data on behalf of the Customer:
Amazon Web Services (AWS) — Infrastructure hosting across 6 global regions (US East, US West, EU Ireland, Asia Pacific Mumbai, Singapore, Tokyo). Processing includes compute, networking, and secrets management.
Vercel — Dashboard and marketing site hosting (United States).
PlanetScale — Managed PostgreSQL database for PgBeam's control plane data.
Stripe — Payment processing and subscription management.
BetterStack — Uptime monitoring and log management.
GitHub — Source code hosting and container image registry.
5. Security Measures
PgBeam implements the following technical and organizational security measures:
Encryption in transit: All connections use TLS 1.2 or higher. Client-to-proxy and proxy-to-upstream connections are encrypted using PostgreSQL-native SSL negotiation.
Encryption at rest: Database credentials are encrypted using AES-256-GCM. TLS certificates are stored in AWS Secrets Manager.
Network isolation: Each data plane region runs in a dedicated AWS VPC. Inter-region communication uses VPC peering over a private network (no public internet).
Authentication: JWT-based authentication via JWKS verification. API key authentication for programmatic access. Two-factor authentication support.
Access control: Role-based access control via organization membership. Per-project resource isolation (connection limits, rate limits, cache namespaces).
Credential passthrough: PgBeam does not store or log plaintext database credentials. Client credentials are passed through transparently to the upstream database.
6. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), PgBeam relies on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. Customers may select the data plane region closest to their database to minimize cross-border data transfers.
7. Breach Notification
PgBeam shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
Contact
Questions about this DPA? Contact us at privacy@pgbeam.com.