Data Protection Addendum
Effective date: 19 July 2026
1. About this addendum
This Data Protection Addendum ("DPA") forms part of the Terms of Service between Ratelimitly Technologies - FZCO ("Ratelimitly") and the customer, and applies to the extent Ratelimitly processes personal data on the customer's behalf that is subject to data protection law, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where applicable, the EU/UK GDPR. "Personal data", "controller", "processor", "processing", and "data subject" have the meanings given in the applicable law.
2. Roles
For Customer Data — data the customer submits to the Service, including rate-limit configuration and traffic metadata — the customer is the controller (or a processor acting for another controller) and Ratelimitly is a processor.
For account data — the customer's own account, billing, and usage records — Ratelimitly is an independent controller, as described in the Privacy Policy.
3. Processing instructions
Ratelimitly will process Customer Data only on the customer's documented instructions — which are, principally, the Terms, this DPA, and the customer's configuration of the Service — unless processing is required by law, in which case we will inform the customer unless the law prohibits it. Personnel with access to Customer Data are bound by confidentiality obligations.
4. Security
Ratelimitly implements technical and organisational measures appropriate to the risk, as described in the Security Overview. The customer is responsible for its own configuration choices, credential handling, and for the security of systems outside Ratelimitly's control.
5. Sub-processors
The customer gives general authorisation for the sub-processors listed at /legal/sub-processors. We will update that page before adding or replacing a sub-processor and give notice of material changes (by email or in-product notice). If the customer reasonably objects on data protection grounds and no resolution is found within 30 days, the customer may terminate the affected service and receive a refund of prepaid fees for the unused period. Ratelimitly remains responsible for its sub-processors' performance.
6. Assistance
Taking into account the nature of the processing, Ratelimitly will reasonably assist the customer in responding to data subject requests and in meeting its obligations regarding security, breach notification, and data protection impact assessments. Where a data subject contacts us directly about Customer Data, we will refer them to the customer unless the law requires otherwise.
7. Personal data breaches
Ratelimitly will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for the customer's own notification obligations as it becomes available.
8. Return and deletion
On termination, the customer may export its exportable data for 30 days as described in the Terms; afterwards Ratelimitly deletes Customer Data in the ordinary course, except where law requires retention. Backup copies are deleted on their normal expiry cycle.
9. Audits
On written request no more than once per year, Ratelimitly will make available information reasonably necessary to demonstrate compliance with this DPA, and will allow audits required of the customer by law, conducted with reasonable notice, during business hours, without disrupting the Service, and under confidentiality.
10. International transfers
Customer Data is processed in the locations listed on the sub-processors page (primarily the United States) and by Ratelimitly from the United Arab Emirates. Where a transfer requires a safeguard under applicable law, the parties rely on the sub-processors' standard contractual clauses or equivalent mechanisms, and the relevant module of the EU standard contractual clauses is deemed incorporated between the parties where required.
11. Schedule: processing details
- Subject matter and nature: rate limiting and load shedding for the customer's APIs; hosting and processing of configuration and rate-limit check metadata.
- Duration: the term of the Terms of Service plus the export and deletion periods above.
- Categories of data: rate-limit configuration; tenant keys; counters and timing metadata; connection metadata such as IP addresses in server logs. The Service is designed not to receive the customer's application payloads.
- Data subjects: the customer's personnel and, to the extent connection metadata relates to them, the customer's end users.
12. Precedence
If this DPA conflicts with the Terms regarding the processing of personal data, this DPA prevails. Questions: contact@ratelimitly.com.