Data Processing Agreement

Last updated: April 13, 2026

This DPA is incorporated into and forms part of the Conductor Terms of Service. By using Conductor and submitting personal data to the Service, you agree to this DPA. Enterprise customers requiring a signed DPA should contact legal@conductor.software.

1. Definitions

“Controller” means the Customer (you) who determines the purposes and means of processing personal data.
“Processor” means Conductor, which processes personal data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person processed through the Service.
“Processing” has the meaning given in the GDPR (Regulation (EU) 2016/679).
“Sub-processor” means any third party engaged by Conductor to process Personal Data.

2. Scope and Purpose

This DPA governs the processing of Personal Data by Conductor on behalf of the Controller in connection with the Conductor Service. The subject-matter, nature, purpose, and duration of processing are as described in the Privacy Policy.

Categories of data subjects: Customer's end users and team members.

Categories of personal data: Names, email addresses, account credentials, project metadata, execution logs.

Purpose: Providing software orchestration and project management services.

Duration: For the term of the subscription agreement, plus any retention period required by law.

3. Processor Obligations

Conductor, as a Processor, will:

Process Personal Data only on documented instructions from the Controller (i.e., to provide the Service).
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS) and at rest.
Not engage Sub-processors without prior general or specific written authorization from the Controller, except as set out in this DPA.
Assist the Controller in responding to data subject rights requests and in fulfilling obligations under applicable data protection laws.
Delete or return all Personal Data upon termination of the Service, at the Controller's choice.
Make available all information necessary to demonstrate compliance with this DPA and allow for audits.

4. Controller Obligations

The Controller represents and warrants that:

It has a valid legal basis to transfer Personal Data to Conductor for processing.
It has provided appropriate notice to and, where required, obtained consent from data subjects.
It will comply with applicable data protection laws in its use of the Service.

5. Sub-processors

The Controller hereby provides general authorization for Conductor to engage the following Sub-processors:

Supabase Inc.

Purpose: Database hosting and authentication. Location: EU (Frankfurt, Germany).

Vercel Inc.

Purpose: Application hosting and CDN. Location: US (with EU data routing available).

LemonSqueezy LLC

Purpose: Payment processing and subscription management. Location: US.

PostHog Inc.

Purpose: Product analytics. Location: EU (EU Cloud option enabled).

Conductor will inform the Controller of any intended changes to Sub-processors with at least 14 days notice via email, providing the Controller an opportunity to object.

6. International Data Transfers

Personal Data from EEA data subjects may be transferred to third countries (including the United States) where Sub-processors are located. Conductor ensures that such transfers are made under appropriate safeguards, including Standard Contractual Clauses (SCCs) as required by GDPR Article 46.

7. Security Incidents

In the event of a Personal Data breach, Conductor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include, to the extent available: a description of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

8. Data Subject Rights Assistance

Conductor will assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). Requests to Conductor should be sent to privacy@conductor.software.

9. Deletion and Return of Data

Upon termination of the Service, Conductor will, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, and certify deletion in writing within 30 days of the request. Conductor may retain Personal Data to the extent required by applicable law.

10. Audits

Conductor will provide the Controller with all information necessary to demonstrate compliance with this DPA. The Controller may request an audit no more than once per calendar year, with at least 30 days advance written notice, at the Controller's cost. Audits must not unreasonably interfere with Conductor's operations.

11. Enterprise DPA

Enterprise customers on the Team plan or above may request a signed DPA with custom terms. To initiate this process, contact legal@conductor.software with the subject line “DPA Request”.

12. Governing Law

This DPA is governed by the law specified in the Conductor Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.