Data Processing Agreement
Last updated: February 11, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Raven GmbH ("Raven", "Processor") and the customer entity entering into Raven's Terms of Service ("Customer", "Controller"). This DPA applies only to the extent Raven processes Personal Data on behalf of Customer in connection with the Services.
1. Definitions
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP") and its ordinances.
- "Customer Data" has the meaning set out in the Terms of Service and includes Customer Content and account/workspace data provided in connection with the Services.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
- "Process" / "Processing" has the meaning given under Applicable Data Protection Laws.
- "Subprocessor" means any third party engaged by Raven to process Personal Data on behalf of Customer.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Raven on behalf of Customer.
2. Roles and Scope
2.1 Processor role
Raven will process Personal Data on behalf of Customer as a Processor to provide and support the Services in accordance with the Terms of Service and this DPA.
2.2 Controller role
Raven acts as an independent controller for personal data it processes for its own purposes (for example, website operation, account administration for self-serve users, billing administration, security and fraud prevention, and service improvement where permitted). Such processing is described in Raven's Privacy Policy and is not governed by this DPA.
2.3 Customer instructions
Customer is responsible for determining the purposes and means of Processing and for ensuring its instructions comply with Applicable Data Protection Laws.
3. Details of Processing
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects are described in Annex 1 (Details of Processing).
4. Processor Obligations
4.1 Instructions
Raven will Process Personal Data only on documented instructions from Customer, including as necessary to provide the Services, support, and security functions, unless required to do otherwise by applicable law. If Raven is required by law to Process Personal Data other than on Customer's instructions, Raven will notify Customer of that legal requirement unless prohibited by law.
4.2 Confidentiality
Raven will ensure that persons authorized to Process Personal Data are under an appropriate obligation of confidentiality.
4.3 Security
Raven will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex 2 (Security Measures).
4.4 No model training on Customer Content
Raven does not use Customer Content (including prompts, CAD files, and generated outputs) to train or fine-tune AI/ML models.
4.5 Assistance with data subject rights
Taking into account the nature of the Processing, Raven will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests for exercising data subject rights under Applicable Data Protection Laws.
4.6 Assistance with compliance
Raven will provide reasonable assistance to Customer with (i) security of Processing, (ii) notifications to supervisory authorities and affected individuals, (iii) data protection impact assessments, and (iv) prior consultations, in each case to the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and information available to Raven.
4.7 Security Incident notification
Raven will notify Customer without undue delay after becoming aware of a Security Incident and will provide information reasonably required for Customer to meet its notification obligations. Raven's notification will include, where feasible, the nature of the incident, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the incident.
4.8 Deletion or return
Upon termination or expiration of the Services, Raven will, at Customer's choice and as applicable, delete or return Personal Data in accordance with the Terms of Service and Raven's operational retention and deletion practices, unless applicable law requires storage.
4.9 Records
Raven will maintain records of processing activities to the extent required by Applicable Data Protection Laws.
5. Subprocessing
5.1 Authorization
Customer provides Raven with general authorization to engage Subprocessors to Process Personal Data on behalf of Customer, subject to the terms of this Section 5.
5.2 Current Subprocessors
Raven's current Subprocessors are listed in Annex 3 (Subprocessor List).
5.3 Changes and notification
Raven will provide notice of any intended additions or replacements of Subprocessors by updating the Subprocessor List or otherwise providing notice through the Services. If Customer objects to a new Subprocessor on reasonable data protection grounds, the parties will work together in good faith to address the objection, which may include providing an alternative or enabling Customer to terminate the affected Services (where available) without penalty.
5.4 Flow-down
Raven will impose data protection obligations on Subprocessors that are no less protective than those in this DPA. Raven remains responsible for the performance of its Subprocessors' obligations under this DPA.
5.5 Customer-Provided Model Providers
If Customer configures a Customer-Provided Model Provider (as described in the Terms of Service), that provider is not a Subprocessor of Raven for purposes of this DPA and Customer is responsible for its relationship and compliance with that provider.
6. International Transfers
6.1 Baseline EU/Switzerland processing
Raven's Services are designed so that, to the extent within Raven's control, Customer Data is hosted and processed in the EU or Switzerland.
6.2 Limited exceptions
Processing may occur outside the EU/Switzerland in limited circumstances, including where Customer configures an integration or Customer-Provided Model Provider that transfers data outside the EU/Switzerland, or where required by law.
6.3 Transfer safeguards
Where Applicable Data Protection Laws require a transfer mechanism for transfers of Personal Data to a country without an adequate level of protection, the parties will rely on an appropriate transfer mechanism, such as the then-current standard contractual clauses approved by the European Commission (and, where applicable, the UK addendum and Swiss-related amendments) or other recognized safeguards.
7. Audits and Information
7.1 Information
Upon reasonable request, Raven will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation.
7.2 Audits
Customer may audit Raven's compliance with this DPA no more than once per year (unless required by law or following a Security Incident), subject to reasonable advance notice, scope limitations, and confidentiality obligations. Raven may satisfy audit requests by providing third-party audit reports or certifications where available.
8. Liability and Priority
8.1 Liability
Liability under this DPA is subject to the limitations of liability set out in the Terms of Service, unless prohibited by Applicable Data Protection Laws.
8.2 Priority
In the event of a conflict between this DPA and the Terms of Service with respect to data protection or privacy matters, this DPA will control.
8.3 Order from conflicts
If the parties execute a separate written data processing agreement for the same Processing, that agreement will control to the extent of any conflict.
9. Term and Termination
This DPA remains in effect for the term of the Services and until Raven deletes or returns Personal Data as described in Section 4.8.
10. Governing Law
This DPA is governed by the same governing law and venue provisions as the Terms of Service.
Annex 1: Details of Processing
A. Subject matter
Processing of Personal Data to provide Raven's cloud software services, applications, APIs, and related documentation (the "Services").
B. Duration
For the term of the Services, plus any limited period required for return or deletion and routine backup retention.
C. Nature and purpose of Processing
Hosting, storing, transmitting, displaying, generating outputs from, and otherwise processing Customer Data and Personal Data to (i) provide requested features, (ii) secure, maintain, and troubleshoot the Services, (iii) provide support at Customer's request, (iv) prevent abuse/fraud and enforce terms, and (v) comply with legal obligations.
D. Categories of Data Subjects
Customer's Authorized Users and Administrators; Customer's employees, contractors, or end users; and any individuals whose Personal Data is included in Customer Content.
E. Categories of Personal Data
- Account and profile data (e.g., name, email, username, organization/workspace name, role/title if provided).
- Workspace administration data (e.g., user lists, permissions, configuration settings, audit/admin activity).
- Content submitted or generated within the Services to the extent it includes Personal Data (e.g., prompts, files, and outputs).
- Device and network data and Usage Data (e.g., IP address, device/app version, feature usage events, error/crash logs, and security/audit events), to the extent such data constitutes Personal Data.
F. Special categories of data
The Services are not intended for the processing of special categories of Personal Data. Customer will not submit special categories of data or data relating to criminal convictions/offences unless agreed in writing and appropriate safeguards are implemented.
G. Processing operations
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment/combination, restriction, erasure, and destruction.
Annex 2: Security Measures
Raven implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include, as appropriate:
- Logical access controls, least privilege, and role-based access management for production systems.
- Authentication safeguards for administrative access (e.g., MFA where available) and credential management.
- Encryption in transit using industry-standard protocols (e.g., TLS) and encryption at rest where supported by the underlying infrastructure.
- Network security controls (e.g., segmentation, firewalls, monitoring) and vulnerability management processes.
- Security logging and monitoring for abuse, integrity, and availability, including audit and security event logs.
- Secure software development practices, change management, and separation of environments where appropriate.
- Backups and disaster recovery processes designed to maintain availability and integrity.
- Incident response processes to detect, investigate, and remediate security incidents.
- Subprocessor due diligence and contractual protections consistent with this DPA.
Annex 3: Subprocessor List
Raven engages the following Subprocessors to support delivery of the Services. The primary processing location may vary based on configuration; Raven aims to use EU/Switzerland regions where available.
| Subprocessor | Service / purpose | Personal Data involved (typical) | Primary location(s) |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure and hosting (compute, storage, networking); optional identity and monitoring services | Customer Data stored/processed within the Services; operational telemetry as needed | EU/CH (configured); may vary |
| Stripe | Payment processing for self-serve subscriptions | Billing contact details; payment status; payment method tokens/metadata (Raven does not receive full card numbers) | Varies; Stripe-controlled |
| Outseta | Customer relationship, subscription/customer management and communications tooling (as configured) | Account/admin contact data; customer communications metadata | Varies; vendor-controlled |
| PostHog | Product analytics/telemetry (subject to plan settings and cookie/analytics choices where applicable) | Usage Data and limited identifiers as configured | EU/CH where configured; may vary |
| Hostpoint | Domain/DNS, email and/or related hosting services (as used) | Account/contact data and email metadata as applicable | Switzerland |
Signatures
This DPA may be executed by acceptance of the Terms of Service (including through click-accept) or by signature.
Contact
Questions about this DPA: legal@raven.build
