Solutions

Pricing

Team

Blog

Docs

Log in

Sign Up

Solutions

Pricing

Team

Blog

Docs

Log in

Sign Up

Data Processing Agreement
Effective Date: December 1, 2025
This Data Processing Agreement ("DPA") supplements the existing Subscription Framework Agreement ("SFA"). It applies to the extent that We as Provider processes Personal Data on behalf of You as Controller in the course of providing the Services defined in the SFA.

  1. Definitions
    ● "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under the SFA, including, as applicable, the GDPR, the UK GDPR, US State Privacy Laws, and Israeli Privacy Laws.
    ● "CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
    ● "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings ascribed to them in the GDPR.
    ● "EU SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, specifically Module Two (Controller to Processor) and/or Module Three (Processor to Processor), as applicable.
    ● "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation).
    ● "Israeli Privacy Laws" means Israel's Protection of Privacy Law, 5741-1981, and the regulations promulgated thereunder, including the Protection of Privacy (Data Security) Regulations, 5777-2017.
    ● "Sub-processor" means any third party engaged by the Provider to process Personal Data in connection with the Services.
    ● "Service Data" means data relating to Your use of the Services, including but not limited to, billing, administrative, and account management information; technical logs; telemetry data; IP addresses of Your administrators; resource IDs; API usage patterns; and metadata required for security, maintenance, and optimization of the Control Plane.
    ● "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office.
    ● "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018.
    ● "US State Privacy Laws" means applicable US state data privacy laws, including the CCPA, Virginia VCDPA, Colorado CPA, Utah UCPA, and Connecticut CTDPA. US-specific terms like "Business", "Service Provider", "Sell", and "Share" shall have the meanings given in the CCPA.


  2. Roles and Processing of Personal Data
    a. Roles: The parties acknowledge that for the Processing of Personal Data, You are the Controller and We are the Processor. The Parties acknowledge further that regarding Service Data, We act as an Independent Controller (not a Joint Controller). We shall process Service Data for the following limited purposes: (i) billing, audit, and account management; (ii) security, fraud detection, and abuse prevention; (iii) complying with legal obligations applicable to Us; and (iv) analyzing and optimizing the performance and usage of the Services. We shall comply with all Applicable Data Protection Laws regarding Our processing of Service Data.

    b. Scope of Processing: We shall process Personal Data only on behalf of and in accordance with Your documented instructions for the purposes of providing the Services, as described in the SFA and this DPA. The SFA and this DPA constitute Your complete instructions.
    Hybrid Deployment Roles: The parties acknowledge the hybrid nature of the Services, which separates the "Control Plane" (management metadata, configuration, and telemetry) from the "Data Plane" (Customer's applications and payload data).
    ● Provider-Hosted Data Plane: Where You select a Provider-hosted Data Plane, We act as a Processor for Personal Data within both the Control Plane and Data Plane.
    ● Customer-Hosted Data Plane: Where You choose to host the Data Plane , We act as a Processor solely for the Personal Data contained within the Control Plane. You acknowledge that regarding the Data Plane, We have no access to, possession of, or control over the Personal Data contained therein, except for the limited purpose of remote management instructions initiated by the Control Plane. We shall not be liable for any Data Breach originating in a Customer-Hosted Data Plane unless caused directly by a compromise of our Control Plane.
    c. Processing Location: We shall process Personal Data in the geographic region(s) selected by You in the applicable Order Form ("Processing Location"). We shall not transfer Personal Data from the selected Processing Location to another country except as necessary to provide the Services (e.g., for global support or security functions) or to engage Sub-processors, and in all cases only in accordance with the international transfer mechanisms set forth in Schedule 4.
    d. Infringing Instructions: We shall immediately inform You if, in our opinion, an instruction from You infringes Applicable Data Protection Law. We are entitled to suspend the execution of the relevant instruction until such instruction is confirmed or amended by You.


  3. Details of Processing
    The subject-matter, duration, nature, purpose, and categories of Personal Data and Data Subjects are set forth in Schedule 1 (Details of Processing).


  4. Security of Processing
    a. Technical and Organizational Measures (TOMs): We shall implement and maintain the appropriate technical and organizational measures as set forth in Schedule 2 (Technical and Organizational Measures) to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. You acknowledge that the TOMs are subject to the Shared Responsibility Model described therein.
    b. Confidentiality: We shall ensure that its personnel authorized to process Personal Data are bound by a duty of confidentiality.


  5. Sub-processing
    a. General Authorization: You grant Us a general authorization (1) to engage the Sub-processors included in Schedule 3 to support the provision of the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.
    b. Appointment and Objections: We shall inform You of any intended new Sub-processor at least fourteen (14) days in advance, giving You the opportunity to object. Such objections must be based on reasonable data protection grounds. If We and you cannot resolve the objection, either party may terminate the affected Order Form for convenience.
    c. Flow-down Obligations: We shall enter into a written agreement with each Sub-processor imposing data protection obligations that are at least as restrictive as those imposed on Us under this DPA. We shall ensure all transfers to Sub-processors are made in accordance with Schedule 4.


  6. Data Subject Rights: We acknowledge that, due to the nature of the Processing (IaaS), You control the Personal Data residing within the Data Plane via the Services' APIs and configuration tools. Therefore, You are solely responsible for handling Data Subject requests using the self-service capabilities of the Services. We shall provide reasonable technical assistance to You, insofar as this is possible and necessary, but We are not obligated to access, retrieve, or modify Customer Content in the Data Plane to fulfil a Data Subject request on Your behalf. We shall promptly forward to You any Data Subject request We receive concerning Customer Content.


  7. Personal Data Breach: We shall notify You without undue delay after becoming aware of a Personal Data Breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content or Control Plane Data. We shall provide You with reasonable assistance and information necessary to enable You to meet its breach notification obligations, excluding any obligation for Us to determine the cause, scope, or impact of a breach that originates entirely within a Customer-Hosted Data Plane.


  8. Data Protection Impact Assessment (DPIA): We shall, upon Your reasonable request, provide reasonable assistance to You with any DPIAs and prior consultations with supervisory authorities, limited to the Processing of Personal Data by Us in connection with the Services and taking into account the information available to Us.


  9. Audit and Compliance: We shall make available to You all information reasonably necessary to demonstrate compliance with this DPA. We shall allow for and contribute to audits, including inspections, conducted by You or an independent, third-party auditor mandated by You (who is not a competitor of Us) and bound by confidentiality. You agree that such audits shall, in the first instance, be satisfied by Us providing current, independent, third-party audit reports (e.g. SOC 2). An on-site audit shall only be conducted (i) where such reports are not sufficient, (ii) upon reasonable evidence of non-compliance, (iii) no more than once annually, (iv) at Your sole expense, and (v) subject to reasonable advance notice and strict confidentiality and security rules. If an audit or inspection conducted under this Section reveals a material breach of this DPA or the security obligations defined in Schedule 2 (TOMs) attributable to Us, We shall reimburse You for the reasonable, documented costs incurred for that specific audit.


  10. Deletion and Return of Data: Upon termination or expiry of the SFA, We shall delete or return all Personal Data to You in accordance with the data retrieval and deletion procedures and timelines set forth in the SFA and its Addenda (including the EU Data Act Addendum, if applicable).


  11. International Data Transfers: We shall ensure all transfers of Personal Data are made in accordance with Applicable Data Protection Law. The transfer mechanisms are detailed in Schedule 4 (International Data Transfers).


  12. Jurisdictional Modules: For data processing subject to the laws of specific jurisdictions, the following schedules shall apply and, in case of conflict, supplement or supersede the terms of this DPA:
    ● Schedule 5: UK GDPR Module
    ● Schedule 6: US State Privacy Laws Module
    ● Schedule 7: Israeli Privacy Laws Module


  13. Liability: The disclaimers and limitations of liability set forth in the SFA (including, but not limited to, Section 8) shall apply to all claims and obligations arising under this DPA. We shall be liable to You for the acts and omissions of our Sub-processors to the same extent We would be liable if performing the services of each Sub-processor directly. Notwithstanding anything to the contrary in this DPA or the SFA, We shall have no liability for any loss, destruction, alteration, or unauthorized disclosure of Personal Data residing in a Data Plane hosted, managed, or secured by You ("Customer-Hosted Data Plane"), except to the extent such event was directly caused by Our failure to secure the Control Plane in accordance with Schedule 2.


  14. Precedence: In the event of a conflict, this DPA and its Schedules shall prevail over the SFA regarding the subject matter of data protection.


    Schedule 1: Details of Processing


    A. Subject-Matter and Duration
    Subject-Matter: The provision of IaaS (Infrastructure Services) and related services as described in the SFA, enabling You to build, deploy, and manage Customer Applications.
    Duration: The term of the applicable Order Form(s).


    B. Nature and Purpose of Processing
    Nature & Purpose: Hosting, storage, transmission, and processing of Personal Data as contained within Your Data and Your Applications, as initiated and directed by You, for the sole purpose of providing the Services.

    C. Categories of Personal Data
    Customer Content (Data Plane): Any Personal Data determined and controlled exclusively by You, stored within the virtual machines, databases, or storage volumes of we, as an IaaS provider do not have knowledge of. When the Data Plane is self-hosted by You, We do not process this data except technically as required to transmit management instructions.
    Control Plane Data: Configuration data, resource identifiers, environmental variables, and technical logs required to manage the infrastructure. You agree not to place sensitive Personal Data (e.g., health data, financial data) inside Control Plane metadata fields (such as resource names or tags) that are not designed for encrypted storage.
    Administrator and Service Data: Personal Data relating to Your employees or representatives who provision, manage, or utilize the Services, which We process as an Independent Controller for Our own defined purposes.


    D. Categories of Data Subjects
    ● The categories of Data Subjects are determined and controlled exclusively by You.

    Schedule 2: Technical and Organizational Measures (TOMs)


We shall implement and maintain, at a minimum, the following TOMs:


  1. Shared Responsibility Model: The parties acknowledge the Services are provided under a Shared Responsibility Model. We are responsible for the security of the cloud infrastructure (physical hardware, network, virtualization layer, managing OS patching, network configurations, access controls) for Company-Hosted Components in the selected Processing Location.
    You are responsible for security of self-hosted Components, encryption of End-User Data, and securing Customer Applications.

  2. Access Control (Physical): Measures to prevent unauthorized physical access to data processing facilities (e.g., 24/7 security, access logs, multi-factor access control).

  3. Access Control (Logical): Measures to prevent unauthorized system access (e.g., role-based access control [RBAC], strong password policies, multi-factor authentication [MFA] for privileged access, logging of access).

  4. Encryption: Encryption of Personal Data in transit (e.g., TLS) and at rest (e.g., AES-256 for storage).

  5. Resilience: Measures to ensure the resilience of processing systems (e.g., redundant systems, backup procedures, disaster recovery plans).

  6. Testing and Auditing: Regular security assessments, vulnerability scanning, penetration testing, and third-party audits (e.g. SOC 2 Type II or equivalent).

  7. Incident Management: A formal incident response process to detect, respond to, and remediate Personal Data Breaches.

  8. Control Plane Security: (i) We implement logical isolation controls within the Control Plane designed to prevent one customer's configuration data from impacting or accessing another customer's environment. (ii) We utilize industry-standard secrets management systems to ensure that any credentials required for the Control Plane to communicate with Your Data Plane are encrypted at rest and in transit. (iii) All management instructions sent from the Control Plane to a Customer-Hosted Data Plane are transmitted over mutually authenticated, encrypted channels (e.g., mTLS).



Schedule 3: Sub-processors


You provide general authorization for the engagement of the following categories of Sub-processors:
Core Infrastructure: Co-location data centers, network providers.
Service Monitoring & Security: Logging, monitoring, and security incident management services.
Customer Support: Ticketing systems, customer communication tools.


A dated and versioned list of Sub-processors and their locations is available at tower.dev/subprocessors


Schedule 4: International Data Transfers


  1. Primary Processing Location: The primary processing location for the Services is Germany (EEA).

  2. Transfers from Customer to Provider:
    ○ From EEA: No international transfer occurs.
    ○ From UK: Transfers to Germany are permitted under the UK's adequacy regulations for the EEA.
    ○ From Israel: Transfers to Germany are permitted under Israel's adequacy findings for the EEA/EU.
    ○ From US (or other Third Countries): Where Customer transfers Personal Data from a third country (e.g., US) to Provider in Germany, Customer is responsible for ensuring it has a valid legal basis for the transfer. To the extent such data is subject to the GDPR or UK GDPR (e.g., data of EU/UK residents), the parties agree that the EU SCCs (Module Two: Controller-to-Processor), as supplemented by the UK Addendum where applicable, are incorporated by reference and shall govern such transfers.

  3. Transfers from Provider to Sub-processors:
    ○ If Provider (based in Germany) transfers Personal Data to a Sub-processor in a country without an adequacy decision (a "Third Country"), Provider shall ensure such transfer is governed by a valid transfer mechanism, such as the EU SCCs (Module Three: Processor-to-Processor).
    ○ Remote Access Acknowledgement: You acknowledge that the Control Plane (hosted in Germany) maintains persistent, secure connections to Your Data Plane for management purposes, regardless of the geographic location of Your Data Plane. You hereby authorize this remote access and the resulting transfer of technical telemetry and metadata back to the Control Plane as necessary for the provision of the Services.

    Schedule 5: UK GDPR Module


    This Schedule applies only to Personal Data subject to the UK GDPR.

    1. References in this DPA to "GDPR" shall be interpreted as "UK GDPR".

    2. References to "EU", "Union", or "Member State" shall be interpreted as "United Kingdom" or "UK".

    3. References to "EU SCCs" shall, where the transfer is subject to the UK GDPR, be interpreted as the EU SCCs as modified by the UK Addendum.

    4. For transfers from Provider to a Sub-processor (as described in Schedule 4, Section 3), where the data is subject to UK GDPR, the EU SCCs (Module Three) shall be supplemented by the UK Addendum, with the relevant Tables completed.


    Schedule 6: US State Privacy Laws Module


    This Schedule applies only to Personal Data subject to US State Privacy Laws (e.g., CCPA).

    1. Provider is a "Service Provider" for the purposes of the CCPA.

    2. Provider shall not "Sell" or "Share" Personal Data.

    3. Provider shall not retain, use, or disclose Personal Data for any purpose other than for the specific business purposes outlined in the SFA, or as otherwise permitted by US State Privacy Laws.

    4. Provider shall not combine Personal Data received from Customer with data from other sources, except as necessary to perform the Services (e.g., for security monitoring across customers) or as permitted by law.

    5. Provider shall notify Customer if it determines it can no longer meet its obligations under US State Privacy Laws.

    6. Notwithstanding the prohibition on "Selling" or "Sharing," Provider may collect, retain, and use Service Data (as defined in Section 2) to develop, improve, and protect the Services, provided that such data is de-identified or aggregated such that it does not identify You, Your End-Users, or any individual natural person.


    Schedule 7: Israeli Privacy Laws Module


    This Schedule applies only to Personal Data subject to Israeli Privacy Laws.

    1. Provider (as a "Holder" or "Outsourcing Data Processor") shall comply with the applicable provisions of the Israeli Privacy Laws, including the Protection of Privacy (Data Security) Regulations, 2017. For the avoidance of doubt, where You host the Data Plane (Self-Hosted), You are the "Database Owner," "Database Manager," and "Database Holder" of the Data Plane as defined under the Israeli Privacy Protection Law. In such cases, We act solely as a service provider for the management interface (Control Plane) and shall not be deemed a "Manager" or "Holder" of the databases residing within Your self-hosted environment.

    2. Provider confirms that the TOMs in Schedule 2 are implemented to meet or exceed the requirements for databases subject to a "Medium" or "High" level of security, as applicable to the data processed.

    3. Provider shall process Personal Data only for the purpose defined by Customer in Schedule 1 and shall not use it for any other purpose.

    4. Provider shall ensure data is deleted upon termination as specified in Section 10 of this DPA.

    5. Provider confirms that its primary processing in Germany (EEA) is recognized as an adequate jurisdiction by the Israeli Privacy Protection Authority, permitting the transfer of data from Israel to Provider.



Data Processing Agreement
Effective Date: December 1, 2025
This Data Processing Agreement ("DPA") supplements the existing Subscription Framework Agreement ("SFA"). It applies to the extent that We as Provider processes Personal Data on behalf of You as Controller in the course of providing the Services defined in the SFA.

  1. Definitions
    ● "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under the SFA, including, as applicable, the GDPR, the UK GDPR, US State Privacy Laws, and Israeli Privacy Laws.
    ● "CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
    ● "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings ascribed to them in the GDPR.
    ● "EU SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, specifically Module Two (Controller to Processor) and/or Module Three (Processor to Processor), as applicable.
    ● "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation).
    ● "Israeli Privacy Laws" means Israel's Protection of Privacy Law, 5741-1981, and the regulations promulgated thereunder, including the Protection of Privacy (Data Security) Regulations, 5777-2017.
    ● "Sub-processor" means any third party engaged by the Provider to process Personal Data in connection with the Services.
    ● "Service Data" means data relating to Your use of the Services, including but not limited to, billing, administrative, and account management information; technical logs; telemetry data; IP addresses of Your administrators; resource IDs; API usage patterns; and metadata required for security, maintenance, and optimization of the Control Plane.
    ● "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office.
    ● "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018.
    ● "US State Privacy Laws" means applicable US state data privacy laws, including the CCPA, Virginia VCDPA, Colorado CPA, Utah UCPA, and Connecticut CTDPA. US-specific terms like "Business", "Service Provider", "Sell", and "Share" shall have the meanings given in the CCPA.


  2. Roles and Processing of Personal Data
    a. Roles: The parties acknowledge that for the Processing of Personal Data, You are the Controller and We are the Processor. The Parties acknowledge further that regarding Service Data, We act as an Independent Controller (not a Joint Controller). We shall process Service Data for the following limited purposes: (i) billing, audit, and account management; (ii) security, fraud detection, and abuse prevention; (iii) complying with legal obligations applicable to Us; and (iv) analyzing and optimizing the performance and usage of the Services. We shall comply with all Applicable Data Protection Laws regarding Our processing of Service Data.

    b. Scope of Processing: We shall process Personal Data only on behalf of and in accordance with Your documented instructions for the purposes of providing the Services, as described in the SFA and this DPA. The SFA and this DPA constitute Your complete instructions.
    Hybrid Deployment Roles: The parties acknowledge the hybrid nature of the Services, which separates the "Control Plane" (management metadata, configuration, and telemetry) from the "Data Plane" (Customer's applications and payload data).
    ● Provider-Hosted Data Plane: Where You select a Provider-hosted Data Plane, We act as a Processor for Personal Data within both the Control Plane and Data Plane.
    ● Customer-Hosted Data Plane: Where You choose to host the Data Plane , We act as a Processor solely for the Personal Data contained within the Control Plane. You acknowledge that regarding the Data Plane, We have no access to, possession of, or control over the Personal Data contained therein, except for the limited purpose of remote management instructions initiated by the Control Plane. We shall not be liable for any Data Breach originating in a Customer-Hosted Data Plane unless caused directly by a compromise of our Control Plane.
    c. Processing Location: We shall process Personal Data in the geographic region(s) selected by You in the applicable Order Form ("Processing Location"). We shall not transfer Personal Data from the selected Processing Location to another country except as necessary to provide the Services (e.g., for global support or security functions) or to engage Sub-processors, and in all cases only in accordance with the international transfer mechanisms set forth in Schedule 4.
    d. Infringing Instructions: We shall immediately inform You if, in our opinion, an instruction from You infringes Applicable Data Protection Law. We are entitled to suspend the execution of the relevant instruction until such instruction is confirmed or amended by You.


  3. Details of Processing
    The subject-matter, duration, nature, purpose, and categories of Personal Data and Data Subjects are set forth in Schedule 1 (Details of Processing).


  4. Security of Processing
    a. Technical and Organizational Measures (TOMs): We shall implement and maintain the appropriate technical and organizational measures as set forth in Schedule 2 (Technical and Organizational Measures) to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. You acknowledge that the TOMs are subject to the Shared Responsibility Model described therein.
    b. Confidentiality: We shall ensure that its personnel authorized to process Personal Data are bound by a duty of confidentiality.


  5. Sub-processing
    a. General Authorization: You grant Us a general authorization (1) to engage the Sub-processors included in Schedule 3 to support the provision of the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.
    b. Appointment and Objections: We shall inform You of any intended new Sub-processor at least fourteen (14) days in advance, giving You the opportunity to object. Such objections must be based on reasonable data protection grounds. If We and you cannot resolve the objection, either party may terminate the affected Order Form for convenience.
    c. Flow-down Obligations: We shall enter into a written agreement with each Sub-processor imposing data protection obligations that are at least as restrictive as those imposed on Us under this DPA. We shall ensure all transfers to Sub-processors are made in accordance with Schedule 4.


  6. Data Subject Rights: We acknowledge that, due to the nature of the Processing (IaaS), You control the Personal Data residing within the Data Plane via the Services' APIs and configuration tools. Therefore, You are solely responsible for handling Data Subject requests using the self-service capabilities of the Services. We shall provide reasonable technical assistance to You, insofar as this is possible and necessary, but We are not obligated to access, retrieve, or modify Customer Content in the Data Plane to fulfil a Data Subject request on Your behalf. We shall promptly forward to You any Data Subject request We receive concerning Customer Content.


  7. Personal Data Breach: We shall notify You without undue delay after becoming aware of a Personal Data Breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content or Control Plane Data. We shall provide You with reasonable assistance and information necessary to enable You to meet its breach notification obligations, excluding any obligation for Us to determine the cause, scope, or impact of a breach that originates entirely within a Customer-Hosted Data Plane.


  8. Data Protection Impact Assessment (DPIA): We shall, upon Your reasonable request, provide reasonable assistance to You with any DPIAs and prior consultations with supervisory authorities, limited to the Processing of Personal Data by Us in connection with the Services and taking into account the information available to Us.


  9. Audit and Compliance: We shall make available to You all information reasonably necessary to demonstrate compliance with this DPA. We shall allow for and contribute to audits, including inspections, conducted by You or an independent, third-party auditor mandated by You (who is not a competitor of Us) and bound by confidentiality. You agree that such audits shall, in the first instance, be satisfied by Us providing current, independent, third-party audit reports (e.g. SOC 2). An on-site audit shall only be conducted (i) where such reports are not sufficient, (ii) upon reasonable evidence of non-compliance, (iii) no more than once annually, (iv) at Your sole expense, and (v) subject to reasonable advance notice and strict confidentiality and security rules. If an audit or inspection conducted under this Section reveals a material breach of this DPA or the security obligations defined in Schedule 2 (TOMs) attributable to Us, We shall reimburse You for the reasonable, documented costs incurred for that specific audit.


  10. Deletion and Return of Data: Upon termination or expiry of the SFA, We shall delete or return all Personal Data to You in accordance with the data retrieval and deletion procedures and timelines set forth in the SFA and its Addenda (including the EU Data Act Addendum, if applicable).


  11. International Data Transfers: We shall ensure all transfers of Personal Data are made in accordance with Applicable Data Protection Law. The transfer mechanisms are detailed in Schedule 4 (International Data Transfers).


  12. Jurisdictional Modules: For data processing subject to the laws of specific jurisdictions, the following schedules shall apply and, in case of conflict, supplement or supersede the terms of this DPA:
    ● Schedule 5: UK GDPR Module
    ● Schedule 6: US State Privacy Laws Module
    ● Schedule 7: Israeli Privacy Laws Module


  13. Liability: The disclaimers and limitations of liability set forth in the SFA (including, but not limited to, Section 8) shall apply to all claims and obligations arising under this DPA. We shall be liable to You for the acts and omissions of our Sub-processors to the same extent We would be liable if performing the services of each Sub-processor directly. Notwithstanding anything to the contrary in this DPA or the SFA, We shall have no liability for any loss, destruction, alteration, or unauthorized disclosure of Personal Data residing in a Data Plane hosted, managed, or secured by You ("Customer-Hosted Data Plane"), except to the extent such event was directly caused by Our failure to secure the Control Plane in accordance with Schedule 2.


  14. Precedence: In the event of a conflict, this DPA and its Schedules shall prevail over the SFA regarding the subject matter of data protection.


    Schedule 1: Details of Processing


    A. Subject-Matter and Duration
    Subject-Matter: The provision of IaaS (Infrastructure Services) and related services as described in the SFA, enabling You to build, deploy, and manage Customer Applications.
    Duration: The term of the applicable Order Form(s).


    B. Nature and Purpose of Processing
    Nature & Purpose: Hosting, storage, transmission, and processing of Personal Data as contained within Your Data and Your Applications, as initiated and directed by You, for the sole purpose of providing the Services.

    C. Categories of Personal Data
    Customer Content (Data Plane): Any Personal Data determined and controlled exclusively by You, stored within the virtual machines, databases, or storage volumes of we, as an IaaS provider do not have knowledge of. When the Data Plane is self-hosted by You, We do not process this data except technically as required to transmit management instructions.
    Control Plane Data: Configuration data, resource identifiers, environmental variables, and technical logs required to manage the infrastructure. You agree not to place sensitive Personal Data (e.g., health data, financial data) inside Control Plane metadata fields (such as resource names or tags) that are not designed for encrypted storage.
    Administrator and Service Data: Personal Data relating to Your employees or representatives who provision, manage, or utilize the Services, which We process as an Independent Controller for Our own defined purposes.


    D. Categories of Data Subjects
    ● The categories of Data Subjects are determined and controlled exclusively by You.

    Schedule 2: Technical and Organizational Measures (TOMs)


We shall implement and maintain, at a minimum, the following TOMs:


  1. Shared Responsibility Model: The parties acknowledge the Services are provided under a Shared Responsibility Model. We are responsible for the security of the cloud infrastructure (physical hardware, network, virtualization layer, managing OS patching, network configurations, access controls) for Company-Hosted Components in the selected Processing Location.
    You are responsible for security of self-hosted Components, encryption of End-User Data, and securing Customer Applications.

  2. Access Control (Physical): Measures to prevent unauthorized physical access to data processing facilities (e.g., 24/7 security, access logs, multi-factor access control).

  3. Access Control (Logical): Measures to prevent unauthorized system access (e.g., role-based access control [RBAC], strong password policies, multi-factor authentication [MFA] for privileged access, logging of access).

  4. Encryption: Encryption of Personal Data in transit (e.g., TLS) and at rest (e.g., AES-256 for storage).

  5. Resilience: Measures to ensure the resilience of processing systems (e.g., redundant systems, backup procedures, disaster recovery plans).

  6. Testing and Auditing: Regular security assessments, vulnerability scanning, penetration testing, and third-party audits (e.g. SOC 2 Type II or equivalent).

  7. Incident Management: A formal incident response process to detect, respond to, and remediate Personal Data Breaches.

  8. Control Plane Security: (i) We implement logical isolation controls within the Control Plane designed to prevent one customer's configuration data from impacting or accessing another customer's environment. (ii) We utilize industry-standard secrets management systems to ensure that any credentials required for the Control Plane to communicate with Your Data Plane are encrypted at rest and in transit. (iii) All management instructions sent from the Control Plane to a Customer-Hosted Data Plane are transmitted over mutually authenticated, encrypted channels (e.g., mTLS).



Schedule 3: Sub-processors


You provide general authorization for the engagement of the following categories of Sub-processors:
Core Infrastructure: Co-location data centers, network providers.
Service Monitoring & Security: Logging, monitoring, and security incident management services.
Customer Support: Ticketing systems, customer communication tools.


A dated and versioned list of Sub-processors and their locations is available at tower.dev/subprocessors


Schedule 4: International Data Transfers


  1. Primary Processing Location: The primary processing location for the Services is Germany (EEA).

  2. Transfers from Customer to Provider:
    ○ From EEA: No international transfer occurs.
    ○ From UK: Transfers to Germany are permitted under the UK's adequacy regulations for the EEA.
    ○ From Israel: Transfers to Germany are permitted under Israel's adequacy findings for the EEA/EU.
    ○ From US (or other Third Countries): Where Customer transfers Personal Data from a third country (e.g., US) to Provider in Germany, Customer is responsible for ensuring it has a valid legal basis for the transfer. To the extent such data is subject to the GDPR or UK GDPR (e.g., data of EU/UK residents), the parties agree that the EU SCCs (Module Two: Controller-to-Processor), as supplemented by the UK Addendum where applicable, are incorporated by reference and shall govern such transfers.

  3. Transfers from Provider to Sub-processors:
    ○ If Provider (based in Germany) transfers Personal Data to a Sub-processor in a country without an adequacy decision (a "Third Country"), Provider shall ensure such transfer is governed by a valid transfer mechanism, such as the EU SCCs (Module Three: Processor-to-Processor).
    ○ Remote Access Acknowledgement: You acknowledge that the Control Plane (hosted in Germany) maintains persistent, secure connections to Your Data Plane for management purposes, regardless of the geographic location of Your Data Plane. You hereby authorize this remote access and the resulting transfer of technical telemetry and metadata back to the Control Plane as necessary for the provision of the Services.

    Schedule 5: UK GDPR Module


    This Schedule applies only to Personal Data subject to the UK GDPR.

    1. References in this DPA to "GDPR" shall be interpreted as "UK GDPR".

    2. References to "EU", "Union", or "Member State" shall be interpreted as "United Kingdom" or "UK".

    3. References to "EU SCCs" shall, where the transfer is subject to the UK GDPR, be interpreted as the EU SCCs as modified by the UK Addendum.

    4. For transfers from Provider to a Sub-processor (as described in Schedule 4, Section 3), where the data is subject to UK GDPR, the EU SCCs (Module Three) shall be supplemented by the UK Addendum, with the relevant Tables completed.


    Schedule 6: US State Privacy Laws Module


    This Schedule applies only to Personal Data subject to US State Privacy Laws (e.g., CCPA).

    1. Provider is a "Service Provider" for the purposes of the CCPA.

    2. Provider shall not "Sell" or "Share" Personal Data.

    3. Provider shall not retain, use, or disclose Personal Data for any purpose other than for the specific business purposes outlined in the SFA, or as otherwise permitted by US State Privacy Laws.

    4. Provider shall not combine Personal Data received from Customer with data from other sources, except as necessary to perform the Services (e.g., for security monitoring across customers) or as permitted by law.

    5. Provider shall notify Customer if it determines it can no longer meet its obligations under US State Privacy Laws.

    6. Notwithstanding the prohibition on "Selling" or "Sharing," Provider may collect, retain, and use Service Data (as defined in Section 2) to develop, improve, and protect the Services, provided that such data is de-identified or aggregated such that it does not identify You, Your End-Users, or any individual natural person.


    Schedule 7: Israeli Privacy Laws Module


    This Schedule applies only to Personal Data subject to Israeli Privacy Laws.

    1. Provider (as a "Holder" or "Outsourcing Data Processor") shall comply with the applicable provisions of the Israeli Privacy Laws, including the Protection of Privacy (Data Security) Regulations, 2017. For the avoidance of doubt, where You host the Data Plane (Self-Hosted), You are the "Database Owner," "Database Manager," and "Database Holder" of the Data Plane as defined under the Israeli Privacy Protection Law. In such cases, We act solely as a service provider for the management interface (Control Plane) and shall not be deemed a "Manager" or "Holder" of the databases residing within Your self-hosted environment.

    2. Provider confirms that the TOMs in Schedule 2 are implemented to meet or exceed the requirements for databases subject to a "Medium" or "High" level of security, as applicable to the data processed.

    3. Provider shall process Personal Data only for the purpose defined by Customer in Schedule 1 and shall not use it for any other purpose.

    4. Provider shall ensure data is deleted upon termination as specified in Section 10 of this DPA.

    5. Provider confirms that its primary processing in Germany (EEA) is recognized as an adequate jurisdiction by the Israeli Privacy Protection Authority, permitting the transfer of data from Israel to Provider.



Data Processing Agreement
Effective Date: December 1, 2025
This Data Processing Agreement ("DPA") supplements the existing Subscription Framework Agreement ("SFA"). It applies to the extent that We as Provider processes Personal Data on behalf of You as Controller in the course of providing the Services defined in the SFA.

  1. Definitions
    ● "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under the SFA, including, as applicable, the GDPR, the UK GDPR, US State Privacy Laws, and Israeli Privacy Laws.
    ● "CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
    ● "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings ascribed to them in the GDPR.
    ● "EU SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, specifically Module Two (Controller to Processor) and/or Module Three (Processor to Processor), as applicable.
    ● "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation).
    ● "Israeli Privacy Laws" means Israel's Protection of Privacy Law, 5741-1981, and the regulations promulgated thereunder, including the Protection of Privacy (Data Security) Regulations, 5777-2017.
    ● "Sub-processor" means any third party engaged by the Provider to process Personal Data in connection with the Services.
    ● "Service Data" means data relating to Your use of the Services, including but not limited to, billing, administrative, and account management information; technical logs; telemetry data; IP addresses of Your administrators; resource IDs; API usage patterns; and metadata required for security, maintenance, and optimization of the Control Plane.
    ● "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office.
    ● "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018.
    ● "US State Privacy Laws" means applicable US state data privacy laws, including the CCPA, Virginia VCDPA, Colorado CPA, Utah UCPA, and Connecticut CTDPA. US-specific terms like "Business", "Service Provider", "Sell", and "Share" shall have the meanings given in the CCPA.


  2. Roles and Processing of Personal Data
    a. Roles: The parties acknowledge that for the Processing of Personal Data, You are the Controller and We are the Processor. The Parties acknowledge further that regarding Service Data, We act as an Independent Controller (not a Joint Controller). We shall process Service Data for the following limited purposes: (i) billing, audit, and account management; (ii) security, fraud detection, and abuse prevention; (iii) complying with legal obligations applicable to Us; and (iv) analyzing and optimizing the performance and usage of the Services. We shall comply with all Applicable Data Protection Laws regarding Our processing of Service Data.

    b. Scope of Processing: We shall process Personal Data only on behalf of and in accordance with Your documented instructions for the purposes of providing the Services, as described in the SFA and this DPA. The SFA and this DPA constitute Your complete instructions.
    Hybrid Deployment Roles: The parties acknowledge the hybrid nature of the Services, which separates the "Control Plane" (management metadata, configuration, and telemetry) from the "Data Plane" (Customer's applications and payload data).
    ● Provider-Hosted Data Plane: Where You select a Provider-hosted Data Plane, We act as a Processor for Personal Data within both the Control Plane and Data Plane.
    ● Customer-Hosted Data Plane: Where You choose to host the Data Plane , We act as a Processor solely for the Personal Data contained within the Control Plane. You acknowledge that regarding the Data Plane, We have no access to, possession of, or control over the Personal Data contained therein, except for the limited purpose of remote management instructions initiated by the Control Plane. We shall not be liable for any Data Breach originating in a Customer-Hosted Data Plane unless caused directly by a compromise of our Control Plane.
    c. Processing Location: We shall process Personal Data in the geographic region(s) selected by You in the applicable Order Form ("Processing Location"). We shall not transfer Personal Data from the selected Processing Location to another country except as necessary to provide the Services (e.g., for global support or security functions) or to engage Sub-processors, and in all cases only in accordance with the international transfer mechanisms set forth in Schedule 4.
    d. Infringing Instructions: We shall immediately inform You if, in our opinion, an instruction from You infringes Applicable Data Protection Law. We are entitled to suspend the execution of the relevant instruction until such instruction is confirmed or amended by You.


  3. Details of Processing
    The subject-matter, duration, nature, purpose, and categories of Personal Data and Data Subjects are set forth in Schedule 1 (Details of Processing).


  4. Security of Processing
    a. Technical and Organizational Measures (TOMs): We shall implement and maintain the appropriate technical and organizational measures as set forth in Schedule 2 (Technical and Organizational Measures) to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. You acknowledge that the TOMs are subject to the Shared Responsibility Model described therein.
    b. Confidentiality: We shall ensure that its personnel authorized to process Personal Data are bound by a duty of confidentiality.


  5. Sub-processing
    a. General Authorization: You grant Us a general authorization (1) to engage the Sub-processors included in Schedule 3 to support the provision of the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.
    b. Appointment and Objections: We shall inform You of any intended new Sub-processor at least fourteen (14) days in advance, giving You the opportunity to object. Such objections must be based on reasonable data protection grounds. If We and you cannot resolve the objection, either party may terminate the affected Order Form for convenience.
    c. Flow-down Obligations: We shall enter into a written agreement with each Sub-processor imposing data protection obligations that are at least as restrictive as those imposed on Us under this DPA. We shall ensure all transfers to Sub-processors are made in accordance with Schedule 4.


  6. Data Subject Rights: We acknowledge that, due to the nature of the Processing (IaaS), You control the Personal Data residing within the Data Plane via the Services' APIs and configuration tools. Therefore, You are solely responsible for handling Data Subject requests using the self-service capabilities of the Services. We shall provide reasonable technical assistance to You, insofar as this is possible and necessary, but We are not obligated to access, retrieve, or modify Customer Content in the Data Plane to fulfil a Data Subject request on Your behalf. We shall promptly forward to You any Data Subject request We receive concerning Customer Content.


  7. Personal Data Breach: We shall notify You without undue delay after becoming aware of a Personal Data Breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content or Control Plane Data. We shall provide You with reasonable assistance and information necessary to enable You to meet its breach notification obligations, excluding any obligation for Us to determine the cause, scope, or impact of a breach that originates entirely within a Customer-Hosted Data Plane.


  8. Data Protection Impact Assessment (DPIA): We shall, upon Your reasonable request, provide reasonable assistance to You with any DPIAs and prior consultations with supervisory authorities, limited to the Processing of Personal Data by Us in connection with the Services and taking into account the information available to Us.


  9. Audit and Compliance: We shall make available to You all information reasonably necessary to demonstrate compliance with this DPA. We shall allow for and contribute to audits, including inspections, conducted by You or an independent, third-party auditor mandated by You (who is not a competitor of Us) and bound by confidentiality. You agree that such audits shall, in the first instance, be satisfied by Us providing current, independent, third-party audit reports (e.g. SOC 2). An on-site audit shall only be conducted (i) where such reports are not sufficient, (ii) upon reasonable evidence of non-compliance, (iii) no more than once annually, (iv) at Your sole expense, and (v) subject to reasonable advance notice and strict confidentiality and security rules. If an audit or inspection conducted under this Section reveals a material breach of this DPA or the security obligations defined in Schedule 2 (TOMs) attributable to Us, We shall reimburse You for the reasonable, documented costs incurred for that specific audit.


  10. Deletion and Return of Data: Upon termination or expiry of the SFA, We shall delete or return all Personal Data to You in accordance with the data retrieval and deletion procedures and timelines set forth in the SFA and its Addenda (including the EU Data Act Addendum, if applicable).


  11. International Data Transfers: We shall ensure all transfers of Personal Data are made in accordance with Applicable Data Protection Law. The transfer mechanisms are detailed in Schedule 4 (International Data Transfers).


  12. Jurisdictional Modules: For data processing subject to the laws of specific jurisdictions, the following schedules shall apply and, in case of conflict, supplement or supersede the terms of this DPA:
    ● Schedule 5: UK GDPR Module
    ● Schedule 6: US State Privacy Laws Module
    ● Schedule 7: Israeli Privacy Laws Module


  13. Liability: The disclaimers and limitations of liability set forth in the SFA (including, but not limited to, Section 8) shall apply to all claims and obligations arising under this DPA. We shall be liable to You for the acts and omissions of our Sub-processors to the same extent We would be liable if performing the services of each Sub-processor directly. Notwithstanding anything to the contrary in this DPA or the SFA, We shall have no liability for any loss, destruction, alteration, or unauthorized disclosure of Personal Data residing in a Data Plane hosted, managed, or secured by You ("Customer-Hosted Data Plane"), except to the extent such event was directly caused by Our failure to secure the Control Plane in accordance with Schedule 2.


  14. Precedence: In the event of a conflict, this DPA and its Schedules shall prevail over the SFA regarding the subject matter of data protection.


    Schedule 1: Details of Processing


    A. Subject-Matter and Duration
    Subject-Matter: The provision of IaaS (Infrastructure Services) and related services as described in the SFA, enabling You to build, deploy, and manage Customer Applications.
    Duration: The term of the applicable Order Form(s).


    B. Nature and Purpose of Processing
    Nature & Purpose: Hosting, storage, transmission, and processing of Personal Data as contained within Your Data and Your Applications, as initiated and directed by You, for the sole purpose of providing the Services.

    C. Categories of Personal Data
    Customer Content (Data Plane): Any Personal Data determined and controlled exclusively by You, stored within the virtual machines, databases, or storage volumes of we, as an IaaS provider do not have knowledge of. When the Data Plane is self-hosted by You, We do not process this data except technically as required to transmit management instructions.
    Control Plane Data: Configuration data, resource identifiers, environmental variables, and technical logs required to manage the infrastructure. You agree not to place sensitive Personal Data (e.g., health data, financial data) inside Control Plane metadata fields (such as resource names or tags) that are not designed for encrypted storage.
    Administrator and Service Data: Personal Data relating to Your employees or representatives who provision, manage, or utilize the Services, which We process as an Independent Controller for Our own defined purposes.


    D. Categories of Data Subjects
    ● The categories of Data Subjects are determined and controlled exclusively by You.

    Schedule 2: Technical and Organizational Measures (TOMs)


We shall implement and maintain, at a minimum, the following TOMs:


  1. Shared Responsibility Model: The parties acknowledge the Services are provided under a Shared Responsibility Model. We are responsible for the security of the cloud infrastructure (physical hardware, network, virtualization layer, managing OS patching, network configurations, access controls) for Company-Hosted Components in the selected Processing Location.
    You are responsible for security of self-hosted Components, encryption of End-User Data, and securing Customer Applications.

  2. Access Control (Physical): Measures to prevent unauthorized physical access to data processing facilities (e.g., 24/7 security, access logs, multi-factor access control).

  3. Access Control (Logical): Measures to prevent unauthorized system access (e.g., role-based access control [RBAC], strong password policies, multi-factor authentication [MFA] for privileged access, logging of access).

  4. Encryption: Encryption of Personal Data in transit (e.g., TLS) and at rest (e.g., AES-256 for storage).

  5. Resilience: Measures to ensure the resilience of processing systems (e.g., redundant systems, backup procedures, disaster recovery plans).

  6. Testing and Auditing: Regular security assessments, vulnerability scanning, penetration testing, and third-party audits (e.g. SOC 2 Type II or equivalent).

  7. Incident Management: A formal incident response process to detect, respond to, and remediate Personal Data Breaches.

  8. Control Plane Security: (i) We implement logical isolation controls within the Control Plane designed to prevent one customer's configuration data from impacting or accessing another customer's environment. (ii) We utilize industry-standard secrets management systems to ensure that any credentials required for the Control Plane to communicate with Your Data Plane are encrypted at rest and in transit. (iii) All management instructions sent from the Control Plane to a Customer-Hosted Data Plane are transmitted over mutually authenticated, encrypted channels (e.g., mTLS).



Schedule 3: Sub-processors


You provide general authorization for the engagement of the following categories of Sub-processors:
Core Infrastructure: Co-location data centers, network providers.
Service Monitoring & Security: Logging, monitoring, and security incident management services.
Customer Support: Ticketing systems, customer communication tools.


A dated and versioned list of Sub-processors and their locations is available at tower.dev/subprocessors


Schedule 4: International Data Transfers


  1. Primary Processing Location: The primary processing location for the Services is Germany (EEA).

  2. Transfers from Customer to Provider:
    ○ From EEA: No international transfer occurs.
    ○ From UK: Transfers to Germany are permitted under the UK's adequacy regulations for the EEA.
    ○ From Israel: Transfers to Germany are permitted under Israel's adequacy findings for the EEA/EU.
    ○ From US (or other Third Countries): Where Customer transfers Personal Data from a third country (e.g., US) to Provider in Germany, Customer is responsible for ensuring it has a valid legal basis for the transfer. To the extent such data is subject to the GDPR or UK GDPR (e.g., data of EU/UK residents), the parties agree that the EU SCCs (Module Two: Controller-to-Processor), as supplemented by the UK Addendum where applicable, are incorporated by reference and shall govern such transfers.

  3. Transfers from Provider to Sub-processors:
    ○ If Provider (based in Germany) transfers Personal Data to a Sub-processor in a country without an adequacy decision (a "Third Country"), Provider shall ensure such transfer is governed by a valid transfer mechanism, such as the EU SCCs (Module Three: Processor-to-Processor).
    ○ Remote Access Acknowledgement: You acknowledge that the Control Plane (hosted in Germany) maintains persistent, secure connections to Your Data Plane for management purposes, regardless of the geographic location of Your Data Plane. You hereby authorize this remote access and the resulting transfer of technical telemetry and metadata back to the Control Plane as necessary for the provision of the Services.

    Schedule 5: UK GDPR Module


    This Schedule applies only to Personal Data subject to the UK GDPR.

    1. References in this DPA to "GDPR" shall be interpreted as "UK GDPR".

    2. References to "EU", "Union", or "Member State" shall be interpreted as "United Kingdom" or "UK".

    3. References to "EU SCCs" shall, where the transfer is subject to the UK GDPR, be interpreted as the EU SCCs as modified by the UK Addendum.

    4. For transfers from Provider to a Sub-processor (as described in Schedule 4, Section 3), where the data is subject to UK GDPR, the EU SCCs (Module Three) shall be supplemented by the UK Addendum, with the relevant Tables completed.


    Schedule 6: US State Privacy Laws Module


    This Schedule applies only to Personal Data subject to US State Privacy Laws (e.g., CCPA).

    1. Provider is a "Service Provider" for the purposes of the CCPA.

    2. Provider shall not "Sell" or "Share" Personal Data.

    3. Provider shall not retain, use, or disclose Personal Data for any purpose other than for the specific business purposes outlined in the SFA, or as otherwise permitted by US State Privacy Laws.

    4. Provider shall not combine Personal Data received from Customer with data from other sources, except as necessary to perform the Services (e.g., for security monitoring across customers) or as permitted by law.

    5. Provider shall notify Customer if it determines it can no longer meet its obligations under US State Privacy Laws.

    6. Notwithstanding the prohibition on "Selling" or "Sharing," Provider may collect, retain, and use Service Data (as defined in Section 2) to develop, improve, and protect the Services, provided that such data is de-identified or aggregated such that it does not identify You, Your End-Users, or any individual natural person.


    Schedule 7: Israeli Privacy Laws Module


    This Schedule applies only to Personal Data subject to Israeli Privacy Laws.

    1. Provider (as a "Holder" or "Outsourcing Data Processor") shall comply with the applicable provisions of the Israeli Privacy Laws, including the Protection of Privacy (Data Security) Regulations, 2017. For the avoidance of doubt, where You host the Data Plane (Self-Hosted), You are the "Database Owner," "Database Manager," and "Database Holder" of the Data Plane as defined under the Israeli Privacy Protection Law. In such cases, We act solely as a service provider for the management interface (Control Plane) and shall not be deemed a "Manager" or "Holder" of the databases residing within Your self-hosted environment.

    2. Provider confirms that the TOMs in Schedule 2 are implemented to meet or exceed the requirements for databases subject to a "Medium" or "High" level of security, as applicable to the data processed.

    3. Provider shall process Personal Data only for the purpose defined by Customer in Schedule 1 and shall not use it for any other purpose.

    4. Provider shall ensure data is deleted upon termination as specified in Section 10 of this DPA.

    5. Provider confirms that its primary processing in Germany (EEA) is recognized as an adequate jurisdiction by the Israeli Privacy Protection Authority, permitting the transfer of data from Israel to Provider.



© Tower Computing 2025. All rights reserved

Subscribe to linkedin newsletter

Subscribe to Substack newsletter

Data Engineering for fast-growing startups and enterprise teams.

Reach us at hello@tower.dev

Sign Up

WEBSITE

Home

Blog

Demo

Company

Team

Jobs

Media Kit

PRODUCT

Quickstart

Docs

CLI

Legal

Imprint

Terms

Privacy policy

© Tower Computing 2025. All rights reserved

Subscribe to linkedin newsletter

Subscribe to Substack newsletter

Data Engineering for fast-growing startups and enterprise teams.

Reach us at hello@tower.dev

Sign Up

WEBSITE

Home

Blog

Demo

Company

Team

Jobs

Media Kit

PRODUCT

Quickstart

Docs

CLI

Legal

Imprint

Terms

Privacy policy

© Tower Computing 2025. All rights reserved

Subscribe to linkedin newsletter

Subscribe to Substack newsletter

Data Engineering for fast-growing startups and enterprise teams.

Reach us at hello@tower.dev

Sign Up

WEBSITE

Home

Blog

Demo

Company

Team

Jobs

Media Kit

PRODUCT

Quickstart

Docs

CLI

Legal

Imprint

Terms

Privacy policy

© Tower Computing 2025. All rights reserved

Subscribe to linkedin newsletter

Subscribe to Substack newsletter

Data Engineering for fast-growing startups and enterprise teams.

Reach us at hello@tower.dev

Sign Up

WEBSITE

Home

Blog

Demo

Company

Team

Jobs

Media Kit

PRODUCT

Quickstart

Docs

CLI

Legal

Imprint

Terms

Privacy policy