Estuary

Estuary Data Processing Agreement

Effective as of February 6, 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the terms and conditions of the Master Services Agreement or other agreement, including order forms, under which Estuary provides the Services to Customer ("Agreement") executed between the party identified as the "Customer" and Estuary (each a "Party", and together, the "Parties").

This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Estuary processes Personal Data on behalf of Customer in connection with Customer's use of the Services.

If there is any conflict between the Agreement and this DPA, the terms of this DPA will prevail to the extent of such conflict. Any capitalized terms not defined in this DPA will have the meanings given to them in the Agreement. For the avoidance of doubt, the Privacy Policy available at https://estuary.dev/privacy-policy/ specifies the terms and conditions applicable to Estuary's Processing of personal data when Estuary is the Controller (or, the Business under the CCPA) of such personal data.

1. DEFINITIONS

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:

  1. "Affiliate" means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. "Control" for the purposes of this definition means direct or indirect ownership or control of at least 50%.
  2. "Applicable Data Protection Law" means all applicable privacy and data security laws, including state, federal, and extraterritorial or international laws including those with restrictions imposed on the transfer of Personal Data across local, national, and international borders as well as regulations and state, federal, and national government laws, agency orders and decrees to which Controller or Estuary may be subject. "Applicable Data Protection Law" includes, without limitation, (i) the EU General Data Protection Regulation 2016/679 ("GDPR") and national laws implementing the GDPR, as amended from time to time; (ii) the GDPR as it forms part of retained EU law in the United Kingdom, as defined in European Union (Withdrawal) Act 2018 and as amended (if applicable) by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), and the UK Data Protection Act 2018 (as amended from time to time); (iii) the Swiss Federal Act on Data Protection; (iv) the EU Privacy and Electronic Communications Directive 2002/58/EC, as implemented in each jurisdiction and all amendments; (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any implementing regulations ("CCPA"); and (vi) all other applicable international, regional, federal or national privacy and data security laws, regulations and regulatory guidance anywhere in the world, to the extent any such laws apply to Personal Data to be processed hereunder by Estuary.
  3. "Customer Content" means any data that the Customer submits to Estuary in connection with Estuary's provision of the Services. Customer Content includes: (i) the data that the Customer requests Estuary to transfer from one system to another, (ii) configuration information to connect to the relevant systems involved in the Services, such as passwords and user identifications, and (iii) other information provided to facilitate the configuration and timing of data transfer, such as notification preferences.
  4. The terms "Commission", "Data Subject", "Member State", "Process/Processing", "Controller", "Processor", "Supervisory Authority", and analogous terms shall be interpreted in accordance with Applicable Data Protection Law. The terms "Business", "Business Purpose", "Consumer", "Sale", "Sell", "Selling", and "Service Provider" shall have the same meanings as in the CCPA.
  5. "Personal Data" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, or as otherwise defined under Applicable Data Protection Law, including "Personal Information" as such term is defined under the CCPA, and which is processed by Estuary on behalf of Customer pursuant to or in connection with the Services. "EU Personal Data" means Personal Data collected from data subjects when they were located in the European Economic Area (EEA) and/or Switzerland. "UK Personal Data" means Personal Data collected from data subjects when they were located in the United Kingdom.
  6. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, or as otherwise defined under Applicable Data Protection Law. Personal Data Breach will not include events that are either (i) caused by the Customer or Customer Affiliates or their end users or third parties operating under their direction, such as the Customer's or Customer Affiliate's failure to (a) control user access; (b) secure or encrypt Customer Personal Data which the Customer transmits to and from Estuary during performance of the Services; and/or (c) implement security configurations to protect Customer Personal Data; or (ii) unsuccessful attempts or activities that do not or are not reasonably likely to compromise the security of Customer Personal Data, including but not limited to unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
  7. "Restricted Transfer" means a transfer (directly or via onward transfer) of Personal Data that is subject to European Applicable Data Protection Law to a country outside Europe which is not subject to an adequacy determination by the European Commission, UK or Swiss authorities (as applicable).
  8. "Standard Contractual Clauses" or "SCC(s)" means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses, Module II, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCC"); and (ii) where the UK GDPR applies, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO ("UK SCC").
  9. "Sub-processor" means any third party engaged directly by Estuary to Process any Personal Data pursuant to or in connection with the Services. The term shall not include employees of Estuary.

2. RELATIONSHIP OF THE PARTIES

  1. The Parties acknowledge and agree that, with regard to the Processing of Personal Data under this DPA, (i) Customer is the Controller and Business, and (ii) Estuary is the Processor and Service Provider. Where Customer acts as a Processor on behalf of a third-party Controller, the Parties acknowledge that Estuary acts as a Subprocessor, and Customer's obligations under this DPA shall be interpreted accordingly.

3. SCOPE OF PROCESSING

  1. Customer authorizes and instructs Estuary to Process Personal Data for performance of the Services, which shall also constitute the Business Purposes of such Processing. Estuary will Process Personal Data (i) in accordance with the documented, reasonable instructions of Customer that are consistent with the Business Purposes and Applicable Data Protection Law, (ii) in accordance with the Agreement, (iii) to comply with Estuary's legal obligations under applicable law, (iv) in accordance with Schedule 1 as applicable, and (v) as otherwise permitted under Applicable Data Protection Law.
  2. The Customer warrants that it has the right and authority under applicable law and any undertakings it may have entered into to disclose, or have disclosed, Personal Data to Estuary to be Processed by Estuary for the Services and that the Customer has obtained all necessary consents and provided all necessary notifications required by applicable law with respect to the Processing of Personal Data by Estuary.
  3. Both Parties shall comply with their respective obligations under Applicable Data Protection Law, and each Party shall be solely responsible for determining its own legal and regulatory obligations.
  4. Estuary shall notify Controller if Estuary determines that it can no longer meet Controller's instructions or its obligations under this DPA.
  5. Estuary shall not (except as permitted under Applicable Data Protection Law) Sell or Share Personal Data or combine Personal Data with personal data received from other sources.

4. SUB-PROCESSING

  1. The Customer agrees that Estuary may use its Affiliates and other Sub-processors (which, for purposes of this Section 4, must also qualify as Service Providers under the CCPA) to fulfil its contractual obligations under this DPA or to provide certain Services on its behalf. The Website lists Sub-processors that are currently engaged by Estuary to carry out Processing activities on Personal Data at /legal/subprocessors. As of the date of this DPA, Customer consents to Estuary's use of the Sub-processors there listed.
  2. When Estuary uses a Sub-processor as set forth in this Section 4, Estuary will enter into a written agreement with the Sub-processor obligating them to Process Personal Data in accordance with this DPA or standards substantially similar to those in this DPA and, to the extent required under Applicable Data Protection Law, which will include and rely on the Standard Contractual Clauses. As applicable, the Standard Contractual Clauses shall be binding on both Estuary and Sub-processor to the extent that Sub-processor Processes any EU or UK Personal Data outside of the EEA or UK.
  3. At least thirty (30) days before Estuary engages any new Sub-processor to carry out Processing activities on Personal Data, Estuary will provide Customer with notice of such update. Such an update will be reflected in the list of Sub-processors located at /legal/subprocessors.
  4. Customer may make a good faith objection to the engagement of any new Sub-processor within the thirty-day period provided in Section 4.3, provided that such objection relates to the Processing of Personal Data. In such case, Estuary will: (i) work with the Customer to address the Customer's objections to its reasonable satisfaction, (ii) instruct the Sub-processor not to Process Personal Data, provided that the Customer accepts that this may impair the Services (for which Estuary shall bear no responsibility or liability), or (iii) notify the Customer of an option to terminate this DPA and Agreement.
  5. Estuary shall remain fully liable to Controller at all times for any breach of this DPA, the Agreement, and/or Applicable Data Protection Law caused by an act, error or omission of each Sub-processor.

5. SECURITY

  1. Estuary will implement a reasonable security plan and will maintain appropriate technical, physical and organizational measures designed to protect Personal Data against a Personal Data Breach. At a minimum, Estuary will implement the security measures set forth in Annex II.
  2. Estuary will keep records of its Processing activities performed on behalf of Controller, which will include at least:
    1. The details of Estuary as Processor, any representatives, Sub-processors, data protection officers and Estuary Personnel having access to Personal Data;
    2. The categories of Processing activities performed;
    3. Information regarding cross-border data transfers (as further specified in Section 10 of this DPA), if any; and
    4. Description of the technical and organizational security measures implemented in respect of the Processed Personal Data.

6. COOPERATION

  1. Each Party shall reasonably cooperate with the other in any activities or obligations contemplated by this DPA or required under Applicable Data Protection Law.
  2. Upon receipt of a written request, Estuary will provide reasonable cooperation and assistance to Customer, insofar as required by Applicable Data Protection Law and as it relates to Processing of Personal Data by Estuary under this DPA, in fulfilling either the Customer's rights as Consumer or Data Subject or its obligations to respond to requests from Consumers or Data Subjects exercising their rights and/or to carry out data protection impact assessments. Data Subject or Consumer rights requests may be made at the following link: Subject Access Request. In the event that Customer is not the Data Subject or Consumer making such request, Estuary will (unless prohibited by applicable law) promptly inform Customer, providing full details of the same.
  3. Estuary shall cooperate and reasonably assist Controller with any data protection impact assessments, audits, prior consultations regarding relevant competent data protection authorities and with any other reasonable assistance related to compliance with Controller's obligations pursuant to the GDPR and other Applicable Data Protection Law. The scope of such assistance shall be limited to the Processing of the Personal Data by Estuary.
  4. Estuary conducts periodic audits of its controls of relevant systems and processes (e.g., SOC II), which may include systems and processes involved in the Processing of Customer Personal Data. Customer may request, and Estuary shall provide (subject to a nondisclosure agreement, where necessary), resulting audit reports or extracts thereof to Customer only (i) to the extent necessary to ensure Customer's compliance with Applicable Data Protection Law, and (ii) if authorized in writing by Estuary's third-party evaluator or auditor, as applicable. Customer will not make such a request more than once per year (unless otherwise required under Applicable Data Protection Law).
  5. If Customer reasonably believes Estuary has used Personal Data in a manner that is inconsistent with Section 3 of this DPA, Customer may give written notice requiring Estuary to take reasonable steps to stop and remediate such use. Within ten (10) business days, Estuary must either certify in writing that no unauthorized use occurred or describe the confirmed unauthorized use and corrective actions taken. All remediation and verification must minimize disruption, protect confidentiality, and not require disclosure of trade secrets or information prohibited by law. The provisions of this Section 6.5 constitute Customer's sole remedy for unauthorized use of Personal Data under the Agreement, unless otherwise required by applicable law.

7. LAW ENFORCEMENT REQUESTS

  1. If a law enforcement agency sends Estuary a demand for Personal Data (including through a subpoena or court order), Estuary will attempt to redirect the law enforcement agency to request that Personal Data directly from the Customer. As part of this effort, Estuary may provide Controller's basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, Estuary will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Estuary is legally prohibited from doing so. This Section 7.1 does not overwrite the equivalent protection under the Standard Contractual Clauses, if applicable.

8. PERSONAL DATA BREACH

  1. Upon becoming aware of a Personal Data Breach, Estuary will notify the Customer without undue delay and take reasonable steps to identify, prevent and mitigate the effects of the Personal Data Breach and to remedy the Personal Data Breach to the extent such remediation is within Estuary's reasonable control. Such notification to the Customer of a Personal Data Breach is not and will not be construed as an acknowledgement by Estuary of any fault or liability of Estuary with respect to the Personal Data Breach.
  2. Personal Data Breach notifications, if any, will be delivered to Customer by any means Estuary selects, including via email. It is the Customer's responsibility to ensure that it provides Estuary with accurate contact information and secure transmission at all times.
  3. Estuary will provide Customer with timely information relating to the Personal Data Breach as it becomes known or is reasonably requested by Customer to fulfill its obligations under Applicable Data Protection Law.

9. DELETION OR RETURN OF PERSONAL DATA

  1. Upon expiration or termination of the provision of the Services, Estuary shall, at Customer's choice, promptly delete or return all copies of Personal Data in its and/or any of its Sub-processors' or Service Providers' possession or control, except as required to be retained in accordance with applicable law or in accordance with Estuary's backup policy. In such a case, Estuary will continue to treat the Personal Data in accordance with its obligations under this Agreement and DPA, and will return and/or destroy the Personal Data (as requested by Customer) when the obligation to not return or destroy the information is no longer in effect.
  2. Customer acknowledges that it alone is responsible for any data minimization before inputting Customer Content and for executing any written requests to access, retrieve, correct and/or delete Customer Content (including any Personal Data therein).
  3. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by Estuary to Customer only upon Customer's written request.

10. CROSS-BORDER DATA TRANSFER

  1. To the extent that Personal Data is subject to European Data Protection Laws, the terms in this Section 10 shall apply in addition to the terms in the remainder of this DPA. In the event of any conflict or ambiguity between the terms in this Section 10 and any other terms in this DPA, the terms in this Section 10 shall take precedence but only to the extent they apply to the Customer Personal Data in question.
  2. Processing Instructions. Without prejudice to Section 6, Estuary shall notify Customer in writing, unless prohibited from doing so under applicable law, if it becomes aware or believes that any Processing instructions from Customer violate applicable law.
  3. Restricted Transfers. The Parties agree that when the transfer of Personal Data from Customer (as "data exporter") to Estuary (as "data importer") is a Restricted Transfer, the Standard Contractual Clauses shall automatically be deemed incorporated into and form a part of this DPA, as follows:
    1. In relation to Customer Personal Data protected by the GDPR, the SCCs shall apply completed as follows:
      1. Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply, as appropriate;
      2. in Clause 7, the optional docking clause will not apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.3;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;
      6. in Clause 18(b), disputes shall be resolved before the courts of the EU Member State selected above;
      7. Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
      8. Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this DPA;
    2. In relation to Customer Personal Data protected by UK Data Protection Laws, the SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
      1. the SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;
      2. tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 4.1 of this DPA (as applicable); and
      3. table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
    3. In relation to Customer Personal Data protected by the Swiss FADP, the SCCs will also apply in accordance with sub-paragraph (a) above with the following modifications:
      1. references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;
      2. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss FADP;
      3. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law";
      4. the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
      5. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection Information Commissioner;
      6. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland";
      7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland;
      8. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and
      9. the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
    4. It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA) the SCCs shall prevail to the extent of such conflict.

11. LIMITATION OF LIABILITY

  1. The total combined liability of either Party towards the other Party, whether in contract, tort or under any other theory of liability, shall be limited to that set forth in the Agreement as well as any disclaimers contained therein. Any reference in such section to the liability of a Party means the aggregate liability of that Party under the Agreement and this DPA.

12. MISCELLANEOUS

  1. Severance: Should any provision of this DPA be determined invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  2. Order of Precedence: In the event of any conflict between the terms of this DPA and other binding documents, the following order of precedence shall apply: (i) the Standard Contractual Clauses, solely to the extent applicable in accordance with Section 10 above; (ii) this DPA; (iii) the Agreement.

13. MODIFICATIONS

  1. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party. This DPA may not be construed to create any right or cause of action on behalf of a third party, except to the minimum extent required under Applicable Data Protection Law.

Schedule 1: ANNEXES TO EU SCCS

ANNEX I
A. LIST OF PARTIES

Data exporter(s): The data exporter is Controller, with contact details regarding the Controller and its representative and the activities relevant to the data being transferred as set forth in the Agreement and/or the applicable ordering document for services.

Data importer(s): The data importer is Estuary, with contact details for Estuary and its representative and the activities relevant to the data being transferred as set forth in the Agreement and/or the applicable ordering document for services.

Activities relevant to the data transferred under these Clauses: Estuary will process the personal data transferred by the Controller to provide the services described in the Agreement and/or the applicable ordering document.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Data to Estuary, which may include, but is not limited to, Personal Data relating to the following categories of data subjects: the data exporter's representatives and end-users including employees, contractors, business partners, collaborators, customers and prospective customers of the data exporter.

Categories of personal data transferred

Data exporter may submit to Vendor Personal Data in the following categories: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) ID data; (g) Connection data; (h) Localisation data; and (i) other data in an electronic form used by Controller in the context of the services; provided that such Personal Data shall not include Special Category Data as defined under GDPR Article 9.

Special Category Data transferred under GDPR Article 9 (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

For the term of the Agreement.

Nature of the processing

As described in the Agreement and/or the applicable ordering document.

Purpose(s) of the data transfer and further processing

To utilize Estuary's services as set forth in the Agreement and/or the applicable ordering document.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

For the term of the Agreement plus a reasonable period following termination or expiration to provide for the return of Personal Data to Controller.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As necessary to enable Estuary to perform the services described in the Agreement and/or the applicable ordering document and for the term of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The data exporter's competent supervisory authority will be determined in accordance with European Data Protection Laws.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Estuary will implement a reasonable security plan and will maintain appropriate technical, physical and organizational measures designed to protect Personal Data against a Personal Data Breach. Such measures will include, as appropriate:

  1. To the extent under the control of Estuary, the encryption of Personal Data, in transit and at rest;
  2. The use of multi-factor authentication for any Estuary access to Controller data;
  3. The ability to ensure the on-going confidentiality, integrity, and availability of Processing systems and services;
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.