Data Processing Agreement

Last Updated: January 2025

This Data Processing Agreement ("DPA") is between Rejourney ("Processor") and the Customer ("Controller"). It outlines the parties' obligations regarding the processing of Personal Data under the General Data Protection Regulation (GDPR).

1. Scope and Purpose

Processor will process Personal Data only as necessary to provide the Service as described in the Terms and as further specified in Annex I.

2. Technical and Organizational Measures

Processor has implemented and will maintain the technical and organizational measures specified in Annex II to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage.

3. Sub-processors

Controller grants a general authorization for Processor to engage Sub-processors. Current Sub-processors include:

Sub-processor          Purpose                     Location
Hetzner Online GmbH    Hosting & Infrastructure    Germany (EU)
Cloudflare R2          Session Data Storage        Global (EU Preference)
ZeptoMail (Zoho)       Email Notifications         United States

4. Data Subject Rights

Processor will assist Controller in fulfilling its obligations to respond to requests from individuals exercising their rights under GDPR. Please contact contact@rejourney.co for assistance.

5. Data Breach Notification

Processor will notify Controller without undue delay (and in no case later than 72 hours) after becoming aware of a personal data breach.


Annex I: Details of Processing

A. List of Parties

Data exporter: The Customer (Controller)

Data importer: Rejourney (Processor)

B. Description of Transfer

Categories of data subjects: End-users of the Controller's mobile applications.

Categories of personal data: IP addresses, device identifiers, session recordings, and interaction metadata.

Sensitive data: None. Controller is responsible for ensuring that no sensitive data is transmitted to Processor by utilizing the provided masking and redaction tools.

Annex II: Technical and Organizational Measures

Note: The following measures are default tools provided by Rejourney. Final responsibility for the appropriate configuration and use of these tools lies with the Controller.

  • Access Control: Logical access controlled via multi-factor authentication and role-based permissions.
  • Encryption: Data encrypted in transit using TLS 1.3 and at rest using AES-256.
  • Pseudonymization: User identifiers are hashed upon ingest to prevent direct identification.
  • Redaction: Automatic UI element masking and sensitive data scrubbing at the SDK level.
  • Resilience: Regular backups and geographically redundant storage for disaster recovery.