Back to sign up

Data Processing Addendum

How we process personal data on your behalf as your processor.

Last updated: 2026-07-05

This document may be updated from time to time; material changes are announced in the console.

Roles

  • For personal data in your managed tenants, you (the MSP) are the controller (or processor for your end-customers) and rugged.sh, operated by Rugged Technology Services, is your processor. We process that data only on your documented instructions.
  • For your own MSP account data, we act as controller for the limited purpose of providing, securing, and billing the service.

Scope of processing

  • Subject matter: providing the rugged.sh control plane. Duration: for the term of your agreement plus any legally required retention.
  • Nature and purpose: deploying, governing, and optimizing Microsoft cloud across your customer tenants on your instruction.
  • Data subjects and data types: your team members and your end-customers' directory users; identifiers, role and configuration data, and operational metadata. We do not process special-category data for these purposes.

Our commitments

  • Confidentiality: personnel with access are bound by confidentiality obligations.
  • Security: we apply technical and organizational measures appropriate to the risk, including hard tenant isolation, encryption of secrets in Azure Key Vault, least-privilege app-only access, and an audit trail.
  • Assistance: we help you respond to data-subject requests and to meet your security, breach-notification, and impact-assessment obligations.

Sub-processors

We engage a limited set of sub-processors to deliver the service. Each is bound by data-protection terms consistent with this addendum:

  • Microsoft Azure — infrastructure, secret management, and the Microsoft cloud platform your tenants run on.
  • Neon — managed PostgreSQL hosting for control-plane data.
  • Cloudflare — content delivery, DNS, and edge security for the web console.
  • We maintain a current sub-processor list and give reasonable prior notice of additions or replacements so you can object.

Audits and records

  • We maintain records of the processing we carry out on your behalf and make available the information reasonably necessary to demonstrate compliance with this addendum.
  • Where you require an audit beyond that documentation, the scope, timing, and cost are set in the binding agreement so it does not disrupt the security of other customers.

International transfers, breach, deletion

  • Where personal data is transferred across borders, we rely on a lawful transfer mechanism (such as Standard Contractual Clauses) in the binding agreement.
  • We will notify you without undue delay after becoming aware of a personal-data breach affecting your data.
  • On termination, we delete or return your personal data, subject to legally required retention.