Railbase

Data Processing Agreement (DPA)

Version: 1.0 Effective date: 14 July 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer accepting it ("Customer", "you") and Silkway Tech LLC, a Wyoming limited liability company with a mailing address at 5830 E 2nd St, Ste 7000 #30294, Casper, WY 82609, USA ("Company", "we", "us"). It applies where the Company processes personal data on your behalf as a processor (or service provider) under the GDPR, UK GDPR, CCPA/CPRA, or similar data-protection laws ("Data Protection Laws").

1. Roles — read this first

Railbase is self-hosted software. Your Railbase deployment, its users, tenants, records, and files run on your own infrastructure; that data never reaches the Company in ordinary operation, and for it you are the controller and the operator — no processing by the Company occurs and this DPA does not apply to it.

The Company acts in two distinct roles for the data it does receive:

  • Independent controller — for account, billing, tax, licensing, activation/heartbeat, KYC and sanctions-screening, agreement-acceptance, and website analytics data, the Company determines its own purposes (operating the marketplace, billing, and legal compliance) and processes that data as an independent controller under the Privacy Policy. This DPA does not cover that processing.
  • Processor — where you choose to send the Company materials from your deployment or business that contain personal data — support bundles, logs, database exports, screenshots, documents, or custom-development specifications and related files ("Submitted Materials") — the Company processes that personal data only on your behalf, to provide support, debugging, security review, or contracted development services. This DPA governs that processing.

2. Customer instructions

The Company will process personal data in Submitted Materials only on your documented instructions — which consist of this DPA, the Terms of Service, and your support or development requests — unless required to do otherwise by law, in which case the Company will inform you unless the law prohibits it. You are responsible for ensuring that your instructions are lawful, that you have the right to share the Submitted Materials, and that they do not include personal data that is unnecessary for the request. Do not send special-category, regulated, or highly sensitive data unless strictly necessary and lawful.

3. Confidentiality

The Company ensures that persons authorized to process Submitted Materials are bound by contractual or statutory confidentiality obligations, and limits access to those who need it to handle your request.

4. Security

The Company implements appropriate technical and organizational measures for the processing of Submitted Materials, taking into account the nature of the data and the risks, including: encryption in transit (HTTPS/TLS everywhere; the Service is HTTPS-only), access controls and restricted operator access, hashed credentials, CSRF protections and security headers, audit logging, key-based server access, and secrets kept in access-controlled storage rather than in code or configuration files. Details are summarized in Annex II.

5. Sub-processors

You give general authorization for the Company to use the sub-processors listed in Annex III (currently: hosting infrastructure and transactional email). The Company will impose data-protection obligations on sub-processors materially equivalent to this DPA and remains liable for their performance. The Company will give notice (for example, by updating Annex III on this page with a new effective date) before adding or replacing a sub-processor; if you reasonably object on data-protection grounds and no resolution is found, you may terminate the affected service as your exclusive remedy.

For clarity: Stripe processes payment data as an independent service provider under its own terms, outside the scope of Submitted Materials, and is therefore listed in the Privacy Policy rather than as a sub-processor here.

6. International transfers

The Company is located in the United States, and Submitted Materials are processed in the U.S. and/or the EEA (see Annex III). Where Data Protection Laws require a transfer mechanism for EEA/UK personal data, the parties incorporate by reference the EU Standard Contractual Clauses (Module Two: controller-to-processor) and, for UK data, the UK International Data Transfer Addendum, with you as data exporter and the Company as data importer; Annexes I–III of this DPA serve as the corresponding SCC annexes. In case of conflict, the SCCs prevail over this DPA.

7. Assistance

Taking into account the nature of the processing, the Company will provide reasonable assistance with: responding to data-subject requests that reach the Company but concern your data (the Company will redirect the data subject to you where appropriate); your security, breach-notification, DPIA, and consultation obligations, insofar as they relate to Submitted Materials and the information is available to the Company.

8. Personal data breach

The Company will notify you without undue delay after becoming aware of a personal data breach affecting Submitted Materials, and will provide information reasonably available to it about the nature of the breach, the categories and approximate volume of data concerned, likely consequences, and measures taken or proposed.

9. Deletion and return

Submitted Materials are kept only as long as needed to handle the request they were sent for, plus a reasonable operational period. On your written request, or at the latest upon termination of the services, the Company will delete or return the personal data in Submitted Materials, unless law requires further storage. Backups are deleted on their normal expiry cycle.

10. Audit

The Company will make available information reasonably necessary to demonstrate compliance with this DPA — such as this DPA, Annex II, and written answers to reasonable security questionnaires (at most once per year, absent a supervisory-authority requirement or a breach). Where Data Protection Laws grant you a mandatory on-site audit right, it will be exercised on reasonable notice, at your cost, during business hours, without access to other customers' data.

11. CCPA/CPRA

To the extent Submitted Materials contain personal information subject to the CCPA/CPRA, the Company acts as your service provider: it will not sell or share that personal information, will not retain, use, or disclose it outside the direct business relationship or for purposes other than performing the services, and certifies it understands these restrictions.

12. Liability, term, and general

This DPA takes effect when you accept the Terms of Service (or first send Submitted Materials, if earlier) and lasts as long as the Company processes Submitted Materials on your behalf. Liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA is governed by the same law and venue as the Terms of Service, except where Data Protection Laws or the SCCs require otherwise. In case of conflict regarding processing of Submitted Materials, this DPA prevails over the Terms of Service.


Annex I — Description of processing

  • Subject matter and duration — handling of Customer-submitted support, debugging, security-review, or custom-development materials, for the duration of the request plus a reasonable operational period.
  • Nature and purpose — receipt, storage, inspection, and analysis of Submitted Materials to diagnose issues, provide support, review security, or deliver contracted development work.
  • Categories of data subjects — the Customer's personnel, end users, tenants' personnel, and other individuals whose data appears in the Submitted Materials.
  • Categories of personal data — determined by the Customer; typically identifiers (names, emails, usernames), business records, log and technical data (IP addresses, session identifiers), and file contents. Special-category data is not requested and should not be submitted unless strictly necessary and lawful.
  • Frequency — occasional, initiated by the Customer.

Annex II — Technical and organizational measures

Encryption in transit (TLS; HTTPS-only service); access control with restricted, need-to-know operator access; key-based (non-password) administrative access to servers; hashed credentials; secrets held in access-controlled storage, not in code or environment files; CSRF protection, security headers, and rate limiting on the Service; audit logging of administrative actions; signed release artifacts and license keys; bounded retention with deletion on request or on service end.

Annex III — Sub-processors

Sub-processor Role Location
Hosting infrastructure provider (Contabo GmbH) Hosting of railbase.app and its database, including stored Submitted Materials Germany / EEA
Transactional email relay (SMTP provider then in use) Delivery of support and service emails (message content and addresses) U.S. / EEA

Contact

Silkway Tech LLC — 5830 E 2nd St, Ste 7000 #30294, Casper, WY 82609, USA · support@railbase.app