Data Processing Agreement text

Document: Data Processing Agreement
Version: v1.0
Effective date: 2026-05-09
Status: Effective

Revision history

Version | Date | Summary of changes
v1.0 | 2026-05-09 | Attorney-reviewed release. Scoped to US state privacy laws (Business / Service Provider framing). Tightened security and cross-border language. Added Excluded Data prohibition, sub-processor chain disclosure, backup deletion clarification, audit cooperation scope, MSA confidentiality cross-reference, and Customer representations.
v0.2-draft | 2026-05-09 | Pre-release draft incorporating structural feedback.
v0.1-draft | 2026-05-07 | Initial draft.

This Data Processing Agreement (the "DPA") supplements the Master Services Agreement ("MSA") between Aliso LLC dba R&D Binder ("R&D Binder", "we", "us", "our", or "Service Provider") and the customer identified in the order form ("Customer", "you", "your", or "Business"). This DPA governs the processing of Personal Information by R&D Binder on behalf of Customer in connection with an annual binder Engagement. Capitalized terms not defined in this DPA have the meanings given in the MSA.

Scope. The Services are intended for US-based businesses and are scoped to applicable US state privacy laws. R&D Binder does not hold itself out as a GDPR or UK GDPR processor and does not offer the Services for processing subject to those frameworks unless separately agreed in writing.

1. Definitions

Personal Information means any information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household, as defined under the California Consumer Privacy Act (CCPA), the New York SHIELD Act, and other applicable US state privacy laws. For this Engagement, Personal Information specifically includes employee names, employee compensation amounts, contractor names, contractor invoice details, and engineer email addresses included in commit metadata.

Process or Processing means any operation performed on Personal Information, including collection, use, storage, disclosure, deletion, or destruction.

Sub-processor means a third-party service R&D Binder engages to Process Personal Information in connection with delivering the Binder.

Personal Data Breach means a breach of security leading to unauthorized access to, disclosure of, or loss of Personal Information.

2. Roles of the Parties

Customer is the Business and R&D Binder is the Service Provider (or Contractor, where that term is used) as those terms are defined under applicable US state privacy laws.

R&D Binder Processes Personal Information only on documented instructions from Customer, including those given through the order-form intake, the post-payment financial-data intake, and any subsequent written instructions. R&D Binder does not Sell, Share, or otherwise commercialize Personal Information for its own purposes, and does not retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than the specific business purpose of performing the Services.

3. Categories of Personal Information Processed

For each Engagement, R&D Binder Processes the following categories of Personal Information about Customer's employees and contractors:

  • Employee and contractor names
  • Employee and contractor roles or titles
  • Employee start and end dates of employment
  • Employee total annual fully-loaded compensation amounts
  • Contractor invoice line items and total invoice amounts
  • Engineer GitHub usernames, email addresses, and commit-author metadata included in publicly-readable repository commit history
  • Engineer US-resident or non-US-resident designations as provided by Customer for foreign-research carve-out compliance

R&D Binder does NOT Process and Customer shall NOT submit: government-issued identification numbers (Social Security numbers, Tax Identification Numbers); health information; financial account numbers; credit card numbers; biometric identifiers; or any sensitive Personal Information beyond the categories listed above (collectively, "Excluded Data"). Customer is responsible for redacting Excluded Data before submission. If Excluded Data is inadvertently submitted, R&D Binder may delete or redact it on discovery and is not responsible for delays or inaccuracies in the Deliverables resulting from its removal.

4. Categories of Data Subjects

The data subjects are: Customer's employees who performed engineering work during the qualifying tax year; Customer's contractors who performed engineering work during the qualifying tax year; and any external open-source contributors whose names appear in the publicly-readable commit history of Customer's repositories.

5. Purposes of Processing

R&D Binder Processes Personal Information solely for the following purposes:

  1. Producing the Binder, the QRE workpaper, and the Section G appendix for the current Engagement;
  2. Allocating Qualified Research Expenses to qualifying business components based on US-source rules;
  3. Supporting Customer's CPA on Binder review questions during the Engagement;
  4. Supporting any audit-defense engagement initiated by Customer in response to an IRS Information Document Request;
  5. Retaining the underlying inputs for the period required by the IRS statute of limitations on a research-credit claim, in case the return is examined within that window.

R&D Binder does not Process Personal Information for advertising, marketing, profiling, or any purpose unrelated to the Engagement.

6. Sub-processors

R&D Binder uses the following Sub-processors. Customer's acceptance of this DPA is acceptance of these Sub-processors. R&D Binder will give Customer reasonable advance notice (at least thirty (30) days where practicable) before engaging a new Sub-processor that will Process Personal Information. Customer may object to a new Sub-processor on data-protection grounds; the parties will work in good faith to resolve the objection.

Sub-processor | Service | Categories of data | Region
GitHub, Inc. | Source-code repository hosting and read-only OAuth access | Commit metadata, contributor email, repository content | United States
Cloudflare, Inc. | Pages hosting, Workers compute, R2 object storage, DNS | Customer Inputs at rest in R2 storage; intake-form payloads in Worker memory | United States
Resend, Inc. | Transactional email delivery | Customer email address; intake-form and Engagement status emails | United States
Stripe, Inc. | Payment processing for the Engagement Fee | Customer billing email and payment information (handled directly by Stripe; R&D Binder does not store card data) | United States
Migadu | Inbound email mailbox (hello@rdbinder.com) | Customer correspondence sent to R&D Binder mailboxes | Switzerland (apex MX)
Airtable, Inc. | Customer ledger (engagement state tracking) | Customer name, contact email, engagement state, links to R2-stored inputs | United States

Migadu is a Swiss-based email host but only receives correspondence Customer sends to R&D Binder mailboxes. R&D Binder does not push Customer Personal Information to Migadu; Customer-sent inbound email content is stored at Migadu only as needed to read the message. Customers who require strict US-only data residency may opt out by communicating with R&D Binder solely through the rdbinder.com contact form, which routes through Resend (United States); R&D Binder will accommodate this preference on request.

Sub-processors may in turn engage their own sub-processors pursuant to their published terms and privacy documentation. R&D Binder does not separately enumerate downstream sub-processors of its Sub-processors.

7. Security Measures

R&D Binder implements the following security measures to protect Personal Information:

  • Encryption in transit: all data transfers use TLS 1.2 or higher.
  • Encryption at rest: Customer Inputs in Cloudflare R2 are stored with server-side encryption.
  • Access control: access to Customer Inputs is restricted to authorized R&D Binder personnel with a legitimate business need, on a least-privilege basis. Sub-processor access is governed by each Sub-processor's terms; Sub-processor support personnel may incidentally access metadata or content in the course of providing support.
  • Authentication: all administrative access is multi-factor authenticated.
  • Operational logging: R&D Binder maintains operational logs of administrative actions on its infrastructure to the extent provided by its Sub-processors. R&D Binder does not warrant any specific log-retention period or forensic-grade logging.
  • GitHub OAuth scope: read-only repository metadata only; no write, admin, or destructive permissions are requested.
  • Network security: R&D Binder infrastructure runs on Cloudflare's edge with strict Content Security Policy, HSTS, and standard application security headers.

8. Data Subject Rights

If Customer receives a request from a data subject (an employee or contractor) to access, correct, delete, or restrict the Processing of Personal Information shared with R&D Binder, R&D Binder will assist Customer in responding within the timelines required by applicable law. Customer remains the responsible party for responding to data-subject requests; R&D Binder is the Processor and acts on Customer's instructions.

Direct data-subject requests received by R&D Binder will be forwarded to Customer for response.

9. Cross-Border Transfers

R&D Binder intends to Process and store Customer Inputs in US-designated infrastructure regions where its Sub-processors offer that configuration. Customer Inputs uploaded through the post-payment intake form are stored in Cloudflare R2 in US-designated locations. Customer acknowledges that Sub-processors operating globally distributed networks (including Cloudflare and GitHub) may, in the course of normal operation, route, cache, or transit data through points of presence outside the United States, and that incidental telemetry, edge processing, and routing of that nature do not constitute a "transfer" for purposes of this DPA. With the limited exception of Migadu (Switzerland) for inbound mailbox storage as described in Section 6, R&D Binder does not intentionally transfer Personal Information outside the United States.

10. Data Retention and Deletion

R&D Binder retains Customer Inputs for the period required by the IRS statute of limitations for examination of a research-credit claim, plus a small operational buffer, for a total retention period of seven (7) years from the close of the Engagement. After seven years, Customer Inputs are deleted from R&D Binder's systems and from Sub-processor systems where R&D Binder controls deletion.

Customer may request earlier deletion at any time through the contact form. R&D Binder will delete Customer Inputs from active production systems within thirty (30) days of receiving an early-deletion request, except where retention is required by law (for example, financial records required by tax authorities or court orders). Copies that persist in immutable backups, disaster-recovery snapshots, or Sub-processor systems beyond R&D Binder's direct control will be removed in the ordinary course as those systems cycle through their backup retention windows, and remain subject to the security and confidentiality obligations of this DPA until removed. The completed Binder, QRE workpaper, and Section G appendix that R&D Binder retains for Customer's audit support are also deleted on early-deletion request, with the operational note that R&D Binder will be unable to support audit defense for a deleted engagement.

11. Personal Data Breach Notification

R&D Binder will notify Customer of any Personal Data Breach affecting Customer's Personal Information without unreasonable delay after becoming aware of the breach, and will use commercially reasonable efforts to provide notice within seventy-two (72) hours where reasonably practicable. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate volume of records affected, the likely consequences, and the measures R&D Binder has taken or proposes to take.

R&D Binder will provide commercially reasonable cooperation in Customer's investigation and response. Customer is responsible for any further breach-notification obligations Customer may have to data subjects, regulators, or other third parties under applicable law.

12. Audit Rights

Once per calendar year, on at least thirty (30) days' written notice, Customer may request: (a) a copy of R&D Binder's then-current security and data-handling documentation; (b) responses to a reasonable written questionnaire about R&D Binder's data-handling practices, scoped to a reasonable number of questions and reasonable preparation time; or (c) the Sub-processor list as updated. R&D Binder will respond within a reasonable time. On-site audits, penetration tests against R&D Binder or its Sub-processors, and forensic-grade audits are not supported because R&D Binder operates as a remote-first service on shared Sub-processor infrastructure. Audit cooperation that materially exceeds the scope above will be invoiced at R&D Binder's then-current professional-services rates.

12A. Confidentiality

Personal Information shared by Customer is Customer Confidential Information under the MSA, and the confidentiality obligations of the MSA apply to it without modification by this DPA.

12B. Customer Representations

Customer represents and warrants that, with respect to all Customer Inputs and any other Personal Information Customer submits to R&D Binder:

  • Customer has all rights, authority, and lawful basis necessary to share the Personal Information with R&D Binder for the purposes set out in this DPA;
  • Customer has provided any notices and obtained any consents required of Customer under applicable employment, payroll, contractor, and privacy laws to permit R&D Binder's Processing under this DPA;
  • Customer will not submit Excluded Data (as defined in Section 3) and accepts responsibility for redacting Excluded Data before submission; and
  • Customer will not submit Personal Information of individuals located in the European Economic Area, the United Kingdom, or other jurisdictions whose data-protection laws are not within the US-only scope described in this DPA, except as separately agreed in writing.

Customer will defend, indemnify, and hold R&D Binder harmless from third-party claims to the extent arising from Customer's breach of these representations, subject to the limitation of liability in Section 12 of the MSA.

13. Liability

The limitation of liability in Section 12 of the MSA applies to this DPA and to claims relating to Personal Information Processing.

14. Term

This DPA is effective on the same date as the MSA, runs for the term of the MSA, and survives termination of the MSA for the data-retention period in Section 10 and for any obligations that by their nature should survive (including security, confidentiality, and breach notification for Personal Information still held during the retention period).

15. Conflict

If there is a conflict between this DPA and the MSA, this DPA controls with respect to the Processing of Personal Information. The MSA controls in all other respects.

16. Acceptance

Customer accepts this DPA by checking the click-wrap box on the order form and submitting the order. The acceptance log is the legal record of execution; see Section 25 of the MSA.