Draft — pending legal review. This page describes how moneta intends to operate. It is informational and not yet legally binding. Final published versions will replace this notice.

Data Processing Addendum

Data Processing Addendum (DPA).

This DPA forms part of the agreement between moneta and Customer and reflects the parties' agreement on the processing of personal data through the Service, in accordance with the GDPR, UK GDPR, and equivalent laws.

Last updated: 2026-05-19. Applies to all regions.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service. In this DPA:

  • Controller, Processor, Sub-processor, Data Subject, Personal Data, and Processing have the meanings given in the GDPR.
  • Customer Personal Data means personal data contained in Customer Data that Customer submits to the Service.
  • Standard Contractual Clauses ("SCCs") means the European Commission's standard contractual clauses (Module 2: controller to processor).

2. Roles of the parties

For Customer Personal Data, Customer is the controller and moneta is the processor. Customer is responsible for the lawfulness of processing and for obtaining all required consents and notices from data subjects.

3. Subject matter, duration, and nature of processing

  • Subject matter: the provision of the cloud reseller billing and FinOps services described in the Order Form.
  • Duration: for the duration of the agreement plus the retention period in §10 below.
  • Nature and purpose: hosting, storage, processing, and display of Customer Personal Data to support billing, pricing, discount, and reporting workflows.
  • Categories of data subjects: Customer's employees and authorized users; Customer's end customers' employees and authorized users where Customer is a reseller.
  • Categories of personal data: business contact information, technical identifiers (account IDs, IP addresses), authentication and usage logs.

4. Customer instructions

moneta will only process Customer Personal Data on Customer's documented instructions, including with respect to international transfers. The agreement (Terms + Order Form + use of the Service) constitutes Customer's complete and final instructions. Additional instructions require written agreement.

5. Security measures

moneta implements and maintains appropriate technical and organizational measures, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with least-privilege defaults and mandatory MFA for production access.
  • Network segmentation, vulnerability scanning, and quarterly penetration testing by independent firms.
  • Centralized logging and 24×7 monitoring with on-call rotations.
  • Annual security awareness training for all personnel with access to Customer Personal Data.
  • Documented incident response runbooks with tested playbooks.

Current certifications (SOC 2 Type II, ISO 27001) and summary reports are available under NDA from the Trust Center.

6. Sub-processors

Customer authorizes moneta to engage Sub-processors to perform specific processing activities. The current Sub-processor list is published on the Trust Center. We notify customers of new Sub-processors at least 30 days before onboarding via email and an in-app notice.

Customer may object on reasonable grounds related to data protection. If the objection cannot be resolved, Customer may terminate the affected portion of the agreement with a pro-rata refund.

moneta remains liable for Sub-processor performance as if performed by moneta.

7. Data subject rights

moneta provides tooling in the Service to help Customer respond to data subject requests (access, rectification, deletion, restriction, portability, objection). Where requests reach moneta directly, we forward them to Customer without responding substantively, unless legally required to act.

8. Personal data breach notification

moneta will notify Customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting Customer Personal Data. The notice will describe the nature, categories of data and approximate number of records affected, likely consequences, and measures taken or proposed.

9. International transfers

Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree the SCCs (Module 2) apply, with Customer as data exporter and moneta as data importer. Supplementary measures (encryption, transparency reports, challenge of overbroad government requests) apply. The UK International Data Transfer Addendum applies for UK transfers.

10. Return and deletion

On termination of the agreement, moneta will, at Customer's choice, return or delete Customer Personal Data within 90 days, unless retention is required by law. Backup snapshots that contain residual personal data are deleted on the standard backup rotation (up to 35 days).

11. Audits

moneta makes available to Customer the information necessary to demonstrate compliance with this DPA, including audit reports (SOC 2, ISO 27001) under NDA.

Customer may conduct an audit of moneta's processing facilities, on reasonable prior notice, no more than once per year, at Customer's expense, subject to confidentiality obligations. The audit will be conducted in a manner that does not interfere with moneta's business operations.

12. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing limits liability that cannot be excluded under applicable data protection law.

13. Contact

Data protection inquiries: dpo@monetacloud.com.