Data Processing Addendum

Last updated: May 2026

Ringfence is a product of Settleby Ltd, a company registered in England and Wales (No. 15107426, VAT GB448267759).

1. Application

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Settleby Ltd ("Processor", "we") and the customer identified in the relevant subscription ("Controller", "you").

It applies whenever Settleby processes personal data on your behalf in connection with the Service — most directly, when our cloud receives heartbeat metadata containing identifiers of the developers your team has authorised to use Ringfence.

This DPA is binding without a wet-ink signature: by subscribing to a paid plan and continuing to use the Service, you and Settleby each agree to it. A countersigned copy is available on request to hello+legal@ringfence.dev for procurement teams that need one.

2. Definitions

Terms used in this DPA — including "personal data", "data subject", "controller", "processor", "sub-processor", "processing", and "personal data breach" — have the meanings given in the UK General Data Protection Regulation, and where applicable the EU General Data Protection Regulation.

"Customer Personal Data" means personal data that Settleby processes on the Controller's behalf in providing the Service, as set out in Schedule 1.

3. Roles and instructions

The Controller is the controller of Customer Personal Data. Settleby acts as a processor and processes Customer Personal Data only on the Controller's documented instructions, including those set out in this DPA, the Terms of Service, and any settings configured by the Controller in the cloud dashboard.

We will notify the Controller without undue delay if we believe an instruction infringes UK or EU data-protection law.

4. Confidentiality

Persons authorised by Settleby to process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

5. Security

Settleby implements the technical and organisational measures set out in Schedule 2. These are intended to ensure a level of security appropriate to the risk, taking into account the nature of the data and the costs of implementation.

6. Personal data breach

Settleby will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting Customer Personal Data. We will provide reasonable cooperation to enable the Controller to comply with its own breach-notification obligations.

7. Sub-processors

The Controller authorises Settleby to engage the following sub-processors:

  • Stripe Payments Europe Ltd — subscription billing
  • Resend — transactional email delivery
  • Hosting provider for cloud infrastructure (currently in the United Kingdom)

We will give the Controller at least 30 days' prior notice (by email to the account address) before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds; if the parties cannot agree a workaround, the Controller may terminate the affected portion of the Service for a pro-rata refund of pre-paid fees.

Each sub-processor is engaged under a written agreement imposing data-protection obligations equivalent to those in this DPA. Settleby remains liable to the Controller for the performance of its sub-processors.

8. International transfers

Where Customer Personal Data is transferred outside the United Kingdom or European Economic Area, the parties incorporate by reference the UK International Data Transfer Agreement and, where applicable, the European Commission's Standard Contractual Clauses (Module Two — Controller to Processor), with Settleby as data importer where it is established outside the relevant region. The Controller may request a copy of completed transfer mechanisms from hello+legal@ringfence.dev.

9. Data subject rights

Taking into account the nature of the processing, Settleby will provide reasonable assistance — through technical and organisational measures, insofar as possible — to enable the Controller to respond to data subjects exercising their rights under data-protection law.

If a data subject contacts Settleby directly, we will refer them to the Controller and, where required by law, notify the Controller.

10. Audit

Settleby will make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance with this DPA. The Controller may carry out an audit no more than once per year, on at least 30 days' written notice and subject to a reasonable confidentiality undertaking. Audits must not unreasonably interfere with Settleby's business or compromise the security of other customers.

11. Return or deletion

On termination of the Service, the Controller may export account data and heartbeat metadata for 30 days. Thereafter, Settleby will delete or return Customer Personal Data within 90 days, save to the extent retention is required by applicable law (for example, billing records under HMRC rules).

12. Liability

Each party's liability under or in connection with this DPA is subject to the limits and exclusions in the Terms of Service, save that nothing in the Terms limits liability that cannot be limited by law (including liability under Article 82 UK GDPR for damage caused by infringing the Regulation).

Schedule 1 — Processing details

Subject matter: provision of the Ringfence cloud dashboard and related Service features.

Duration: the term of the subscription, plus retention periods set out in clause 11 and the Privacy & Cookie Policy.

Nature and purpose: receiving signed heartbeats from the Controller's authorised local agents, attributing them to the Controller's team, and presenting aggregate metrics in the dashboard. Sending billing- and account-related email.

Categories of data subjects: the Controller's developers and other personnel authorised to install the local agent or sign in to the dashboard.

Categories of personal data: email address, hashed password (if used), team and role information, agent identifiers, IP address, and operational logs. No prompts, completions, file paths, or source code.

Special categories: none.

Schedule 2 — Security measures

  • TLS for all data in transit; HSTS on public endpoints.
  • Heartbeat authentication: each agent holds its own bearer token; every heartbeat carries an HMAC-SHA256 over the request timestamp and body, and heartbeats whose timestamp differs from server time by more than 300 seconds in either direction are rejected.
  • Bcrypt-hashed passwords; magic-link tokens are single-use and short-lived.
  • Per-agent rate limiting on the heartbeat endpoint.
  • Production access via SSH keys; no shared credentials. Access events are logged.
  • Encrypted, off-host database backups with 30-day retention.
  • Application logs scrubbed of request and response bodies.
  • Periodic dependency and infrastructure-vulnerability review.
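
The heartbeat authentication measure above, shown as a server-side verifier. This is an added example written for this page, not Settleby's code: the header names, the agent registry, the byte layout of "timestamp + body" and the replay cache are all assumptions. Schedule 2 only states the per-agent token, HMAC-SHA256 and the ±300 second window.

```python
import hashlib
import hmac
import time

DRIFT_SECONDS = 300  # the ±300 second window from Schedule 2

# Constructed registry for the example: bearer token -> (agent id, per-agent secret).
# Hypothetical values; a real deployment would load these from its datastore.
AGENTS = {
    "tok_agent_7f3a": ("agent-7f3a", b"constructed-secret-for-agent-7f3a"),
    "tok_agent_9c21": ("agent-9c21", b"constructed-secret-for-agent-9c21"),
}

# Assumed header names; Schedule 2 does not specify them.
H_AUTH, H_TS, H_SIG = "Authorization", "X-Ringfence-Timestamp", "X-Ringfence-Signature"


def canonical_message(timestamp: int, body: bytes) -> bytes:
    """Assumed encoding of "timestamp + body": decimal seconds, a newline, then the raw
    body. A fixed separator keeps (ts="1", body="23") and (ts="12", body="3") distinct."""
    return str(timestamp).encode("ascii") + b"\n" + body


def sign_heartbeat(token: str, secret: bytes, body: bytes, now: int) -> dict:
    """Client side: build the authenticated headers for one heartbeat."""
    mac = hmac.new(secret, canonical_message(now, body), hashlib.sha256).hexdigest()
    return {H_AUTH: f"Bearer {token}", H_TS: str(now), H_SIG: mac}


class HeartbeatVerifier:
    def __init__(self, agents=AGENTS, drift=DRIFT_SECONDS, clock=time.time):
        self.agents, self.drift, self.clock = agents, drift, clock
        # Replay cache keyed by (agent, timestamp, mac). Not stated in Schedule 2: the
        # drift window bounds how long a captured heartbeat stays valid, it does not stop
        # it being resent inside that window, so a per-agent cache closes that gap.
        self._seen = {}

    def verify(self, headers: dict, body: bytes):
        """Return (agent_id, None) on success or (None, reason) on rejection."""
        auth = headers.get(H_AUTH, "")
        if not auth.startswith("Bearer "):
            return None, "missing bearer token"
        entry = self.agents.get(auth[len("Bearer "):])
        if entry is None:
            return None, "unknown agent token"
        agent_id, secret = entry

        try:
            ts = int(headers.get(H_TS, ""))
        except ValueError:
            return None, "bad timestamp"
        now = int(self.clock())
        if abs(now - ts) > self.drift:
            return None, "timestamp outside drift window"

        expected = hmac.new(secret, canonical_message(ts, body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading bytes matched.
        if not hmac.compare_digest(expected, headers.get(H_SIG, "")):
            return None, "bad signature"

        self._evict(now)
        key = (agent_id, ts, expected)
        if key in self._seen:
            return None, "replayed heartbeat"
        self._seen[key] = ts
        return agent_id, None

    def _evict(self, now: int) -> None:
        # Entries older than the window would fail the drift check anyway.
        for key in [k for k, ts in self._seen.items() if now - ts > self.drift]:
            del self._seen[key]
```

The checks run cheapest-first (token lookup, timestamp, then the MAC) so that unauthenticated traffic is rejected before any HMAC is computed, and the MAC is verified before the replay cache is consulted so that an attacker cannot poison the cache with forged entries. The timestamp bound is the only thing that keeps the replay cache small.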

Contact

Settleby Ltd, registered in England and Wales (No. 15107426).

DPA enquiries: hello+legal@ringfence.dev