Data Processing Agreement

Template v1.0 · Last updated 2026-05-24

This DPA is between NEW RZS SRL (CUI RO48756557, EUID ROONRC.J2023005851235, Str. Gliei 34-38, Corp B, Loc. Bragadiru, Jud. Ilfov, 077025, Romania), trading as MCPSpend (the Processor), and the customer organization identified in the MCPSpend account (the Controller). It is incorporated by reference into our Terms of Service for customers on Team and Enterprise plans.

Get a counter-signed PDF

Email support@mcpspend.com with your legal entity name + signatory + billing address. We counter-sign and return a PDF within 5 business days. No legal-team back-and-forth — the template below is exactly what we sign.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Data Subject" and "Sub-processor" have the meanings assigned to them in the GDPR. "Services" means the MCPSpend product as described at mcpspend.com.

2. Subject matter, duration, nature, purpose

The Processor processes Personal Data on behalf of the Controller solely to provide the Services. Duration: for as long as the Controller maintains an active MCPSpend account, plus the retention windows defined in clause 8. Nature and purpose: cost tracking, observability, billing, audit log, and other functionality the Controller chooses to use.

3. Categories of Personal Data

Account data: email, optional name, hashed password, organization affiliation.
Tool-call metadata: MCP server name, tool name, model identifier, latency, success/error, payload byte counts. (NOT tool arguments or response bodies.)
Audit log: who changed what, when, and from which IP, for sensitive actions on the account.
Billing data: Stripe customer ID and subscription ID. We never see or store card data.

4. Categories of Data Subjects

Employees, contractors, and end-users of the Controller who use the Services, plus end-customer identifiers the Controller chooses to attribute via the customerLabel field.

5. Processor obligations

Process Personal Data only on documented instructions from the Controller (the account configuration constitutes such instruction).
Ensure persons authorized to process Personal Data are under confidentiality obligations.
Implement the technical and organisational measures listed in /security (encryption at rest, HTTPS-only, SHA-256 API key hashes, bcrypt cost 12 passwords, per-tenant isolation).
Notify the Controller without undue delay (and in any case within 72 hours per GDPR Art. 33) of any Personal Data breach affecting their data.
Assist the Controller with Data Subject rights requests (Art. 15-22), including the self-serve flows at /dashboard/account/privacy.

6. Sub-processors

The Controller grants general authorization for the Sub-processors listed at /security. The Processor will notify the Controller at least 30 days in advance of any addition or replacement of Sub-processors. The Controller may object on reasonable grounds, in which case the parties will work in good faith to find an alternative or terminate the affected portion of the Services.

Current Sub-processors: Hostinger (EU hosting), Stripe (payment processing), Resend (transactional email), Cloudflare R2 (encrypted backups, EU region), Google Analytics 4 (marketing pages, opt-in only).

7. International transfers

MCPSpend application data is processed in the EU. Some Sub-processors (Stripe, Resend) may transfer Personal Data outside the EU under EU Standard Contractual Clauses (SCCs) included in their respective DPAs, which we have signed.

8. Retention & deletion

Tool-call metadata retention follows the Controller's plan: Free 7 days, Pro 30 days, Team 90 days, Enterprise unlimited (or as agreed in writing). On account deletion, identifying fields are anonymised within 24 hours and hard-purged within 30 days. Audit-log entries are retained per GDPR Art. 17 §3(b) (legal record exemption).

9. Audits

The Controller has the right to audit the Processor's compliance once per calendar year with 30 days' written notice. The Processor will make available all information necessary to demonstrate compliance with this DPA and the GDPR, including third-party reports (SOC 2 Type I in progress with Vanta, expected Q4 2026).

10. Liability & governing law

The liability of each Party under this DPA is capped at 12 months of fees paid by the Controller to the Processor under the underlying agreement. Governed by Romanian law; disputes resolved in Bucharest courts.

How to execute

Email support@mcpspend.com with subject "DPA request" — include legal entity name, signatory name + title, billing address, MCPSpend organization id.
We send back a PDF of this template populated with your details, signed by us.
You counter-sign and return. We file both copies.

Turn-around: 5 business days. No legal-team back-and-forth — the template above is exactly what we sign. If your legal needs custom clauses, Enterprise customers can negotiate.