Data Processing Addendum
Last Updated: Dec 17, 2025
This Data Processing Addendum (“DPA”) forms part of the agreement between Massient, Inc. (“Massient”, “Processor”, “we”, “us”) and the entity or individual using MassTransit under a commercial license (“Customer”, “Controller”, “you”).
This DPA applies solely to the extent that Massient, Inc. processes Personal Data on behalf of Customer in connection with subscription, billing, and license management.
Effective Date:
This DPA is effective as of the date Customer first uses MassTransit under a commercial license issued by Massient, Inc.
1. Definitions
For purposes of this DPA, the following terms have the meanings set forth below or, where not defined, the meanings given under Applicable Data Protection Laws.
- Applicable Data Protection Laws
  All applicable privacy and data protection laws and regulations, including but not limited to:
  - Regulation (EU) 2016/679 (“GDPR”)
  - UK GDPR and the UK Data Protection Act 2018
  - California Consumer Privacy Act, as amended (“CCPA/CPRA”), where applicable
- Personal Data
  Any information relating to an identified or identifiable natural person.
- Processing, Controller, Processor, Sub-processor, Data Subject
  Have the meanings assigned under Applicable Data Protection Laws.
2. Roles of the Parties
- Customer acts as the Controller of Personal Data.
- Massient acts as a Processor with respect to limited Personal Data processed for subscription, billing, and license administration.
- Massient does not act as a Controller of Customer application data, message content, payloads, or operational data processed using MassTransit.
For clarity, Personal Data does not include company-level information that does not relate to an identified or identifiable natural person.
3. Scope and Purpose of Processing
3.1 Purpose
Massient processes Personal Data solely for the following purposes:
- Subscription and account management
- Billing and invoicing
- License generation, validation, and renewal
- Customer support related to licensing or billing
- Compliance with legal and financial obligations
3.2 Nature of Processing
Processing activities are limited to:
- Collection
- Storage
- Access
- Use
- Transmission, as required for payment processing
4. Categories of Data Subjects and Personal Data
4.1 Data Subjects
- Customer employees, contractors, or authorized representatives involved in purchasing or administering MassTransit licenses.
4.2 Categories of Personal Data
- Name
- Business email address
- Business contact information
- Billing address
- Payment and subscription identifiers
4.3 Excluded Data
Massient does not process or store:
- End-user application data
- Message payloads or message headers
- Production or runtime data processed by MassTransit
- Special categories of personal data or sensitive personal data
5. Data Storage and Systems
5.1 Stripe as Primary Personal Data Store
- All subscription and billing Personal Data is processed and stored primarily by Stripe, Inc. (“Stripe”).
- Massient does not maintain internal systems storing Customer Personal Data beyond what is accessible through its authorized Sub-processors.
5.2 Sub-processor Authorization
- Customer authorizes Massient to engage Stripe as a Sub-processor.
- Stripe’s data protection practices apply to all such processing.
6. Data Retention and Deletion
Personal Data is retained only for as long as necessary to fulfill the purposes described in this DPA or as required by applicable law. Personal Data is deleted or anonymized in accordance with the retention policies of the applicable Sub-processors.
7. Assistance and Cooperation
Taking into account the nature of processing, Massient shall reasonably assist Customer in meeting its obligations under Applicable Data Protection Laws.
8. Processing Instructions
Massient shall:
- Process Personal Data only on documented instructions from Customer, including as necessary to provide the services.
- Not process Personal Data for any purpose other than those described in this DPA, unless required by applicable law.
9. Confidentiality
Massient ensures that:
- Personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Access to Personal Data is limited to those with a legitimate business need.
10. Security Measures
Massient implements appropriate technical and organizational measures to protect Personal Data, including:
- Reliance on Stripe’s PCI-DSS-compliant infrastructure
- Encryption of data in transit and at rest, as provided by Stripe
- Role-based access controls
- Data minimization principles
11. Sub-processing
The following Sub-processors are authorized for the processing of Personal Data:
- Stripe, Inc. – Subscription management, billing, and payment processing.
- Zendesk, Inc. – Customer support communications related to licensing or billing inquiries.
Customer support does not involve access to Customer application data, message payloads, or runtime data processed by MassTransit.
No additional Sub-processors are engaged for the processing of Personal Data related to MassTransit. Massient maintains a current list of Sub-processors and will update this DPA if additional Sub-processors are engaged for Personal Data processing.
12. Data Subject Rights
To the extent required by Applicable Data Protection Laws, Massient will reasonably assist Customer in responding to Data Subject requests.
13. Personal Data Breach Notification
Massient shall:
- Notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting data processed under this DPA.
- Provide information reasonably necessary to enable Customer to comply with applicable breach notification obligations.
14. International Data Transfers
Personal Data may be processed by Stripe and Zendesk in jurisdictions outside the Customer’s country.
Both Sub-processors implement appropriate safeguards, such as Standard Contractual Clauses, where required by law.
15. Audits
Given the limited nature of processing:
- Customer acknowledges that audit obligations are satisfied through Stripe’s publicly available compliance reports and certifications.
- No on-site audits of Massient systems are applicable, as Personal Data is not stored on Massient-controlled infrastructure.
16. Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the license agreement.
17. Governing Law
This DPA is governed by and construed in accordance with the governing law specified in the license agreement.
18. Order of Precedence
In the event of a conflict between this DPA and the underlying agreement, this DPA shall prevail with respect to data protection matters.