Skip to main content

Data Processing Agreement

Effective date: June 3, 2026

1. Purpose and Scope

This Data Processing Agreement (“DPA”) forms part of the agreement between Butterfly Security (“Butterfly”, “we”, “us”) and the customer (“Customer”, “you”) governing your use of the Butterfly Security service (the “Service”). It applies to the extent Butterfly processes Personal Data on the Customer’s behalf in the course of providing the Service.

Where there is a conflict between this DPA and the Terms of Service on matters of data protection, this DPA controls.

2. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or in Regulation (EU) 2016/679 (“GDPR”).

  • Controller – the entity that determines the purposes and means of processing Personal Data.
  • Processor – the entity that processes Personal Data on behalf of the Controller.
  • Sub-processor – a third party engaged by the Processor to assist in delivering the Service.
  • Personal Data – any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Customer Data– the snapshots, configuration metadata, and audit records that Butterfly collects from the Customer’s identity provider on the Customer’s instruction.

3. Roles of the Parties

In respect of Customer Data, the Customer is the Controller and Butterfly is the Processor. Butterfly will only process Customer Data on the Customer’s documented instructions (including those embodied in the Service itself – for example, scheduling a backup or running a restore).

In respect of account and billing information you provide directly to Butterfly (your name, email, plan tier, payment metadata), Butterfly is the Controller. The handling of that information is described in our Privacy Policy.

4. Categories of Data and Data Subjects

Categories processed: identity provider configuration metadata (users, groups, applications, policies, factors, network zones), Okta Workflows automation definitions, Auth0 tenant configuration, audit and event records, and the Customer’s connection records identifying the source tenant.

Categories NOT processed: Butterfly does not store end-user credentials in plaintext. Provider API tokens, OAuth refresh tokens, and private keys are encrypted at rest in Cloudflare R2 and Supabase, decrypted only inside the Butterfly Workers runtime, and are excluded from data exports.

Data subjects:the Customer’s employees, contractors, partners, customers, and any other natural person whose identity records are present in the Customer’s connected identity provider tenant.

5. Sub-processors

Butterfly uses a small set of sub-processors to deliver the Service. The current list, the purpose for which each sub-processor is engaged, and the data category each receives is published and kept current at butterflysecurity.org/subprocessors.

Butterfly will notify Customers of any new or replacement sub-processor before that sub-processor begins processing Customer Data, with at least 30 days’ notice via the email address on file for the Customer’s account. Customers may object in writing within that 30-day window. If Butterfly and the Customer cannot resolve the objection, the Customer may terminate the affected portion of the Service for convenience.

Butterfly remains liable for the acts and omissions of its sub-processors as if they were its own.

6. Data Retention

Butterfly retains Customer Data for the duration of the Customer’s subscription. Snapshot retention is configurable per plan tier:

  • Free: 7 days, 1 snapshot.
  • Standard: 90 days (configurable shorter), per connection.
  • Business: unlimited retention, per connection, configurable per backup type.

On termination or on a verified erasure request under Section 11, Butterfly will delete Customer Data within 30 days, subject to any ongoing legal hold permitted by Section 11.

7. International Transfers

Butterfly is established in the United States. Customer Data may be processed in the United States and at any edge location used by our sub-processors (see Section 5).

Where the Customer is established in the European Economic Area, the United Kingdom, or Switzerland, Butterfly will rely on the European Commission’s Standard Contractual Clauses (Module Two – Controller to Processor, Commission Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum. Customers in these regions should contact legal@butterflysecurity.org to execute the relevant SCCs.

8. Security Measures

Butterfly implements technical and organisational measures appropriate to the risk, including encryption at rest and in transit, role-based access control, audit logging, separation of duties between application and platform engineers, and least-privilege access to production systems. The current set of measures is described at butterflysecurity.org/security.

Butterfly hosts the Service on infrastructure that operates under SOC 2 Type II attestations (Cloudflare, Supabase). The product itself is undergoing SOC 2 Type II audit; the public Trust Center is the source of truth for current status.

9. Personal Data Breach Notification

Butterfly will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Data. The notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the Butterfly point of contact for follow-up.

10. Audit Rights

Customers on the Business plan may, no more than once per calendar year and on at least 30 days’ written notice, request a copy of Butterfly’s then-current SOC 2 report (once available), penetration test summary, sub-processor list, and security policy summary, under reasonable confidentiality terms.

On-site audits and direct access to production systems are not part of the standard Service. Where required by applicable law or a Customer’s regulator, additional audit cooperation may be negotiated under a separate written agreement and at the Customer’s cost.

11. Data Subject Rights and Erasure

Butterfly will assist the Customer, taking into account the nature of the processing, in fulfilling its obligations to respond to data-subject requests under GDPR Articles 15–22. Most such requests are best handled by the Customer directly within the source identity provider; where the request reaches Butterfly, we will forward it to the Customer within 5 business days.

Account-level erasure (GDPR Article 17) is available via Settings → Data rights within the dashboard. Requests trigger a 30-day grace period during which the Customer can cancel; on expiry, Butterfly deletes all team-scoped data and records a row-count summary in an audit ledger for compliance purposes.

Account-level data export (GDPR Article 20) is available via the same surface and returns a machine-readable JSON bundle of every row Butterfly holds for the requesting team. Exports are rate-limited to one per 7 days per team.

12. Termination and Return or Deletion of Data

On expiry or termination of the Customer’s subscription, Butterfly will:

  • Allow the Customer to export Customer Data via the in-product data export surface (Section 11) for up to 30 days after termination;
  • After that window, delete all Customer Data from production systems within 30 days, unless retention is required by applicable law;
  • Retain only a deletion-audit row (team identifier, requesting email, completion timestamp, and a count-only summary of rows deleted) – no Customer Data content survives this step.

13. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Butterfly’s aggregate liability under or in connection with this DPA will not, in any 12-month period, exceed the fees paid by the Customer in the preceding 12 months. Nothing in this DPA limits liability that cannot be limited under applicable law, including liability for gross negligence, wilful misconduct, or fraud.

14. Effective Date and Changes

This DPA is effective from the date the Customer accepts the Terms of Service and remains in force for the duration of the subscription. Butterfly may update this DPA from time to time to reflect changes in law, sub-processor relationships, or product capability. Material changes will be notified at least 30 days in advance via the email address on file for the Customer’s account.

15. Contact

Questions about this DPA or to request execution of Standard Contractual Clauses: legal@butterflysecurity.org.

See also: Privacy Policy · Terms of Service · Sub-processors · Security