Data Processing Agreement

Version 1.0 · Effective May 3, 2026

This Data Processing Agreement ("DPA") supplements the Pullminder Terms of Service between Pullminder (the "Processor") and the customer that signed up for the Service (the "Controller") and addresses the parties' obligations under Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent UK and Greek law. To execute this DPA, email a countersigned copy to legal@pullminder.com.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. "Customer Personal Data" means personal data the Controller (or its end users) submits to the Service. "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data on behalf of the Controller.

2. Subject matter and duration

The Processor processes Customer Personal Data only to provide the Service described in the Terms of Service. Processing continues for the term of the Terms of Service plus the data-retention period referenced in Section 7.

3. Nature, purpose, and categories of processing

  • Nature: hosting, storage, analysis, and transmission of GitHub pull-request metadata, diff hunks, risk scores, reviewer briefs, audit logs, and account information.
  • Purpose: providing the Service, generating risk and policy outputs, alerting, billing, and producing aggregate analytics.
  • Categories of data subjects: Controller's employees and contractors who connect to the Service, plus authors of pull requests inside connected repositories.
  • Categories of personal data: name, work email, GitHub login, IP address, repository activity, billing records.
  • Special categories: none expected. The Controller agrees not to upload special categories of personal data via the Service.

4. Processor obligations (Art. 28(3) GDPR)

  1. Process Customer Personal Data only on documented instructions from the Controller, including transfers outside the EEA (see Section 6).
  2. Ensure that personnel authorised to process the data are bound by confidentiality obligations.
  3. Implement the technical and organisational measures listed in Annex II of this DPA.
  4. Engage Sub-processors only under the conditions in Section 5.
  5. Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects under Articles 15-22 GDPR.
  6. Assist the Controller with its obligations under Articles 32 to 36 GDPR.
  7. At the Controller's choice, delete or return all Customer Personal Data after the end of the provision of services and delete existing copies, unless EU or Member-State law requires otherwise.
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Sub-processors

The Controller hereby grants the Processor general written authorisation to engage the Sub-processors listed at /legal/sub-processors. The Processor will provide at least 30 days' notice of any addition or replacement of a Sub-processor by updating that page and notifying the Controller's primary contact by email. The Controller may object on reasonable grounds within that notice period; if the parties cannot agree, the Controller may terminate the affected portion of the Service.

The Processor flows down the obligations of this DPA to each Sub-processor by written contract.

6. International transfers

Customer Personal Data is hosted in the European Union. Where a Sub-processor is based outside the EEA in a country without an adequacy decision, transfers are governed by the EU Standard Contractual Clauses (Module 3, Processor-to-Processor) attached to the relevant Sub-processor agreement, together with appropriate supplementary measures.

7. Retention and deletion

The Processor retains Customer Personal Data for the duration of the Controller's subscription and for 90 days following termination, after which the data is permanently deleted. The Controller may configure shorter retention windows per resource type via the dashboard. Backups containing residual data are overwritten on a rolling 35-day cycle.

8. Personal data breach notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include the information required by Article 33(3) GDPR to the extent then available. The Processor's full incident-response procedure is summarised in Annex II.

9. Liability and order of precedence

The liability cap in the Terms of Service applies to claims under this DPA. In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Customer Personal Data.

Annex I — Details of processing

  • Controller: the entity named in the Pullminder account billing details.
  • Processor: Upmate IKE, Thessaloniki, Greece.
  • Frequency: continuous, in real time when GitHub events arrive or the dashboard is used.
  • Storage location: Hetzner data centres in Helsinki, Finland and Falkenstein, Germany.

Annex II — Technical and organisational measures

  • TLS 1.2+ for all data in transit; HSTS on customer-facing endpoints.
  • AES-256-GCM column-level encryption at rest for Slack webhook URLs, IP addresses, names, emails, AI-brief content, and reviewer prompts. Key rotation supported via key generations.
  • Role-based access control inside the dashboard; admin endpoints gated by the GitHub login allowlist.
  • Structured audit logging of state-changing operations; sensitive values (webhooks, emails, tokens) redacted before storage.
  • HMAC validation of inbound GitHub and Viva webhooks; CSRF protection on the dashboard; rate limiting on auth endpoints.
  • Daily encrypted database backups, restored at least monthly to verify integrity.
  • Personal-data breach response plan: detect (24h target), contain, assess, notify Controller within 48h, notify supervisory authority within 72h where required.
  • Vendor management: each Sub-processor reviewed for adequate measures and bound by an equivalent processor agreement.

Execution

To execute this DPA, download a PDF copy from your dashboard's Legal tab, sign on behalf of the Controller, and email the countersigned copy to legal@pullminder.com. We will return a fully countersigned PDF within 5 business days.

Questions: privacy@pullminder.com.