Data Processing Addendum

Last updated: February 18, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Company and Customer, to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), and the California Consumer Privacy Act (CCPA).

1. Definitions

"Customer Data" means any personal data that the Company processes on behalf of Customer via the Services, as more particularly described in this DPA.

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under this DPA, including, where applicable, EU Data Protection Law and Non-EU Data Protection Law.

"EU Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and applicable national implementations of each (as may be amended, superseded or replaced).

"Services" means the services and products provided by the Company under the Terms of Service.

"Subprocessor" means any third-party data processor engaged by the Company who receives Customer Data from the Company for processing on behalf of Customer and in accordance with Customer's instructions (as communicated by the Company) and the terms of its written subcontract.

2. Relationship of the Parties

Customer (the "Controller") appoints the Company as a "Processor" to process Customer Data on behalf of Customer. The Company shall process Customer Data only in accordance with Customer's documented instructions as set out in this DPA and the Terms of Service.

3. Scope of Processing

The Company will process Customer Data as necessary to provide the Services pursuant to the Terms of Service, and as further instructed by Customer in its use of the Services. The Company will not process Customer Data for any other purpose.

Categories of Data Subjects

Customer's end users, employees, contacts, and other individuals whose personal data is submitted to the Services by or on behalf of Customer.

Types of Personal Data

Contact information (name, email, IP address), account data, and any other personal data submitted by Customer to the Services. This includes, but is not limited to:

  • Account data: name, email address, profile image, authentication tokens
  • Repository contents: source code, issues, pull requests, and other repository data from connected version control systems, within the scope configured by Customer
  • Agent execution data: agent instructions, run logs, tool call inputs and outputs, code executed in sandbox environments
  • Integration data: data accessed from third-party services connected by Customer (e.g. project management tools, communication platforms), within the scope of Customer-configured permissions
  • Project storage data: files and database records stored in Customer's project environments

Nature of Processing

Processing includes the following activities:

  • Storing and retrieving Customer Data to provide the Services
  • Transmitting repository contents and integration data to third-party AI providers (Anthropic, via the Vercel AI Gateway routing layer) for LLM inference as part of agent execution
  • Executing Customer-configured code in isolated sandbox environments (Fly.io)
  • Hosting per-project SQLite databases (Turso) and executing Customer-written SQL queries against them
  • Hosting persistent project filesystems (Sprites.dev) for agent code, workspace files, and run outputs
  • Orchestrating connections to third-party services via integration providers (Composio), which may involve reading, creating, modifying, and deleting data in those services on Customer's behalf
  • Scheduling and executing durable background tasks (Inngest), including agent runs triggered by cron schedules and event-driven workflows
  • Sending transactional email notifications (Resend) to Customer users
  • Generating and storing agent run logs, including summaries of actions taken and outputs produced

Duration of Processing

The Company will process Customer Data for the duration of the Customer's use of the Services, unless otherwise agreed in writing.

4. Customer Obligations

Customer shall, in its use of the Services, process personal data in accordance with the requirements of Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired the personal data.

5. Security

The Company shall implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm that might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of Customer Data, and shall have regard to the nature of the Customer Data to be protected.

6. Subprocessing

Customer provides a general authorization to the Company to engage Subprocessors to process Customer Data. The Company will maintain a list of Subprocessors and will notify Customer of any intended changes to Subprocessors, giving Customer an opportunity to object. The Company will enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA.

Current Subprocessors

Subprocessor | Purpose | Location | Data processed
Anthropic | LLM inference for AI agent execution | United States | Prompts containing repository contents, agent instructions, integration data
Vercel | Application hosting, edge functions, and AI Gateway (LLM request routing) | United States | Request metadata, session data, LLM prompts in transit
Neon | PostgreSQL database hosting (platform database) | United States | All account, project, agent, and run data
Turso | SQLite database hosting (per-project databases) | United States | Customer-defined database records, SQL queries executed by agents
Fly.io | Sandbox execution environments | United States | Code executed by agents, agent filesystem data
Sprites.dev | Persistent project filesystem storage | United States | Agent code, workspace files, run outputs, downloaded files
Composio | Third-party integration orchestration | United States | OAuth tokens, integration connection metadata
Inngest | Durable task execution and scheduling | United States | Agent run triggers, event payloads, scheduling metadata
Resend | Transactional email delivery | United States | Email addresses, notification content
Google | Authentication (OAuth sign-in) | United States | Name, email, profile image

7. Data Subject Rights

The Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a data subject for access to, correction, amendment, or deletion of that person's personal data. The Company shall not respond to any such data subject request without Customer's prior written consent except to confirm that the request relates to Customer, as permitted by Data Protection Laws.

8. Data Breach Notification

The Company shall notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data. Such notification will include, to the extent available: (a) the nature of the breach, (b) the categories and approximate number of data subjects affected, (c) the likely consequences of the breach, and (d) measures taken or proposed to address the breach.

9. Data Deletion

Upon termination of the Services, the Company shall permanently delete all Customer Data, including copies, from active systems, logs, and backups within 30 days, in accordance with the Terms of Service, unless applicable law requires retention of the Customer Data.

10. International Transfers

The Company may transfer and process Customer Data in the United States or other countries outside the European Economic Area ("EEA") or United Kingdom. For transfers of personal data from the EEA or UK to countries not deemed adequate by the European Commission, the Company relies on Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Audit Rights

Upon Customer's written request, and no more than once per year, the Company shall provide Customer with information necessary to demonstrate compliance with this DPA. Customer may, at its own expense, conduct or commission an audit of the Company's compliance with this DPA, upon reasonable advance notice and during normal business hours.

12. Limitation of Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

This DPA is a template adapted from standard GDPR data processing addendum patterns and the 37signals open-source policies, licensed under CC BY 4.0. It should be reviewed by legal counsel before use.