Data Processing Agreement

Last updated: January 8, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and DevHub ("Processor") and governs the processing of personal data by Processor on behalf of Customer.

This DPA is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

Personal Data:

Any information relating to an identified or identifiable natural person processed through the Service.

Processing:

Any operation performed on Personal Data, including collection, storage, use, and deletion.

Data Subject:

The individual to whom Personal Data relates.

Controller:

The Customer who determines the purposes and means of processing Personal Data.

Processor:

DevHub, which processes Personal Data on behalf of the Controller.

3. Scope and Purpose

This DPA applies to all Personal Data processed by Processor on behalf of Customer in connection with the Service. The purpose of processing is to provide the Service as described in the Terms of Service.

Types of Personal Data:

User account information (name, email, profile data)
Authentication tokens and credentials
Integration data from connected services (GitHub, Jira, Slack, etc.)
Usage data and analytics
Communication data

Categories of Data Subjects:

Customer's employees and contractors
Customer's end users
Third parties whose data appears in integrated services

4. Processor's Obligations

Processor shall:

Process Personal Data only on documented instructions from Customer
Ensure that persons authorized to process Personal Data are bound by confidentiality
Implement appropriate technical and organizational measures to ensure security
Assist Customer in responding to Data Subject requests
Assist Customer in ensuring compliance with data protection obligations
Delete or return Personal Data upon termination of services
Make available all information necessary to demonstrate compliance

5. Security Measures

Processor implements the following security measures:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Access controls and authentication mechanisms
Regular security assessments and penetration testing
Incident response and breach notification procedures
Employee training on data protection
Regular backups and disaster recovery procedures
Logging and monitoring of data access

6. Sub-Processors

Customer authorizes Processor to engage the following sub-processors:

Vercel Inc. - Hosting and infrastructure
Database providers (PostgreSQL hosting)
Authentication providers (OAuth services)
Analytics providers (Vercel Analytics)

Processor will notify Customer of any intended changes concerning the addition or replacement of sub-processors, giving Customer the opportunity to object to such changes.

7. Data Subject Rights

Processor shall assist Customer in fulfilling Data Subject requests, including:

Right of access to Personal Data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing

Customer may exercise these rights through the Service interface or by contacting support.

8. Data Breach Notification

In the event of a Personal Data breach, Processor shall:

Notify Customer without undue delay (within 72 hours of becoming aware)
Provide details of the breach, including affected data and individuals
Describe measures taken to address the breach
Recommend steps Customer should take to mitigate potential adverse effects

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Processor ensures such transfers comply with applicable data protection laws through:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions by the European Commission
Other legally recognized transfer mechanisms

10. Audits and Compliance

Customer has the right to audit Processor's compliance with this DPA. Processor shall:

Provide documentation demonstrating compliance upon request
Allow for and contribute to audits conducted by Customer or an authorized auditor
Maintain records of processing activities

Audits shall be conducted during business hours with reasonable advance notice and shall not unreasonably interfere with Processor's operations.

11. Data Retention and Deletion

Upon termination of the Service or upon Customer's request, Processor shall:

Delete or return all Personal Data to Customer within 30 days
Delete existing copies unless storage is required by law
Certify in writing that these actions have been completed

See our Data Retention Policy for details on retention periods and deletion procedures.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Processor shall indemnify Customer against claims arising from Processor's breach of this DPA.

13. Term and Termination

This DPA shall remain in effect for as long as Processor processes Personal Data on behalf of Customer. Upon termination:

Processor shall cease all processing of Personal Data
Processor shall delete or return all Personal Data as specified in Section 11
Obligations regarding confidentiality and security shall survive termination

14. Governing Law

This DPA shall be governed by the same law as the Terms of Service. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.

15. Contact Information

For questions about this DPA or to exercise your rights, contact:

Data Protection Officer

Email: privacy@devhub.com

Address: [Your Company Address]

This Data Processing Agreement is effective as of the date you accept the Terms of Service and remains in effect for the duration of your use of the Service.