
Data Processing Addendum.

The contract that governs how CodeCourier processes personal data on your behalf - Article 28 GDPR, with the 2021 Standard Contractual Clauses incorporated by reference. Pre-signed and counter-executed within one business day.

Document: DPA · v2.1
Reference: GDPR Art. 28
Processor: CodeCourier
Controller: ________________________
Effective: __ / __ / ____
Background

What this document actually does.

Under Article 28 GDPR, whenever a service provider processes personal data on a customer's behalf - even routinely, even via a SaaS interface - a written contract is mandatory. The DPA is that contract.

It assigns roles: the customer is the Controller (you decide why and how data is processed) and CodeCourier is the Processor (we execute on your documented instructions). It then locks down exactly what we may and may not do with that data.

It is called an addendum because it lives alongside our Master Services Agreement (MSA) or Terms of Service - the commercial contract sets out the service; the DPA sets out the data-protection guardrails layered on top.

Do you need a DPA? You do if any of the following apply:
  • You process personal data of EU, EEA, UK or Swiss residents through CodeCourier.
  • You upload code, logs or prompts that may contain personal data (names, emails, identifiers).
  • You operate under contractual data residency or vendor due-diligence obligations.
Clauses at a glance

12 clauses, all Art. 28-aligned.

Every Article 28(3) mandatory element is covered. Plain-English summaries below - the actual legal text is in the document itself.

Clause 1

Subject matter & duration

Defines what processing is in scope (the CodeCourier service) and how long it lasts (for the term of the MSA, plus a defined residual window).

Clause 2

Nature & purpose of processing

Describes what we actually do with personal data: hosting, code execution, agent orchestration, logging, support, and billing - and nothing beyond.

Clause 3

Types of personal data

Lists the categories of personal data that may be processed: account identifiers, code and prompts, configuration, support correspondence, telemetry.

Clause 4

Categories of data subjects

Identifies whose data is processed: the Controller's employees, contractors, customers and any end users whose personal data the Controller submits via the service.

Clause 5

Processor obligations & instructions

We process only on documented instructions from the Controller. Anything outside that scope requires a written change order, unless Union or Member State law requires the processing, in which case we inform you before processing (unless that law prohibits us from doing so), as Art. 28(3)(a) provides.

Clause 6

Confidentiality

All personnel with access are bound by written confidentiality. Access is least-privilege, logged, and reviewed quarterly under our SOC 2 controls.

Clause 7

Security measures (Art. 32)

Annexes the technical and organisational measures: encryption, access control, pseudonymisation, resilience, incident response, regular testing.

Clause 8

Subprocessor terms

General authorisation with 30 days' advance notice for new subprocessors. Controllers retain a right to object and, on cause, to terminate.

Clause 9

Assistance with data subject rights

We help Controllers respond to access, rectification, erasure, restriction, portability and objection requests within the GDPR's one-month response window (Art. 12(3)), so that you have what you need well before your deadline.

Clause 10

Personal data breach notification

We notify the Controller without undue delay - and never later than 24 hours from awareness - with all information required for the Art. 33/34 reports.

Clause 11

Audit rights

Annual SOC 2 Type II report satisfies routine audits; on-cause on-site audits are available with 30 days' notice and reasonable confidentiality safeguards.

Clause 12

Return or deletion of data

On termination, Controllers choose return or deletion of personal data. Deletion is completed within 30 days, with a written attestation on request.

These are explanations, not the contract. Request the document for the precise wording.

Sign in 3 steps

Pre-signed and ready.

Our DPA is pre-signed on the Processor side. You countersign and send it back - most agreements are fully executed within one business day.

Step 01

Request

Email legal with your company name and the email address you want named on the agreement. We send the pre-signed PDF, SCCs, and the security annex.

→ Request via email
Step 02

Review & countersign

Take as long as you need. Most teams turn it around in 1–3 days. We are happy to red-line minor edits where legally feasible - the DPA is built to be Art. 28-tight.

Review window
Step 03

Counter-execute

Send the signed copy back. We countersign on receipt and return the fully executed PDF with a unique reference number for your records.

24-hour turnaround
Subprocessor management

Disclosed, reviewed, controllable.

We rely on a deliberately short list of subprocessors to deliver the service. Every one is contractually bound to the same Art. 28 obligations we owe you.

Subprocessors are the third parties we use to run the service - cloud infrastructure, sandbox runtime, transactional email, observability and analytics. None of them sit between you and your data without a signed processing agreement of their own.

Before we add or replace a subprocessor, every Controller on the DPA gets at least 30 days' advance written notice. The notice covers who the new vendor is, what they process, where, and on what legal basis.

If you object on reasonable data-protection grounds and we cannot offer an alternative, you may terminate the affected portion of the service without penalty. Silence after the 30-day window counts as approval.

Categories in scope
  • Cloud infrastructure
  • Sandbox runtime
  • Transactional email
  • Observability
  • Product analytics
Request the latest subprocessor list
Right to audit

Verify, don't just trust.

The DPA gives Controllers a layered audit right - annual third-party reports for the routine case, and on-site audits when a real concern arises.

ISO 27001 (on roadmap)

ISO 27001 certification is on our security roadmap. In the interim, we share equivalent control evidence and gap analyses on request to enterprise Controllers.

On-cause audits

Where SOC 2 evidence is insufficient - for example after a breach or a regulator inquiry - Controllers may request an on-site audit with 30 days' written notice.

Audits respect confidentiality and operational continuity: they verify that controls exist and operate, and they do not involve extracting or copying customer data.

Cross-border

Transfers handled by SCCs.

Where personal data flows from the EU/EEA, UK or Switzerland to a third country, the DPA incorporates the European Commission's 2021 Standard Contractual Clauses - Module Two (Controller-to-Processor) and Module Three (Processor-to-Subprocessor) - by reference, with the UK Addendum and the Swiss FDPIC variations applied automatically.

Transfers between Switzerland and the EU/EEA rely on their mutual adequacy recognition; transfers from Switzerland to other third countries run under the SCCs with the FDPIC-recognised amendments. UK transfers run under the UK IDTA or the UK Addendum to the EU SCCs. We complete a Transfer Impact Assessment for each subprocessor location and provide a copy on request.

Full transfer details on the GDPR page
Security annex

Art. 32 measures, in the document.

The DPA annexes the technical and organisational measures (TOMs) we maintain to protect personal data - a contractually binding summary of what lives in full detail on our Security page.

Full technical measures on the Security page
  • Encryption - in transit (TLS 1.3) and at rest (AES-256), with managed key rotation.
  • Access control - SSO, MFA, least-privilege RBAC, quarterly access reviews.
  • Pseudonymisation - applied to identifiers in logs and analytics wherever feasible.
  • Resilience - multi-AZ infrastructure, automated backups, tested restore procedures.
  • Incident response - 24/7 on-call, documented runbooks, 24-hour breach notification SLA.
  • Regular testing - annual third-party penetration tests and continuous automated scans.
Cooperation

We help you meet your obligations.

Controllers carry the primary responsibility for data subject rights, DPIAs and breach notifications. The DPA contractually binds us to provide reasonable assistance with each of these - at no extra cost for routine requests.

Concretely: we surface the data we hold for an access or portability request, execute erasure under your written instruction, support your DPIAs with information about the processing, and notify you of a personal data breach within 24 hours of becoming aware - with all the detail you need for your Art. 33 filing.

Request

Ready to execute?

Email us and we send the full DPA package - pre-signed, ready for countersignature, and accompanied by everything procurement will ask for.

Pre-signed DPA (PDF)

Article 28-aligned, ready for your countersignature.

Standard Contractual Clauses

2021 SCCs, Modules 2 and 3, with UK Addendum and Swiss variations.

Subprocessor list

Current vendors, categories, locations and transfer mechanisms.

Security measures annex

The Art. 32 technical and organisational measures, in contract form.

Request the DPA package

Returned within one business day. Reviewed by counsel; questions welcome.

FAQ

Common DPA questions.

Do I need a DPA if I'm only on the free plan?
Whether a DPA is required depends on whether you process personal data through CodeCourier - not on the plan you're on. If you do, even on a free workspace, Article 28 still applies and we will happily execute a DPA at no additional cost.
Can I negotiate changes to the DPA?
Our DPA is built to be Art. 28-tight and is broadly accepted as-is by enterprise procurement and legal teams. We are open to reasonable red-lines - typically around notice windows, audit scope and definitions - and will respond within five business days. Substantive changes are reviewed by our outside counsel.
Is the DPA bilingual?
The authoritative version is in English. For customers in the DACH region we can provide a German reading copy alongside the English original; in case of any conflict the English version governs. We can produce other languages on a per-deal basis for enterprise contracts.
Does the DPA cover Swiss FADP?
Yes. The DPA is drafted to be valid under both the GDPR and the revised Swiss Federal Act on Data Protection (FADP), and the SCCs are amended with the FDPIC-recommended language. Swiss-resident data subjects benefit from the same rights and remedies as EU residents.
What happens to my data if I cancel?
On termination you choose between return and deletion of your personal data; we complete whichever you select within 30 days and provide a written deletion attestation on request. A short residual window applies to backup copies (typically up to 35 days, after which they age out) and to data we are legally required to retain (e.g. invoicing records).
Can I add a Joint Controller addendum?
If your use case involves us as a Joint Controller rather than a Processor - for example specific co-marketing arrangements - we can attach an Art. 26 Joint Controller addendum that sets out the allocation of responsibilities, the information to be made available to data subjects, and the single point of contact for data subjects.
Legal at CodeCourier

Got a contract question? We answer those too.
