Legal — GDPR Art. 28

Data Processing Agreement

Standard terms, version 2026-06-05.

Draft — pending legal review. For a countersigned copy naming your organisation, contact us. This DPA supplements the Terms of Service and is governed by Regulation (EU) 2016/679 (GDPR), Art. 28.

1. Parties & roles

Processor: Canine Development, Denmark (see the imprint).
Controller: the customer accepting the Terms of Service.
The processor processes personal data only on the controller's documented instructions: connecting a repository, choosing a cadence, and requesting scans constitute those instructions.

2. Subject matter, nature & purpose

Automated analysis of source repositories the controller connects, producing engineering-health reports and metrics. Processing consists of: temporary cloning, static and model-assisted analysis, report generation, storage of reports/metrics, and deletion of the working copy after each scan (see Security & data handling for the verifiable lifecycle).

3. Categories of data & data subjects

  • Account data: GitHub identity (login, display name, email) of the controller's users. Data subjects: the controller's personnel who sign in.
  • Repository data: source code and git metadata (author names/emails in commit history) that may incidentally contain personal data. Data subjects: contributors to the controller's repositories and any individuals incidentally referenced in the code base.
  • Derived data: reports, metrics and findings; these may quote small code excerpts and git authorship (e.g. ownership/bus-factor analysis).

4. Duration & deletion

  • Working copies (clones / uploaded archives) are deleted at the end of every scan, including failed scans.
  • Reports and metrics are retained while the repository remains connected, so trends stay meaningful.
  • On disconnection of a repository or termination of the account, stored reports and metrics for it are deleted within 30 days of a deletion request via our contact form.
  • Self-service account closure. You can close your account from Profile & settings → Close account. Deletion is reversible for a 14-day grace period, after which it is permanent: your personal data and Keycloak login are erased, your repositories' reports and source-derived artifacts are purged, and a repository whose last connected account was yours has its identity stripped (owner/name removed). We do not touch your GitHub/GitLab account or app installation — you revoke those with the provider.
  • Retained after erasure, on a separate legal basis: invoices and billing records (bookkeeping obligation); an identity-free record that a repository was previously scanned (to prevent repeated free-scan abuse); and anonymised, non-identifying aggregate scores used for peer benchmarking. Signed compliance attestations are kept as immutable records with the signer's account link removed.

5. Technical & organisational measures

  • All processing on hardware owned and operated by the processor, located in Denmark (EU) — no cloud compute or storage; the language model used in analysis is self-hosted.
  • TLS for all public transport; internal services bound to internal interfaces behind a host firewall.
  • OIDC authentication (self-hosted Keycloak brokering GitHub); no local password store.
  • Repository-level authorisation mirroring GitHub, re-synchronised daily (revocation within 24h).
  • Read-only source access (GitHub App: Contents + Metadata, read-only).
  • Access to production limited to the processor's operator; no further personnel.

6. Subprocessors

The controller authorises the subprocessors listed at /security#subprocessors (currently: GitHub, Inc. — source hosting and identity, a relationship the controller already holds; Stripe, Inc. — payments, once billing activates). The processor notifies account owners by email before adding a subprocessor; the controller may object on reasonable data-protection grounds, in which case the remedy is termination with a pro-rata refund.

7. Confidentiality, integrity, availability

The processor treats repository contents as the controller's confidential information, processes them solely to provide the service, and does not use them to train models — its own or anyone else's. Public publication of a report happens only per the Terms (open-source auto-publish on the free plan; explicit opt-in otherwise).

8. Assistance & breach notification

The processor assists the controller with data-subject requests and Art. 32–36 obligations to the extent the processing allows, and notifies the controller's account email without undue delay and within 72 hours of becoming aware of a personal-data breach affecting the controller's data.

9. Audit

The processor makes available the information reasonably necessary to demonstrate Art. 28 compliance — starting with the verifiable claims on the security page — and permits audits by the controller or its mandated auditor, at reasonable notice and frequency, at the controller's cost.

10. International transfers

The processor's own processing happens in Denmark (EU). GitHub-hosted repositories remain subject to the controller's own agreement with GitHub, Inc. (USA); the processor only reads from that existing location. No other transfers outside the EU/EEA take place.