Data Processing Agreement (DPA)
Last Updated: January 2025
Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy when Anchorpipe processes personal data on behalf of enterprise customers ("Data Controllers") in the European Economic Area (EEA) or other jurisdictions requiring a DPA.
Definitions
- "Data Controller": The enterprise customer who determines the purposes and means of processing personal data
- "Data Processor": Anchorpipe, who processes personal data on behalf of the Data Controller
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on personal data (collection, storage, analysis, etc.)
- "Sub-processor": Third-party service providers engaged by Anchorpipe
Scope and Applicability
This DPA applies when:
- Anchorpipe processes personal data on behalf of an enterprise customer
- The processing involves personal data subject to GDPR, CCPA, or similar regulations
- The customer is a Data Controller under applicable data protection laws
Processing Details
Categories of Data Subjects
- Employees and contractors of the Data Controller
- End users whose test results are processed through Anchorpipe
- Repository collaborators and administrators
Types of Personal Data Processed
- Account Information: Email addresses, GitHub usernames, display names
- Repository Data: Repository names, commit information, test results
- Usage Data: CI/CD run metadata, test execution data
- Technical Data: IP addresses, device information, session data
Processing Purposes
- Test result analysis and reporting
- CI/CD integration and automation
- Service delivery and support
- Security and compliance monitoring
- Service improvement and analytics (with consent)
Processing Duration
Personal data is processed for the duration of the service agreement and retained according to our Retention Policy.
Data Controller Obligations
The Data Controller agrees to:
- Lawful Basis: Ensure they have a lawful basis for processing personal data
- Data Subject Rights: Handle data subject requests in accordance with applicable law
- Data Quality: Provide accurate and up-to-date personal data
- Instructions: Provide clear instructions for processing personal data
- Compliance: Comply with all applicable data protection laws
Data Processor Obligations
Anchorpipe agrees to:
Processing Requirements
- Process Only as Instructed: Process personal data only in accordance with documented instructions
- Confidentiality: Ensure persons authorized to process personal data are bound by confidentiality
- Security Measures: Implement appropriate technical and organizational security measures
- Sub-processors: Inform the Data Controller of any intended changes to sub-processors
- Assistance: Assist the Data Controller in responding to data subject requests
Security Measures
Anchorpipe implements the following security measures:
- Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Access Controls: Role-based access control (RBAC), authentication, and authorization
- Audit Logging: Comprehensive audit trails for all data access and modifications
- Security Scanning: Regular CodeQL, Dependabot, and Snyk security scans
- Incident Response: Security incident response plan and procedures
- Data Minimization: Collect and process only necessary personal data
Data Subject Rights
Anchorpipe will assist the Data Controller in responding to data subject requests:
- Access Requests: Provide access to personal data within 30 days
- Rectification: Correct inaccurate or incomplete data upon request
- Erasure: Delete personal data when requested (subject to legal retention requirements)
- Portability: Provide data in a structured, machine-readable format
- Objection: Cease processing when objected to (subject to legitimate interests)
Breach Notification
In the event of a personal data breach, Anchorpipe will:
- Notify Without Delay: Inform the Data Controller within 72 hours of becoming aware
- Provide Details: Include nature of breach, categories of data, likely consequences, and mitigation measures
- Assist Investigation: Cooperate with the Data Controller's investigation and remediation
Records and Audits
- Processing Records: Maintain records of processing activities as required by GDPR Article 30
- Audit Rights: Allow the Data Controller to audit compliance (with reasonable notice and confidentiality)
- Certifications: Provide evidence of security certifications and compliance audits
Sub-processors
Current Sub-processors
Anchorpipe may engage the following categories of sub-processors:
- Cloud Infrastructure: Hosting and infrastructure providers
- Database Services: Database hosting and management
- Monitoring and Analytics: Service monitoring and analytics (with appropriate safeguards)
- Support Services: Customer support and communication tools
Sub-processor Requirements
- Due Diligence: Anchorpipe will conduct due diligence on all sub-processors
- Contractual Safeguards: Sub-processors are bound by equivalent data protection obligations
- Notification: The Data Controller will be notified of new sub-processors (with a 30-day objection period)
- List Maintenance: Current sub-processor list available upon request
Right to Object
The Data Controller may object to new sub-processors. If an objection cannot be resolved, either party may terminate the service agreement.
International Data Transfers
Transfer Mechanisms
When personal data is transferred outside the EEA, Anchorpipe ensures appropriate safeguards:
- Standard Contractual Clauses: EU-approved Standard Contractual Clauses (SCCs)
- Adequacy Decisions: Transfers to countries with adequate data protection laws
- Binding Corporate Rules: Where applicable
- Other Approved Mechanisms: As recognized by applicable data protection authorities
Transfer Impact Assessment
Anchorpipe will provide a transfer impact assessment upon request, including:
- Description of the transfer
- Safeguards in place
- Assessment of risks
- Mitigation measures
Data Retention and Deletion
Retention Periods
Personal data is retained according to our Retention Policy:
- Active Accounts: Retained while the account is active
- Deleted Accounts: Personal data redacted within 30 days of deletion request
- Test Results: Retained for 30 days (configurable)
- Audit Logs: Retained for 2 years for compliance
Deletion Requirements
Upon termination of the service agreement or upon request:
- Return or Delete: Anchorpipe will return or delete all personal data
- Certification: Provide certification of deletion upon request
- Legal Retention: May retain data as required by law (with notification)
Liability and Indemnification
- Liability: Each party is liable for its own breaches of this DPA
- Limitation: Liability is limited as set forth in the Terms of Service
- Indemnification: Each party will indemnify the other for breaches of this DPA
Governing Law and Dispute Resolution
- Governing Law: This DPA is governed by the laws specified in the Terms of Service
- Dispute Resolution: Disputes will be resolved according to the Terms of Service
- Supervisory Authority: Data subjects may lodge complaints with their local supervisory authority
Changes to This DPA
Anchorpipe may update this DPA to reflect changes in:
- Applicable data protection laws
- Processing activities
- Security measures
- Sub-processors
Anchorpipe will notify the Data Controller of material changes with at least 30 days' notice.
Contact Information
For questions about this DPA or data processing:
- Data Protection Officer: dpo@anchorpipe.dev
- Privacy Inquiries: privacy@anchorpipe.dev
- Security Issues: security@anchorpipe.dev
Execution
This DPA is incorporated by reference into the Terms of Service and becomes effective upon:
- Execution of the service agreement, or
- First processing of personal data on behalf of the Data Controller
By using Anchorpipe's services, the Data Controller acknowledges and agrees to this DPA.
Effective Date: January 2025
Version: 1.0