Data Processing Agreement

1. Definitions

For the purposes of this DPA, the following definitions apply:

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
• "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Controller" means the entity that determines the purposes and means of the Processing of Personal Data (i.e., the Customer).
• "Processor" means the entity that processes Personal Data on behalf of the Controller (i.e., Qoil AI UG (haftungsbeschränkt)).

2. Subject Matter and Duration

2.1 Subject matter

The subject matter of the Processing is the provision of the GitQueue Service as described in the Agreement. The Processor will process Personal Data as necessary to provide the Service in accordance with the Controller's documented instructions.

2.2 Duration

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the provisions of Section 10 (Return and Deletion of Data) shall apply.

2.3 Nature and purpose of Processing

The nature and purpose of the Processing is the provision of PR merge queue orchestration services, including:

• Authentication and authorization via third-party SCM platforms
• Processing of repository metadata (PR titles, branch names, commit hashes, statuses)
• Managing merge queues and executing automated actions (merges, updates, comments)
• Processing of webhook notifications from connected platforms
• Providing audit logs and operational data for the Service

2.4 Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

• Controller's employees and contractors
• Users with access to Controller's repositories on connected SCM platforms
• Contributors to Controller's repositories (to the extent their information appears in PR/commit metadata)

2.5 Types of Personal Data

The types of Personal Data processed may include:

• Names and usernames
• Email addresses
• User identifiers from SCM platforms
• IP addresses (in access logs)
• Activity data (timestamps, actions taken within the Service)
• Content that may include Personal Data (PR titles, descriptions, comments)

3. Obligations of the Processor

3.1 Processing according to instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Controller's instructions are documented in (a) this DPA, (b) the Agreement, and (c) the Controller's configuration of the Service. The Controller may issue additional written instructions consistent with the terms of the Agreement.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

• Encryption of Personal Data in transit and at rest
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures
• Access controls and authentication mechanisms
• Logging and monitoring of processing activities

3.4 Assistance with Data Subject rights

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.

3.5 Assistance with compliance obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of Processing and the information available to the Processor.

4. Sub-processors

4.1 General authorization

The Controller provides general authorization for the Processor to engage Sub-processors, subject to the conditions in this Section.

4.2 Sub-processor obligations

Where the Processor engages a Sub-processor, the Processor shall:

• Impose data protection obligations on the Sub-processor that are at least as protective as those in this DPA
• Remain fully liable to the Controller for the performance of the Sub-processor's obligations

4.3 List of Sub-processors

The Controller may request a current list of Sub-processors by contacting [email protected].

4.4 Notification of changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes on reasonable grounds relating to data protection within 30 days of notification. If the Controller objects and the parties cannot resolve the matter, the Controller may terminate the Agreement with respect to those services that cannot be provided without the objected-to Sub-processor.

5. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") unless:

• The European Commission has decided that the third country ensures an adequate level of protection (Article 45 GDPR);
• Appropriate safeguards have been provided in accordance with Article 46 GDPR (e.g., EU Standard Contractual Clauses); or
• A derogation for specific situations applies under Article 49 GDPR.

Where transfers are based on Standard Contractual Clauses, the Processor shall provide a copy upon request.

6. Data Breach Notification

6.1 Notification to Controller

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed on behalf of the Controller.

6.2 Content of notification

The notification shall, to the extent possible, include:

• A description of the nature of the breach
• The categories and approximate number of Data Subjects and records concerned
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the breach
• A description of measures taken or proposed to address the breach

6.3 Assistance

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

7. Audit Rights

7.1 Information and audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

7.2 Audit procedures

Audits shall be conducted with reasonable advance notice (at least 30 days, unless a shorter period is required due to a regulatory investigation), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear its own costs for audits (unless the audit reveals a material breach by the Processor).

7.3 Certifications and reports

The Controller may satisfy its audit rights by reviewing certifications, attestations, or third-party audit reports that the Processor makes available, where such reports adequately address the Controller's audit requirements.

8. Obligations of the Controller

The Controller warrants that:

• It has the legal authority to provide Personal Data to the Processor and to instruct the Processor to process such data
• It has provided appropriate notices to Data Subjects and obtained necessary consents (where required) for the Processing
• Its instructions to the Processor will comply with applicable data protection laws
• It will comply with its obligations as a Controller under the GDPR

9. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any rights that Data Subjects may have under applicable data protection laws.

10. Return and Deletion of Data

10.1 Upon termination

Upon termination of the Agreement, and at the choice of the Controller (communicated in writing), the Processor shall delete or return all Personal Data to the Controller and delete existing copies unless Union or Member State law requires storage of the Personal Data.

10.2 Retention period

If the Controller does not communicate a choice within 30 days of termination, the Processor shall delete the Personal Data. The Processor may retain Personal Data to the extent required by applicable law, and such retained data shall remain subject to this DPA.

10.3 Certification

Upon request, the Processor shall provide written certification of deletion.

11. General Provisions

11.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

11.2 Amendments

This DPA may be amended only in writing (text form is sufficient) signed by both parties.

11.3 Governing law

This DPA shall be governed by the laws specified in the Agreement. For matters not covered by the Agreement, the laws of the Federal Republic of Germany shall apply.

12. Contact

For questions about this DPA or to exercise rights under this DPA, contact:

Qoil AI UG (haftungsbeschränkt)
Germany
Email: [email protected]