Data Processing Agreement

1. Parties

CodeDig acts as data processor; you (the customer) act as data controller. The DPA covers all Team, Business, and Enterprise customers.

2. Subject matter and duration

CodeDig processes personal data solely to provide its pull-request analysis service for the duration of your subscription. After subscription end we retain data for up to 30 days for inactive accounts before deletion. Data deletion may be requested at any time under GDPR Article 17 and is supported via Settings → Compliance in the product.

3. Categories of personal data processed

• Account data (name, work email, authentication identifiers)
• Billing email and subscription records
• Repository metadata (repository names, pull request payloads, file paths)
• Code snippets submitted to LLM providers for analysis

CodeDig does not process customer credentials or payment-card data — payment processing is handled exclusively by Stripe.

4. Categories of data subjects

Customer employees and collaborators who hold CodeDig accounts, and repository contributors whose names or email addresses appear in code or commit metadata submitted to the service.

5. Subprocessors

We maintain a complete, up-to-date list of third-party subprocessors at /subprocessors. We provide at least 30 days' written notice before adding a new subprocessor, except where a change is required urgently for security reasons.

6. International transfers

Most data resides in the United States (Fly.io IAD region and Neon US). For EU-origin personal data we rely on Standard Contractual Clauses (SCCs) executed with US-based subprocessors. EU data-residency options are available for Enterprise customers on request.

7. Security measures

Full details are available at /security-overview. In summary: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, MFA enforcement, audit logs, and SAML/OIDC/LDAP SSO for Enterprise customers.

8. Data subject rights

We support access, export (CSV), and deletion of personal data via Settings → Compliance in the product. Rights requests routed to security@codedig.ai receive a response within one business day.

9. Breach notification

We notify affected customers within 72 hours of discovery of any personal data breach, via email to the primary contact and a status-page incident. Notifications include the nature of the incident, data categories affected, and remediation steps taken or planned.

10. Audit rights

Enterprise customers may request our current SOC 2 Type II report (currently in audit, target Q3 2026) under NDA, and we will respond to one CAIQ or SIG questionnaire per year within 5 business days. Reasonable on-site audits may be coordinated with at least 30 days' notice for large engagements.

11. Term and termination

DPA obligations apply for the duration of your subscription plus the 30-day post-termination retention period. You may request immediate deletion of all personal data at any time via Settings → Compliance or by emailing security@codedig.ai.