1. Purpose and scope
This Data Processing Agreement applies when SafeCommit processes personal data on behalf of a customer in connection with SafeCommit services.
2. Roles of the parties
The customer is the controller of personal data processed in Customer Content. SafeCommit acts as processor and processes personal data only on behalf of the customer and according to documented instructions.
3. Subject matter and duration
The subject matter is the provision of SafeCommit services, including GitHub pull request analysis, privacy and AI data-leakage risk detection, PR comments, status checks, audit notes, and support. The duration is the term of the customer’s use of SafeCommit plus any retention period required for legal, security, or contractual purposes.
4. Nature and purpose of processing
SafeCommit processes data to analyze technical content for potential privacy engineering risks, provide findings, generate recommendations, maintain service security, troubleshoot issues, and improve service reliability.
5. Categories of personal data
SafeCommit does not intentionally collect personal data beyond what is necessary to analyze GitHub pull requests. Personal data may be processed when it appears inside Customer Content or related GitHub metadata, including:
- names, email addresses, IP addresses, user identifiers, customer IDs, or account IDs appearing in PR diffs or code snippets;
- support ticket content, log snippets, prompts, comments, or test data included in code changes;
- GitHub usernames or commit metadata associated with pull requests;
- other personal data accidentally or intentionally included in code, diffs, logs, prompts, tickets, or repository metadata.
6. Categories of data subjects
Data subjects may include the customer’s end users, employees, contractors, customers, prospects, support contacts, developers, and other individuals whose personal data appears in Customer Content.
7. Customer instructions
SafeCommit will process personal data only according to the customer’s documented instructions, including the agreement, product configuration, GitHub installation settings, and this DPA.
8. Confidentiality
SafeCommit will ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations.
9. Security measures
- access controls and least-privilege access;
- encryption in transit and at rest where appropriate;
- logging and monitoring of administrative access;
- limited retention of Customer Content;
- source-code processing limited to PR diffs or relevant snippets by default;
- secure development practices;
- incident response procedures;
- subprocessor review and contractual protections.
10. Subprocessors
The customer authorizes SafeCommit to use subprocessors necessary to provide the service, including hosting, storage, GitHub integration, security monitoring, and AI-assisted analysis providers. SafeCommit will impose data protection obligations on subprocessors that are substantially similar to those in this DPA.
11. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, SafeCommit will use appropriate transfer mechanisms, such as Standard Contractual Clauses, UK Addendum, adequacy decisions, or other lawful mechanisms.
12. Data subject requests
SafeCommit will reasonably assist the customer in responding to data subject requests where required and where the customer cannot reasonably fulfill the request without SafeCommit’s assistance.
13. Personal data breach
SafeCommit will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Content, including information reasonably available to help the customer meet legal obligations.
14. Deletion and return
Upon termination, SafeCommit will delete or return personal data in accordance with the agreement, unless retention is required by law or legitimate business purposes such as security, billing, or dispute resolution.
15. Customer responsibilities
The customer is responsible for ensuring that it has a lawful basis to submit Customer Content to SafeCommit and that Customer Content is appropriate for processing through the service.