data processing agreement.
v1-2026-04-19
Public summary. Canonical, executable master in /legal/dpa-v1-2026-04-19.md — based on EU Commission Standard Contractual Clauses, Decision 2021/914, Module 2 (Controller-to-Processor). Acceptance is logged when you connect your first private repository.
1. roles
Customer is the Controller of any personal data contained in their Repository (typically data about their end-users). VCEye is the Processor. VCEye sub-contracts processing activities to the sub-processors listed at /legal/subprocessors.
2. subject matter, nature & purpose
Automated and AI-assisted production-readiness analysis of Customer Repositories under the VCEye Plan (subscription): static scanning, AI-generated remediation diffs delivered as Pull Requests, continuous re-scan on push, and an AI Concierge for product questions. No marketing or profiling of end-users.
3. duration
Processing runs for the duration of the service contract and for the retention periods disclosed in the privacy policy. Post-cancellation purge within 30 days, subject to legal retention of invoices.
4. data categories and subjects
- Data subjects: end-users of the Customer's app whose data may be present in source-controlled fixtures, migrations, seed data or logs.
- Data categories: identifiers (emails, usernames), technical metadata (IP, user-agent in fixtures), authentication artefacts (hashes). Customer warrants that no special categories of data (Art. 9 GDPR) and no data of minors are present.
5. sub-processors & objection
VCEye notifies the Customer of any new sub-processor with at least 30 days' notice. The Customer may object on reasonable grounds; if unresolved, the Customer may terminate the affected service with pro-rata refund of prepaid amounts.
6. international transfers
Transfers to the US (Anthropic, OpenRouter, HeyGen) happen under the 2021 EU Standard Contractual Clauses incorporated by reference. Transfer Impact Assessment (TIA) performed; summary available on request.
7. security (Annex II summary)
- Encryption at rest and in transit.
- Row-Level Security on every tenant-scoped table.
- MFA for administrative access; audit logs kept 90 days.
- Ephemeral scan sandbox; source code cleared from memory after scan.
- Webhook signature verification (HMAC).
- Incident response playbook; ≤72h breach notification per Art. 33 GDPR.
8. data subject rights assistance
VCEye assists the Customer in responding to data subject requests received by the Customer as Controller. Standard requests are handled at no extra cost; large-volume requests may be billed at time and materials.
9. audit rights
Audits may be conducted once per year, with 30 days' notice, under mutual NDA and at the Customer's cost. Vendor staff time is capped at EUR 3,000 per audit round. SOC 2 / ISO 27001 reports from sub-processors satisfy the audit requirement for those layers.
10. termination
Upon termination, VCEye deletes or returns Customer personal data within 30 days, subject to mandatory retention (invoices, tax records). Anonymous aggregate statistics (health score distribution) may be retained for product improvement.
11. version and review status
Version v1-2026-04-19. AI-drafted. Formal review by EU-qualified counsel is triggered at 3+ paid Customers or at the first enterprise Customer request.