Data Processing Agreement (DPA)

Last updated: August 7, 2025

This Data Processing Agreement (“Agreement”) is made between: Customer (the “Controller”) and PullRule (the “Processor”). Together, they are referred to as the “Parties”.


  1. Subject Matter

    This DPA governs the Processing of Personal Data by PullRule on behalf of the Controller in connection with the use of the PullRule SaaS platform (the “Service”).

  2. Definitions

    1. Personal Data, Processing, Data Subject, Controller, and Processor have the meanings given in the General Data Protection Regulation (GDPR) (EU 2016/679).
    2. Sub-processor means a third party engaged by the Processor to assist in Processing Personal Data.
  3. Purpose and Scope

    The Processor shall Process Personal Data only:

    1. As necessary to provide the Service,
    2. As instructed by the Controller,
    3. In compliance with applicable laws.

    Categories of Data Subjects:

    1. Controller’s users, collaborators, and administrators

    Types of Personal Data:

    1. Names, email addresses, profile pictures, pull request metadata, authentication identifiers
  4. Processor Obligations

    The Processor shall:

    1. Process Personal Data solely on documented instructions from the Controller
    2. Ensure confidentiality, integrity, and availability of Personal Data
    3. Implement appropriate technical and organizational security measures
    4. Ensure employees and contractors are bound by confidentiality
    5. Assist the Controller in responding to data subject requests
    6. Assist with security impact assessments and breach notifications
    7. Return or delete data at termination of the agreement
    8. Make available information necessary to demonstrate compliance with this DPA
  5. Sub-processing

    The Controller authorizes the Processor to use the following Sub-processors:

    | Sub-Processor | Purpose | Location |
    | --- | --- | --- |
    | GitHub | PR metadata sync | EU/US |
    | Bitbucket | PR metadata sync | EU/US |
    | Google | Authentication | EU/US |
    | Stripe | Payment processing | EU/US |
    | Cloud hosting (e.g. Vercel, Fly.io, etc.) | Infrastructure | EU or GDPR-compliant |

    Processor will inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.

  6. International Transfers

    If Personal Data is transferred outside the EEA, the Processor shall ensure that:

    1. Transfers are to countries with adequate protection under GDPR, or
    2. Standard Contractual Clauses (SCCs) or other valid mechanisms are in place
  7. Data Subject Rights

    Processor will:

    1. Promptly inform the Controller of any data subject requests
    2. Assist the Controller in fulfilling requests under GDPR Articles 12–23
  8. Security

    Processor shall implement appropriate technical and organizational measures, including:

    1. Encryption in transit and at rest
    2. Access control and audit logging
    3. Regular vulnerability assessments
    4. Backup and recovery procedures
  9. Personal Data Breaches

    In case of a breach involving Personal Data, the Processor shall:

    1. Notify the Controller without undue delay (no later than 48 hours)
    2. Provide all relevant breach details and remediation steps
    3. Cooperate fully in breach investigation and notification efforts
  10. Duration & Termination

    This DPA remains in effect as long as the Processor Processes Personal Data on behalf of the Controller. Upon termination of the main agreement:

    1. Processor shall, at Controller’s choice, delete or return all Personal Data
    2. Backups will be deleted within 90 days unless otherwise required by law
  11. Governing Law and Jurisdiction

    This DPA shall be governed by the laws of the Netherlands. Disputes shall be subject to the exclusive jurisdiction of the courts of Amsterdam, Netherlands.

  12. Contact

    PullRule legal@pullrule.com
