Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Veriva Terms of Service and governs Veriva's processing of personal data on behalf of customers (“Controller”) in connection with the Service.

For repository content (pull request diffs, commit metadata, source code analyzed during a run), Veriva acts as a data processor; the customer is the data controller. For account metadata of individual users (email, GitHub identity, role within an organization), Veriva acts as an independent controller.

Veriva processes personal data for the purpose of providing the Service described in the Terms of Service. Processing continues for the duration of the customer's subscription, plus the retention windows described in our Privacy Policy.

• Data subjects: the customer's employees, contractors, and any pull request authors whose contributions are analyzed.
• Categories of personal data: identifiers (GitHub user IDs, usernames, emails), professional information (organization membership, role), and any personal data incidentally present in repository content (commit messages, code comments, file contents).

Veriva will:

• Process personal data only on documented instructions from the customer
• Ensure all personnel with access are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures, including encryption in transit and at rest, PostgreSQL Row-Level Security, audit logging, and the principle of least privilege for employee access
• Notify the customer without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach affecting customer data
• Assist the customer in meeting its obligations under applicable data protection law (DPIAs, prior consultation, data subject requests)
• Delete or return all personal data at the end of the engagement, except where retention is required by law
• Make available the information necessary to demonstrate compliance with this DPA and contribute to audits

The current list of sub-processors is published in our Privacy Policy. The customer authorizes Veriva to engage these sub-processors. Veriva will:

• Provide at least 30 days' notice of any new or replacement sub-processor that materially affects personal data processing, via the Service dashboard or email
• Bind each sub-processor by a written agreement with data protection obligations no less protective than this DPA
• Remain fully liable for sub-processor performance

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries, the parties rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor), the UK International Data Transfer Addendum, and (where applicable) sub-processor certification under the EU-US Data Privacy Framework.

Veriva will, taking into account the nature of processing, assist the customer with appropriate technical and organizational measures, insofar as possible, to fulfill the customer's obligation to respond to data subject requests under applicable law. The Service includes self-service data export and deletion features that enable the customer to fulfill most data subject requests directly.

On reasonable prior notice (at least 30 days, except in case of regulator order or confirmed breach), Veriva will make available to the customer all information necessary to demonstrate compliance with this DPA. The customer may conduct audits no more than once per year, at the customer's expense, subject to confidentiality obligations and reasonable scoping. Veriva may satisfy audit obligations by providing copies of third-party audit reports (e.g., SOC 2 Type II once available).

This DPA is effective for as long as Veriva processes personal data on behalf of the customer under the Terms of Service. On termination, Veriva will delete or return customer personal data in accordance with the Privacy Policy retention schedule, except where retention is required by law (e.g., billing records under tax law).

A signed PDF copy of this DPA, with customer-specific schedules (sub-processor list, contact information, technical and organizational measures), is available on request to legal@veriva.dev. For enterprise customers, we counter-sign a customer-supplied DPA where the substance is materially equivalent to this template.