Data Processing Agreement
Version v1.0 — 2026-06-04
This Data Processing Agreement (“DPA”) is incorporated by reference into the Terms of Service. It governs the processing of Personal Data by RepoOps, Inc. on behalf of the Customer when Customer is the data controller. Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679).
1. Subject matter & duration
RepoOps processes Personal Data on behalf of Customer to provide the services described in the Terms (the hosted dashboard, billing, team management, opt-in telemetry rollup). Processing continues for the term of Customer’s subscription plus the 30-day deletion grace period.
2. Nature & purpose
Processing is limited to: authentication, billing, hosted team coordination, opt-in cross-repo telemetry rollup, audit log custody, transactional email, and incident response.
3. Categories of data subjects
Customer’s authorized end users (engineers using the desktop app bound to a Customer team).
4. Categories of Personal Data
- Identification: name, email, OAuth provider IDs.
- Authentication: session tokens, hashed device IDs.
- Billing: Stripe customer ID, plan, seat counts.
- Telemetry (Team/Cloud only, opt-in): redacted session metadata (model, tokens, cost, duration). Never prompts or completions.
- Audit: actor IDs, action names, timestamps.
5. RepoOps’ obligations
- Process Personal Data only on documented instructions from Customer (the Terms + this DPA constitute those instructions).
- Ensure persons authorized to process the data are subject to confidentiality.
- Implement the security measures described in our security overview: encryption in transit (TLS 1.2+), encryption at rest (provider-managed), least-privilege access, audit logging, vulnerability management.
- Notify Customer of any Personal Data breach without undue delay (and in any event within 72 hours).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
6. Sub-processors
Customer authorizes the following sub-processors. RepoOps will give at least 30 days’ notice (via this page) before adding or replacing a sub-processor; Customer may object on reasonable grounds before the change takes effect.
| Sub-processor | Purpose | Region |
|---|---|---|
| Neon | Postgres database hosting | US-East |
| Vercel | Application + edge hosting | Global |
| Stripe | Payments + subscription billing | US/EU |
| Resend | Transactional email | US |
| PostHog | Product analytics (opt-in via cookie banner) | US |
| Sentry | Server-side error reporting | US/EU |
| Anthropic | Claude API — BYOK, customer's own sub-processor on Solo tier | US |
7. International transfers
Where Personal Data of EU/UK data subjects is transferred to a country outside the EEA/UK that the European Commission / UK ICO has not deemed adequate, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914) Module Two (Controller to Processor) and the UK International Data Transfer Addendum, both with Annexes pre-filled by reference to the categories in this DPA.
8. Data subject rights assistance
RepoOps assists Customer with data subject requests via the self-service export and deletion endpoints. For requests Customer cannot fulfil via those endpoints, email support@repoops.ai; RepoOps responds within 5 business days.
9. Deletion & return
Within 30 days of termination, RepoOps deletes or returns all Personal Data, except where retention is required by law (e.g. US tax records).
10. Audits
RepoOps will respond to written security-questionnaire requests annually at no charge. On-site audits are available to Enterprise Customers under a separate engagement; reasonable expenses to be paid by Customer.
11. Signing
Enterprise Customers can request a counter-signed copy by emailing support@repoops.ai with their account ID. We’ll return a signed PDF within 3 business days.
See also: Terms of Service · Privacy Policy · Refund & cancellation policy.