1. Purpose and scope
This Data Processing Agreement applies when SafeCommit processes personal data on behalf of a customer in connection with SafeCommit services.
2. Roles of the parties
The customer is the controller of personal data processed in Customer Content. SafeCommit acts as processor and processes personal data according to documented customer instructions.
3. Subject matter and duration
The subject matter is the provision of SafeCommit services, including pull request and release risk analysis, workflow signal processing, risk recommendations, audit logs, governance records, and support. The duration is the term of the customer’s use of SafeCommit plus any legally or contractually required retention period.
4. Nature and purpose of processing
SafeCommit processes data to detect operational blast radius, hidden dependencies, validation weakness, deployment timing risk, incident correlation, rollback history, subsystem instability, and other risk signals before production changes are released.
5. Categories of personal data
- names, email addresses, usernames, IDs, or commit metadata appearing in engineering systems;
- ticket, incident, pull request, review, deployment, and audit metadata;
- personal data accidentally or intentionally included in code, diffs, logs, prompts, tickets, or repository metadata.
6. Categories of data subjects
Data subjects may include the customer’s employees, contractors, end users, customers, support contacts, developers, and other individuals whose personal data appears in Customer Content.
7. Customer instructions
SafeCommit will process personal data only according to the customer’s documented instructions, including the agreement, product configuration, integration settings, and this DPA.
8. Confidentiality
SafeCommit will ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations.
9. Security measures
- access controls and least-privilege access;
- encryption in transit and at rest where appropriate;
- logging and monitoring of administrative access;
- limited retention of Customer Content;
- source-code processing limited to relevant diffs or snippets by default;
- secure development and incident response practices;
- subprocessor review and contractual protections.
10. Subprocessors
Customer authorizes SafeCommit to use subprocessors necessary to provide the service, including hosting, storage, engineering-system integrations, security monitoring, and AI-assisted analysis providers. SafeCommit will impose data protection obligations on subprocessors that are substantially similar to those in this DPA.
11. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, SafeCommit will use appropriate transfer mechanisms such as Standard Contractual Clauses, the UK Addendum, adequacy decisions, or other lawful mechanisms.
12. Data subject requests
SafeCommit will reasonably assist the customer in responding to data subject requests where required and where the customer cannot reasonably fulfill the request without SafeCommit’s assistance.
13. Personal data breach
SafeCommit will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Content.
14. Deletion and return
Upon termination, SafeCommit will delete or return personal data in accordance with the agreement, unless retention is required by law or legitimate business purposes such as security, billing, or dispute resolution.