CodeElevate

Version 1.0 — Last updated: March 2025

Incorporated by reference into the CodeElevate Terms of Service

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between CodeElevate (“Processor”) and the Customer (“Controller”) and governs the processing of Personal Data by CodeElevate on behalf of the Customer. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data.

This DPA applies automatically where CodeElevate processes personal data on behalf of Customer as required under applicable data protection law. No separate signature is required for the DPA to take effect — it is incorporated into the Terms of Service by reference.

1. Definitions

Applicable Data Protection Law means, as applicable: (a) the EU General Data Protection Regulation (2016/679) (“GDPR”); (b) the UK GDPR as retained under the European Union (Withdrawal) Act 2018; (c) any implementing national legislation; and (d) any other data protection legislation applicable to the processing activities described herein.

Customer Data means any Personal Data that the Customer, or any authorized user acting on the Customer's behalf, submits to or through the Service in the course of using the CodeElevate platform.

Personal Data has the meaning given to it under Applicable Data Protection Law.

Processing and cognate terms have the meaning given under Applicable Data Protection Law.

Security Incident means any confirmed unauthorized access to, or unauthorized disclosure, loss, or destruction of, Customer Data.

Standard Contractual Clauses or SCCs means the standard contractual clauses for international transfers of personal data adopted by the European Commission or, for UK transfers, the International Data Transfer Addendum issued by the ICO.

Subprocessor means any third party engaged by CodeElevate to process Customer Data in connection with the Service.

2. Roles of the parties

The Customer acts as Controller and CodeElevate acts as Processor in respect of Customer Data processed under this DPA. Each party will comply with its obligations under Applicable Data Protection Law in its respective capacity.

3. Scope of processing

CodeElevate processes Customer Data solely to the extent necessary to provide the Service as described in the Terms of Service and as further specified in this DPA. CodeElevate operates in a read-only capacity with respect to Customer repositories. CodeElevate does not process Customer Data for any purpose independent of the Service without Customer's prior written instruction, except where required by applicable law.

4. Duration of processing

CodeElevate will process Customer Data for the duration of the Customer's subscription or access period, or such shorter period as may be agreed or required by applicable law. Upon termination or expiry of the Terms of Service, CodeElevate will cease processing Customer Data in accordance with Section 14 of this DPA.

5. Nature and purpose of processing

Nature: Read-only access to Customer's code repositories for the purpose of structural analysis; storage of analysis findings and run metadata; transmission of findings to Customer.

Purpose: To provide automated structural code analysis services as described in the Terms of Service.

CodeElevate does not retain raw source files beyond what is necessary to complete a given analysis run. Findings and run metadata are retained per the Customer's account and plan settings.

6. Categories of data subjects

Data subjects whose Personal Data may be processed under this DPA include: employees, contractors, and authorized users of the Customer who contribute to or are identified within the Customer's code repositories — for example, in commit history, code comments, or repository metadata.

7. Types of personal data

Personal Data processed may include: names, email addresses, usernames, and other identifiers associated with code contributors, where such data appears in or is associated with the Customer's repository data or account information.

CodeElevate does not intentionally collect or process special category personal data. The Customer is responsible for ensuring that no special category data is submitted to the Service without a lawful basis.

8. Customer obligations

The Customer represents and warrants that:

  • It has a lawful basis for providing Customer Data to CodeElevate and instructing processing under this DPA
  • It has provided all required notices to, and obtained all required consents from, data subjects whose Personal Data is included in Customer Data, to the extent required under Applicable Data Protection Law
  • Its instructions to CodeElevate regarding processing of Customer Data comply with Applicable Data Protection Law
  • It will only connect repositories it owns or is lawfully authorized to submit for analysis

9. CodeElevate obligations

CodeElevate will:

  • Process on documented instructions only. CodeElevate will process Customer Data only in accordance with the Customer's documented instructions, including as set out in this DPA and the Terms of Service. CodeElevate will promptly notify the Customer if it believes an instruction infringes Applicable Data Protection Law.
  • Maintain confidentiality. CodeElevate will ensure that persons authorized to process Customer Data are subject to appropriate confidentiality obligations.
  • Implement security measures. CodeElevate will implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. CodeElevate does not warrant that these measures will prevent every Security Incident, but will apply measures appropriate to the risks presented by the processing activities described in this DPA.
  • Assist with data subject rights. CodeElevate will provide reasonable assistance to the Customer in responding to data subject rights requests under Applicable Data Protection Law, to the extent that CodeElevate holds or controls the relevant Customer Data.
  • Assist with compliance obligations. CodeElevate will provide reasonable cooperation to assist the Customer in meeting its obligations under Applicable Data Protection Law in connection with the processing activities described in this DPA, including in relation to data protection impact assessments where required.

10. Subprocessors

General authorization. The Customer provides a general authorization for CodeElevate to engage Subprocessors, subject to the requirements of this Section. CodeElevate maintains a current list of Subprocessors at codeelevate.dev/subprocessors.

New Subprocessors. CodeElevate will provide the Customer with at least thirty (30) days' prior written notice before engaging any new Subprocessor that will process Customer Data.

Right to object. The Customer may object to the engagement of a new Subprocessor on reasonable data protection grounds by written notice within fourteen (14) days of receiving notification. If CodeElevate cannot accommodate the objection without material operational impact, the Customer may terminate the affected Services without penalty on written notice, within thirty (30) days of CodeElevate's written confirmation that the objection cannot be accommodated.

Flow-down. CodeElevate will impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA. CodeElevate remains liable to the Customer for the acts and omissions of its Subprocessors to the extent CodeElevate would be liable under this DPA.

11. International data transfers

CodeElevate will not transfer Customer Data to a country outside the European Economic Area or the United Kingdom, or to an international organization, unless an appropriate transfer mechanism is in place under Applicable Data Protection Law, including:

  • A decision by the relevant supervisory authority that the destination country provides an adequate level of protection; or
  • Standard Contractual Clauses, incorporated by reference into this DPA and available upon request.

Where SCCs apply, the parties agree that the SCCs form part of this DPA and are incorporated by reference. In the event of conflict between the SCCs and this DPA, the SCCs will prevail with respect to international transfers.

12. Data subject rights assistance

CodeElevate will promptly notify the Customer of any data subject request received by CodeElevate relating to Customer Data. CodeElevate will not respond to such requests on behalf of the Customer without the Customer's prior written instruction, except where required to do so by applicable law.

CodeElevate will provide reasonable technical and organizational assistance to enable the Customer to respond to data subject requests within applicable legal timeframes.

13. Security incident notification

In the event of a confirmed Security Incident affecting Customer Data, CodeElevate will:

  • Notify the Customer without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the Incident
  • Provide the Customer with sufficient information to enable the Customer to meet its own notification obligations under Applicable Data Protection Law — including the nature of the Incident, categories of data affected, approximate number of data subjects affected where known, likely consequences, and measures taken or proposed to address the Incident
  • Cooperate with the Customer and provide reasonable assistance in relation to any required notifications to supervisory authorities or data subjects

CodeElevate's notification obligations do not constitute an acknowledgment of fault or liability.

14. Data retention and deletion

Upon termination or expiry of the Terms of Service, or upon written request from the Customer:

  • CodeElevate will make Customer Data available for export in a machine-readable format for a period of thirty (30) days following the date of termination or request
  • Following expiry of that export period, CodeElevate will securely delete or render irrecoverable all Customer Data within a further thirty (30) days, except to the extent that retention is required by applicable law
  • Upon Customer's written request, CodeElevate will provide a written certification confirming that deletion has been completed

Aggregated, de-identified analytical data that does not constitute Personal Data and cannot be used to identify the Customer or its data subjects may be retained beyond this period.

15. Audits and information rights

Information requests. CodeElevate will make available to the Customer, upon reasonable written notice, information reasonably necessary to demonstrate compliance with this DPA.

Audit rights. No more than once per calendar year (unless a Security Incident has occurred), the Customer may, at its own cost and with at least thirty (30) days' prior written notice, conduct or commission a third-party audit of CodeElevate's processing activities under this DPA. Audits must be conducted during normal business hours, must not unreasonably disrupt CodeElevate's operations, and must be subject to a confidentiality agreement acceptable to CodeElevate.

Certifications. Where CodeElevate holds relevant security certifications, CodeElevate will make summary reports or certifications available to the Customer in lieu of a direct audit, where this is sufficient to demonstrate compliance.

16. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, including the limitation of liability in Section 10 of the Terms. Nothing in this DPA limits liability that cannot be excluded or limited under Applicable Data Protection Law.

17. Governing law

This DPA is governed by the laws of the State of California, United States, consistent with the governing law provisions in the CodeElevate Terms of Service.

18. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the subject matter of data protection. In the event of conflict between this DPA and any applicable Standard Contractual Clauses, the SCCs prevail with respect to international transfers of Personal Data.

19. Contact

For questions about this DPA, data protection obligations, or to request a countersigned copy for your records, contact contact@codeelevate.dev.

This DPA is incorporated by reference into the CodeElevate Terms of Service and applies automatically where required under applicable data protection law. It is subject to change as the platform develops and as data protection law evolves. The version number and date at the top of this page reflect the most recent revision.

© 2026 CodeElevate