DPA
Data Processing Agreement (DPA)
Effective Date: January 17, 2023
Last Updated: July 10, 2026
Parties: This Data Processing Agreement (“Agreement” or “DPA”) is entered into between CodeConda LLC, a U.S. limited liability company (“Processor”), and the customer or entity that has entered into an agreement for the use of Processor’s services (“Controller”).
This DPA forms part of the Terms of Service or other agreement (the “Main Agreement”) between the parties.
1. Purpose and Scope
1.1 The Processor provides certain software, hosting, translation, AI, and related digital services (“Services”) which may involve the processing of personal data on behalf of the Controller, as described in sections 1.4 and 1.5.
1.2 The Controller determines the purposes and means of processing personal data; the Processor processes such data only on the Controller’s documented instructions. The Main Agreement, this DPA, and the Controller’s configuration and use of the Services constitute the Controller’s documented instructions for the Processing of Personal Data, and any additional or different instructions must be agreed in writing.
1.3 This DPA governs all processing of personal data by the Processor on behalf of the Controller.
1.4 Applicability. This DPA applies only where the Processor processes personal data on behalf of the Controller in the context of a business or organizational customer relationship, that is, where the Controller uses the Services to process personal data relating to its own end users, customers, contacts, employees, website visitors, or other third parties, and determines the purposes and means of that processing. Whether this DPA applies is determined by this functional relationship and not by the particular Service used.
1.5 This DPA does not apply where the Services are used by an individual acting in a personal or consumer capacity, such that the individual is the data subject rather than a controller of other persons’ personal data. In that case, the processing of the individual’s personal data is governed by the Privacy Policy and the other relevant Terms rather than by this DPA. The absence of a data processing agreement for such use does not limit any rights the individual may have under relevant privacy rules or under the Privacy Policy.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Supervisory Authority” means an independent public authority responsible for monitoring the application of data protection rules.
- “Subprocessor” means any third party engaged by the Processor to process Personal Data.
- “GDPR” means the EU General Data Protection Regulation (Regulation (EU) 2016/679), and “UK GDPR” means that regulation as incorporated into the law of the United Kingdom.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
3. Details of Processing
The details of the processing carried out under this DPA are as follows:
- Subject matter: the provision of the Services by the Processor to the Controller.
- Duration: the term of the Main Agreement, plus any additional period during which retention is otherwise required.
- Nature and purpose: hosting, caching, proxying, translation, AI generation, analytics, debugging, performance monitoring, security, service continuity, and support, as necessary to provide the Services and to comply with binding obligations.
- Categories of Personal Data: account and identification data (such as name and email address), authentication data, billing and transaction metadata, usage and device data, IP addresses, and any Personal Data contained in the content, prompts, uploads, or files submitted to the Services by the Controller or its users.
- Categories of data subjects: the Controller’s authorized users and customers, and any individuals whose Personal Data is contained in content submitted to the Services.
4. Obligations of the Processor
The Processor shall:
- process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless otherwise required, in which case the Processor shall inform the Controller when possible before processing;
- ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain the appropriate technical and organizational measures described in this DPA;
- respect the conditions for engaging subprocessors set out in this DPA;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects seeking to exercise their rights, including rights of access, correction, deletion, and data portability;
- assist the Controller in ensuring compliance with its obligations relating to the security of processing, the notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities;
- at the Controller’s choice, delete or return all Personal Data after the end of the provision of the Services, unless retention is otherwise required; and
- make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
The Processor is not responsible for compliance with requirements that apply to the Controller’s industry or business operations.
5. Confidentiality
The Processor shall ensure that any personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory, and are granted access to Personal Data only as necessary to perform the Services.
6. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized processing and against accidental loss, destruction, damage, alteration, or disclosure, appropriate to the risk. Such measures may include access controls and least-privilege access, encryption of Personal Data in transit and, where appropriate, at rest, logging and monitoring, secure software development practices, regular backups, vendor and subprocessor due diligence, and incident response procedures.
7. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s Personal Data. Such notification shall include, as then available, the information reasonably necessary to assist the Controller in meeting its own obligations to notify supervisory authorities and affected data subjects.
8. Subprocessors
8.1 The Controller provides a general authorization for the Processor to engage subprocessors as reasonably necessary to provide the Services.
8.2 The Processor shall:
- impose data protection obligations on each subprocessor that are substantially similar to those set out in this DPA;
- remain responsible for the performance of each subprocessor’s obligations;
- maintain an up-to-date list of subprocessors, which the Processor will make available to the Controller on request submitted through our support page; and
- notify the Controller of any intended addition or replacement of a subprocessor, giving the Controller a reasonable opportunity to object on reasonable data protection grounds.
8.3 Current subprocessors may include cloud hosting providers (for example, Google Cloud, Amazon Web Services, Cloudflare, and Supabase), analytics and monitoring services, and email, support, and logging tools.
8.4 If the Controller reasonably objects to a new subprocessor and the parties are unable to resolve the objection, the Controller may terminate the affected Services.
9. International Data Transfers
9.1 The Controller acknowledges that the Processor may transfer Personal Data to the United States or any other country where the Processor or its subprocessors operate.
9.2 Where the Processor processes Personal Data subject to the GDPR and transfers it to a country that is not the subject of an adequacy decision, the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference and apply to such transfers.
9.3 For Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies. For Personal Data subject to Swiss law, the SCCs apply with the adjustments required by the Swiss Federal Act on Data Protection.
9.4 Where these clauses apply, they prevail over any conflicting term of this DPA with respect to the relevant transfer.
10. Audit and Information Rights
The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable prior notice, confidentiality obligations, reasonable frequency limits, and conduct that does not unduly disrupt the Processor’s operations. The Processor may satisfy such requests by providing relevant third-party certifications or audit reports where available.
11. Data Retention and Deletion
11.1 The Processor shall, at the Controller’s choice, delete or return all Personal Data after the end of the provision of Services, unless retention is otherwise required.
11.2 The Processor may retain anonymized or aggregated data for statistical or security purposes.
12. Liability
12.1 The Processor’s total aggregate liability under this DPA shall be limited to the amounts paid by the Controller under the Main Agreement in the three (3) months preceding the event giving rise to the claim.
12.2 The Controller agrees to indemnify and hold harmless the Processor against any claims, damages, or penalties arising from the Controller’s breach of data protection obligations or misuse of the Services.
12.3 Notwithstanding section 12.1, nothing in this DPA limits or excludes (a) any liability that must remain in effect, (b) the rights of Data Subjects, or any liability owed to them, under the Standard Contractual Clauses or relevant data protection rules, or (c) either party’s indemnification obligations under this DPA.
13. Content Responsibility
13.1 The Controller is solely responsible for the content, data, and materials submitted to or processed through the Services, including the accuracy, legality, and publication of any translated or generated outputs.
13.2 The Processor does not pre-screen, actively monitor, or systematically audit such content, and does not assume liability for it. For consumer and general use of the Services, additional terms regarding User Content appear in the Legal Disclaimers.
13.3 The Controller shall indemnify and hold the Processor harmless from any claims, damages, or losses arising from such content or its use.
13.4 The Controller represents and warrants that it has a proper basis for the Processing of Personal Data under this DPA, that it has provided all notices to and obtained all consents from Data Subjects required for such processing, and that its instructions to the Processor comply with its data protection obligations. The Controller is responsible for the accuracy, quality, and legality of the Personal Data it provides and the means by which it acquired that Personal Data.
14. United States State Privacy Laws
14.1 This section applies where the Processor processes personal information on behalf of the Controller that is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), or to other United States state privacy rules (for example, those of Virginia, Colorado, Connecticut, and Utah). Terms such as “business,” “service provider,” “sell,” “share,” and “personal information” have the meanings given to them under the CCPA and such other rules.
14.2 Where the CCPA applies, the Controller is the “business” and the Processor acts as a “service provider.” The Processor processes personal information only on behalf of the Controller and for the limited and specified business purposes of providing the Services and as otherwise allowed under the CCPA.
14.3 The Processor shall not: (a) sell or share personal information; (b) retain, use, or disclose personal information for any purpose other than the business purposes specified in the Main Agreement and this DPA, or as otherwise allowed under the CCPA, including outside the direct business relationship between the parties; or (c) combine personal information received from or on behalf of the Controller with personal information it receives from or on behalf of any third party, or collects from its own interaction with the Data Subject, except as allowed under the CCPA.
14.4 The Processor certifies that it understands the restrictions set out in this section and will comply with them. The Processor shall notify the Controller if it determines that it can no longer meet its obligations under relevant United States state privacy requirements.
15. Miscellaneous
15.1 This DPA does not grant either party ownership rights in the other’s data or intellectual property.
15.2 If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in effect.
15.3 In the event of conflict between this DPA and the Main Agreement, this DPA shall control solely with respect to data protection matters.
15.4 This DPA is governed by the laws of the State of Arizona, United States, and disputes shall be resolved exclusively in Arizona courts.
16. Contact Information
For privacy and data protection inquiries, including data subject and deletion requests, contact CodeConda LLC through our support page.