This Data Processing Addendum ("DPA") forms part of the Terms of Service between docs-keeper Inc. ("Processor") and the customer ("Controller"). It governs the processing of personal data carried out by docs-keeper on the Controller's behalf and reflects the requirements of the GDPR and UK GDPR. A countersigned copy is available to paid customers on request at [email protected].
1. Roles
The Controller determines the purposes and means of processing. docs-keeper acts as Processor and processes personal data only on documented instructions from the Controller, namely the operation of the Service as described in our Privacy Policy.
2. Nature and purpose of processing
We process: GitHub account identifiers, email addresses, repository and pull-request metadata, run metadata, and generated documentation diffs. The purpose is to detect merged pull requests, draft documentation changes, and open follow-up pull requests. We do not persist your full source code, and your repositories are never used to train models.
3. Sub-processors
The Controller authorizes the use of the following sub-processors, each bound by data-protection terms no less protective than this DPA:
- Supabase (PostgreSQL database hosting)
- Vercel (application hosting + edge network)
- OpenRouter (LLM gateway / inference routing)
- Voyage AI (code embeddings)
- Cohere (reranking)
- Lemon Squeezy (merchant of record / billing)
- Resend (transactional email)
- Upstash (Redis / queueing)
- Sentry (error monitoring)
We'll give at least 30 days' notice before adding or replacing a sub-processor, and you may object on reasonable data-protection grounds.
4. Security
We implement appropriate technical and organizational measures, including encryption in transit (TLS) and at rest, least-privilege access controls, signed-webhook verification, audit logging, and per-organization spend and rate isolation. Details are summarized on our Security page.
5. International transfers
Where personal data is transferred outside the EEA or UK, the transfer is governed by the European Commission's Standard Contractual Clauses (and the UK Addendum), incorporated here by reference.
6. Data-subject requests & assistance
We'll assist the Controller in responding to data-subject requests and, taking into account the nature of processing, in meeting obligations around security, breach notification, and data-protection impact assessments. We notify the Controller without undue delay after becoming aware of a personal-data breach.
7. Deletion
On termination, or on Controller request, we delete or return personal data within 30 days except where retention is required by law. Account deletion is available self-serve; a daily task hard-deletes soft-deleted records older than 30 days.
8. Audits
We make available information necessary to demonstrate compliance and allow for audits on reasonable notice, subject to confidentiality. Contact [email protected].