SYSTEM OPERATIONAL
v0.1.0-beta
Legal

Data Processing Agreement

Between DriftGuard (Processor) and Customer (Controller). Compliant with GDPR Art. 28.

1. Definitions

"Controller" means the customer entity that determines the purposes and means of processing personal data. "Processor" means UP2CLOUD Lda., operating DriftGuard. "Personal Data" has the meaning given in Article 4(1) GDPR. "Processing" has the meaning given in Article 4(2) GDPR.

2. Subject matter and duration

This DPA governs the processing of Personal Data by DriftGuard on behalf of the Controller for the purpose of providing the DriftGuard Terraform PR review service. The DPA remains in effect for the duration of the service agreement and terminates automatically upon termination of that agreement.

3. Nature and purpose of processing

DriftGuard processes: (a) GitHub repository metadata (repository name, PR number, commit SHA, author login); (b) Terraform plan output; (c) Infracost analysis output. Processing is performed solely to deliver the PR review service. DriftGuard does not process end-user personal data, payment card data, or health data.

4. Categories of data subjects

Engineers and automated agents whose GitHub identities (username, email) appear in PR metadata submitted to DriftGuard for review.

5. Obligations of the Processor

DriftGuard shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure that persons authorised to process Personal Data have committed to confidentiality; (c) implement appropriate technical and organisational measures per Article 32 GDPR; (d) not engage sub-processors without prior written consent of the Controller; (e) assist the Controller in responding to data subject rights requests; (f) delete or return all Personal Data upon termination of services.

6. Sub-processors

Current sub-processors are listed at driftguard.io/subprocessors. DriftGuard will notify Controllers of any intended changes at least 30 days before the change takes effect.

7. Data transfers

All Personal Data is stored in the European Economic Area (GCP EU-WEST-1, GCP EU-CENTRAL-1). No transfers to third countries occur without appropriate safeguards pursuant to Chapter V GDPR.

8. Security measures

DriftGuard implements: AES-256 encryption at rest; TLS 1.3 in transit; access control limited to authorised personnel; regular security testing; incident response procedures with 72-hour breach notification to supervisory authority.

9. Audit rights

The Controller may audit DriftGuard's compliance with this DPA once per year upon 30 days' written notice, or at any time following a confirmed security incident. Audits are conducted at the Controller's expense.

10. Governing law

This DPA is governed by the laws of Portugal and the mandatory provisions of EU Regulation 2016/679 (GDPR).

To execute a signed DPA, contact legal@driftguard.io. Enterprise customers receive a countersigned PDF within 2 business days.