Data Processing Agreement

Effective date: April 24, 2026

Version 1.0

A signable Word-format copy is available on request from [email protected]. Enterprise customers on annual plans may execute this DPA as a stand-alone agreement; otherwise the terms below are incorporated into our Terms of Service.

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement ("Agreement") between Turbo Technologies Ltd, a company registered in England and Wales with company number 13124266, trading as RepoWarden (the "Processor", "we", "us"), and the customer identified in the Agreement (the "Controller", "you"), governing the Processor's processing of Personal Data on behalf of the Controller in connection with the RepoWarden service at repowarden.dev (the "Service"). Where the Agreement and this DPA conflict on the subject of Personal Data, this DPA prevails.

1. Definitions

Terms not defined below have the meaning given in the UK GDPR and the Data Protection Act 2018.

  • "Applicable Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679) where applicable, and any other data-protection or privacy laws applicable to the processing of Personal Data under this DPA.
  • "Customer Personal Data" means Personal Data that the Processor processes on behalf of the Controller in connection with the Service, as described in Annex I.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
  • "Subprocessor" means any third party engaged by the Processor to process Customer Personal Data on the Controller's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the EU Commission's module-based clauses (2021/914) and the UK International Data Transfer Addendum ("UK Addendum") issued under section 119A of the Data Protection Act 2018.

2. Subject matter, nature and purpose

The Processor processes Customer Personal Data solely to provide the Service to the Controller, which involves: (i) authenticating the Controller's users via GitHub OAuth; (ii) scanning GitHub repositories selected by the Controller for outdated or vulnerable software dependencies; (iii) generating pull requests, summaries, test scaffolding, and documentation updates using a large language model (LLM); (iv) storing scan results, pull-request metadata, usage telemetry, and billing information; and (v) providing support and billing services related to the Service.

The duration of processing is the term of the Agreement plus any retention period described in Section 10.

3. Processor obligations

The Processor shall:

  1. Process only on documented instructions. Process Customer Personal Data only on the Controller's documented instructions, which for the purposes of Article 28(3)(a) UK GDPR are: (i) this DPA; (ii) the Agreement; (iii) the Controller's use of the Service's features; and (iv) further instructions agreed in writing between the parties. The Processor shall inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.
  2. Confidentiality. Ensure that personnel authorised to process Customer Personal Data are under an appropriate statutory obligation of confidentiality or have entered into binding confidentiality agreements.
  3. Security. Implement and maintain the technical and organisational measures set out in Annex II and such further measures as are appropriate to the risk, taking into account Article 32 UK GDPR.
  4. Subprocessors. Engage Subprocessors only in accordance with Section 5.
  5. Assistance. Assist the Controller with: (a) responding to data-subject rights requests under Chapter III UK GDPR; (b) carrying out DPIAs and prior consultations; (c) ensuring compliance with Articles 32–36 UK GDPR.
  6. Personal Data Breach. Notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information required under Article 33(3) UK GDPR.
  7. Return or deletion. On termination, at the Controller's written choice, delete or return all Customer Personal Data within 30 days, subject to legal retention requirements.
  8. Audit. Make available to the Controller information necessary to demonstrate compliance with Article 28 UK GDPR and allow for and contribute to audits. Provision of our security documentation, subprocessor list, and responses to written questionnaires will ordinarily satisfy this obligation.

4. Controller obligations

The Controller warrants that it has a lawful basis for the processing instructed under this DPA and has obtained all necessary consents and notices. The Controller shall not provide to the Processor any special-category Personal Data under Article 9 UK GDPR, data relating to criminal convictions, or payment-card data outside the designated billing integration, without the Processor's prior written consent. The Controller is responsible for the accuracy, quality, and legality of Customer Personal Data.

5. Subprocessors

The Controller grants the Processor general written authorisation to engage the Subprocessors listed on our Subprocessor page. We will notify the Controller of any intended addition or replacement of a Subprocessor at least 30 days before the change takes effect. The Controller may object to the change on reasonable data-protection grounds within that 30-day window, in which case the parties will work in good faith to resolve the objection or the Controller may, within the notice period, terminate the affected part of the Service without penalty. We impose on each Subprocessor contractual data-protection obligations that are no less protective than those in this DPA, and remain liable for their acts and omissions.

6. International data transfers

Customer Personal Data is processed by the Subprocessors listed in Annex III, which may include processing outside the United Kingdom and the European Economic Area. Where transfers to a country without an adequacy decision occur, the parties agree that (a) the UK Addendum is incorporated into this DPA for UK-controller transfers, and (b) the EU SCCs (Module 2: Controller-to-Processor) are incorporated into this DPA for EEA-controller transfers, with the Processor as data importer and the Controller as data exporter. Annexes I, II and III of the SCCs are populated by the corresponding Annexes of this DPA.

7. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws.

8. Term and termination

This DPA takes effect on the Effective Date and remains in force for as long as the Processor processes Customer Personal Data on behalf of the Controller.

9. Precedence and amendment

In the event of a conflict between this DPA and the Agreement, this DPA prevails. We may update this DPA from time to time, provided that no update will materially reduce the protections afforded to Customer Personal Data without the Controller's consent.

10. Retention

Customer Personal Data is retained for the term of the Agreement and for up to 30 days after termination, after which it is deleted from live systems and from routine backups within a further 90 days, except where retention is required by law (e.g. UK tax law: 6 years).

11. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

Annex I — Details of processing

A. Parties

Data Exporter (Controller): the Customer as identified in the Agreement. Data Importer (Processor): Turbo Technologies Ltd t/a RepoWarden, UK company no. 13124266. Contact: [email protected].

B. Description of the transfer

  • Categories of data subjects: (i) Controller's authorised users of the Service (e.g. developers, engineering managers); (ii) individuals identified in commit metadata, pull requests, issues, or code comments within repositories the Controller has connected.
  • Categories of Personal Data: GitHub account identifiers (username, numeric ID, avatar URL); email address; GitHub OAuth access token (encrypted at rest); IP address and user agent for session and audit logging; repository metadata; manifest/lock-file contents; code snippets sent to the LLM; billing contact and Stripe customer ID.
  • Special-category data: none expected. The Controller agrees not to submit such data.
  • Frequency: continuous, while the Service is in use.
  • Nature: collection, storage, retrieval, consultation, transmission, and erasure as necessary to provide the Service.
  • Purpose: automated repository maintenance, dependency updates, pull-request generation, billing, and support.
  • Retention: see Section 10.
  • Subprocessors: see Annex III / live Subprocessor List.

C. Competent supervisory authority

For UK-controller transfers: the UK Information Commissioner's Office (ICO). For EEA-controller transfers: the supervisory authority of the Member State in which the Controller is established.

Annex II — Technical and Organisational Measures

Summary TOMs implemented by the Processor:

  • Encryption in transit: TLS 1.2+ (TLS 1.3 preferred); HSTS enforced.
  • Encryption at rest: AES-256-GCM field-level encryption of sensitive fields (GitHub OAuth tokens) using a key held as a Cloudflare Worker secret, separate from the database and not stored alongside the ciphertext; the database itself is encrypted at rest by the infrastructure provider.
  • Access control: GitHub OAuth for end users; hardware-backed MFA on all admin accounts; least-privilege OAuth scopes; production access restricted to authorised personnel under documented role-based controls.
  • Network and application security: Cloudflare WAF, DDoS mitigation, and bot management at the edge; strict CORS policy, parameterised database queries, and CSRF protection in the application.
  • Vulnerability management: automated dependency scanning on every build; annual or change-triggered penetration testing.
  • Backups & BCP: managed database backups with point-in-time restore; RTO 24 hours, RPO 24 hours.
  • Monitoring: Sentry (PII scrubbed), Cloudflare Analytics Engine, audit logs.
  • Incident response: written procedure; 4-hour acknowledgement target; 72-hour notification to affected Controllers.
  • Personnel: written confidentiality obligations and annual security-awareness training.
  • Physical security: infrastructure operated by Cloudflare, Inc. in ISO 27001 / SOC 2 / PCI-DSS certified data centres; we do not operate our own data centres.

See the full Security Overview for further detail.

Annex III — Approved Subprocessors

The up-to-date list is maintained at repowarden.dev/subprocessors.

Contact

Questions about this DPA should be directed to [email protected].