# Data Processing Agreement

**Between:**

- **Data Controller:** [Customer Name] ("Controller")
- **Data Processor:** ChenPo LLC, d/b/a CloudRepo ("Processor")

**Effective Date:** [Date]

**Document Version:** 1.0

**Last Updated:** March 9, 2026

---

## 1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below:

**"Personal Data"** means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.

**"Processing"** means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

**"Data Subject"** means an identified or identifiable natural person whose Personal Data is processed under this DPA.

**"Sub-processor"** means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

**"Data Breach"** (or "Personal Data Breach") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

**"Supervisory Authority"** means an independent public authority established by an EU/EEA Member State pursuant to Article 51 of the GDPR.

**"GDPR"** means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

**"Service Agreement"** means the underlying agreement between Controller and Processor for the provision of CloudRepo services.

**"Standard Contractual Clauses" (SCCs)** means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.

---

## 2. Scope and Purpose of Processing

2.1. The Processor provides cloud-based software artifact and package repository services to the Controller under the Service Agreement. This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with those services.

2.2. **Nature and purpose of Processing:** The Processing includes storage, retrieval, and management of software artifacts; user account management; billing and payment processing; and customer support.

2.3. **Categories of Data Subjects:** Controller's employees, contractors, and other authorized users of the services.

2.4. **Types of Personal Data processed:**

- Account information (name, email address, company affiliation)
- Usage data (access logs, feature usage, session metadata)
- Billing information (billing contact details, payment method identifiers)
- Support communications (support tickets, chat transcripts, email correspondence)

2.5. **Duration of Processing:** Processing shall continue for the term of the Service Agreement, unless otherwise specified in this DPA.

---

## 3. Obligations of the Data Controller

3.1. The Controller determines the purposes and means of Processing of Personal Data and shall ensure that the Processing of Personal Data under this DPA is lawful under applicable data protection law.

3.2. The Controller is responsible for ensuring that a lawful basis exists for the Processing of Personal Data, including obtaining and managing Data Subject consent where required.

3.3. The Controller shall provide documented instructions to the Processor regarding the Processing of Personal Data. The Service Agreement and this DPA constitute the Controller's initial instructions.

3.4. The Controller shall ensure that its instructions to the Processor comply with applicable data protection law. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law; the Controller shall then confirm, amend, or withdraw the instruction in writing.

---

## 4. Obligations of the Data Processor

4.1. **Processing on instructions.** The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.

4.2. **Confidentiality.** The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. **Security measures.** The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

- **AES-256 encryption at rest** for all stored data
- **TLS 1.2+ encryption** for all data in transit
- **PBKDF2+BLAKE2b-512 password hashing** with 50,000 iterations
- **Multi-factor authentication (MFA)** required for all production system access
- **Principle of least privilege** for all access controls
- **Automated backups** with point-in-time recovery
- **DDoS protection** via AWS Shield Standard (included with all AWS resources)

4.4. **Sub-processors.** The Processor shall not engage another processor without prior written authorization from the Controller, subject to the provisions of Section 5.

4.5. **Data Subject requests.** The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law.

4.6. **Assistance with compliance.** The Processor shall assist the Controller in ensuring compliance with obligations related to security of Processing, notification of Data Breaches, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and the information available to the Processor.

4.7. **Deletion or return.** Upon termination of the Service Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data to the Controller within 30 days, in accordance with Section 8.

4.8. **Demonstration of compliance.** The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

---

## 5. Sub-processors

5.1. The Controller provides general written authorization for the Processor to engage Sub-processors for the purposes described in this DPA. The current list of Sub-processors is set forth in Annex B and maintained at www.cloudrepo.io/subprocessors.

5.2. The Processor shall notify the Controller at least **30 days** before adding or replacing a Sub-processor. Notification shall be provided via email to the Controller's designated contact.

5.3. The Controller may object to a new or replacement Sub-processor within **14 days** of receiving notification. Any objection must be in writing and state reasonable grounds related to data protection.

5.4. If the Controller raises a reasonable objection, the Processor shall use commercially reasonable efforts to make available an alternative solution that avoids the use of the objected-to Sub-processor. If no alternative is available and the parties cannot resolve the objection within 30 days, the Controller may terminate the Service Agreement without penalty.

5.5. The Processor shall impose data protection obligations no less protective than those set out in this DPA on each Sub-processor by way of a written contract. The Processor remains fully liable for the performance of each Sub-processor's obligations under this DPA.

---

## 6. Data Subject Rights

6.1. The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:

- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)

6.2. If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request directly unless authorized to do so by the Controller.

6.3. The Processor shall provide reasonable assistance to the Controller within **10 business days** of receiving a request for assistance, or such shorter period as may be required by applicable law.

---

## 7. Data Breach Notification

7.1. The Processor shall notify the Controller without undue delay, and in any event no later than **72 hours**, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

7.2. The notification shall include, to the extent available:

- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's data protection point of contact
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects

7.3. Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay.

7.4. The Processor shall cooperate with the Controller in the investigation and remediation of any Personal Data Breach and shall take reasonable steps to mitigate the effects and minimize any damage resulting from the breach.

---

## 8. Data Deletion/Return

8.1. Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's written election:

- **(a)** Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- **(b)** Delete all Personal Data, including all copies thereof.

8.2. The Processor shall complete the deletion or return within **30 days** of termination or receipt of the Controller's written instructions, whichever is later.

8.3. Deletion shall include all copies of Personal Data in the Processor's possession, including backups and archived copies, except where retention is required by applicable law. Where retention is required by law, the Processor shall inform the Controller of the retention requirement and shall continue to protect the retained data in accordance with this DPA.

8.4. The Processor shall certify deletion in writing upon the Controller's request.

---

## 9. Audit Rights

9.1. The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or by an independent third-party auditor appointed by the Controller and bound by appropriate confidentiality obligations.

9.2. The Processor shall cooperate with reasonable audit requests and shall make available all information, systems, and personnel reasonably necessary to conduct the audit.

9.3. The Controller shall provide at least **30 days'** written notice before conducting an audit.

9.4. Audits shall be limited to **once per 12-month period**, unless a Personal Data Breach has occurred or the Controller has reasonable grounds to believe the Processor is not in compliance with this DPA.

9.5. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.

9.6. The Controller shall bear the costs of the audit, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs.

---

## 10. International Data Transfers

10.1. Customer data is stored and processed in the **United States** (AWS US-West, N. California), except as disclosed in Annex B.

10.2. The Processor does not transfer Personal Data outside the United States, other than to the Sub-processors identified in Annex B as located in the European Union, which process only the limited data categories listed there.

10.3. For transfers of Personal Data from the EU/EEA to the United States, the parties agree to the **Standard Contractual Clauses** (Module Two: Controller to Processor) as adopted by the European Commission Decision (EU) 2021/914. The SCCs are incorporated by reference into this DPA.

10.4. The Processor shall ensure that any Sub-processor located outside the EU/EEA provides adequate safeguards for the protection of Personal Data in accordance with applicable data protection law.

---

## 11. Term and Termination

11.1. This DPA shall become effective on the Effective Date and shall remain in force for the duration of the Service Agreement.

11.2. Upon termination of the Service Agreement, the data deletion and return provisions set forth in Section 8 shall apply.

11.3. The following provisions shall survive termination of this DPA:

- **Confidentiality obligations** (indefinitely)
- **Audit rights** (for 12 months following termination)
- **Data deletion/return obligations** (Section 8)
- **Liability provisions** (Section 12)
- **Any obligations required by applicable law**

---

## 12. Liability

12.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Service Agreement, except as otherwise provided in this Section.

12.2. The Processor's total aggregate liability arising out of or in connection with this DPA shall not exceed the total fees paid by the Controller to the Processor in the **12 months** immediately preceding the event giving rise to the claim.

12.3. Neither party excludes or limits liability for:

- Fraud or fraudulent misrepresentation
- Gross negligence or willful misconduct
- Any liability that cannot be excluded or limited under applicable law

---

## Annex A: Details of Processing

| Detail                          | Description                                                                                                                                                                            |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Subject matter**              | Software artifact and package repository services                                                                                                                                      |
| **Duration**                    | Term of the Service Agreement                                                                                                                                                          |
| **Nature and purpose**          | Storage, management, and delivery of software artifacts; user account management; billing and payment processing; customer support                                                     |
| **Types of Personal Data**      | Account information (name, email, company), billing information (billing contact details, payment method identifiers), usage data (access logs, feature usage), support communications |
| **Categories of Data Subjects** | Controller's employees, contractors, and authorized users                                                                                                                              |
| **Data location**               | United States (AWS US-West, N. California)                                                                                                                                             |

---

## Annex B: Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Controller. The current list is maintained at www.cloudrepo.io/subprocessors.

| Sub-processor             | Purpose                          | Data Processed                           | Location         | Compliance                |
| ------------------------- | -------------------------------- | ---------------------------------------- | ---------------- | ------------------------- |
| Amazon Web Services (AWS) | Infrastructure, storage, compute | All customer data and artifacts          | United States    | SOC 2, ISO 27001, FedRAMP |
| Braintree/PayPal          | Payment processing               | Billing information                      | United States    | PCI DSS Level 1, SOC 2    |
| GitHub                    | Source code management           | No customer data                         | United States    | SOC 2, ISO 27001          |
| Postmark                  | Transactional email              | Email addresses, notification content    | United States    | SOC 2                     |
| Grafana Cloud             | Monitoring and observability     | System metrics, logs (no PII)            | United States    | SOC 2                     |
| Amplitude                 | Product analytics                | Anonymized usage data                    | United States    | SOC 2                     |
| Intercom                  | Customer support                 | Support conversations, email             | United States    | SOC 2                     |
| Sentry                    | Error tracking and monitoring    | Application error data, session metadata | United States    | SOC 2                     |
| Google Tag Manager        | Marketing analytics              | Anonymized browsing data                 | United States    | SOC 2                     |
| n8n (Cloud)               | Workflow automation              | Operational data                         | Germany (EU)     | SOC 2                     |
| Supabase                  | Billing and operational systems  | Billing contacts, operational records    | United States    | SOC 2                     |
| Baserow (Cloud)           | Billing and operational systems  | Billing contacts, operational records    | Netherlands (EU) | SOC 2                     |

---

## Signatures

### Data Controller

Name: ______________________________

Title: ______________________________

Company: ______________________________

Signature: ______________________________

Date: ______________________________

### Data Processor

Name: Chris Shellenbarger

Title: Founder & CEO

Company: ChenPo LLC (d/b/a CloudRepo)

Signature: ______________________________

Date: ______________________________
