Data Processing Agreement (template)

Template — requires legal review and signature before use.This DPA governs Aven’s processing of personal data on behalf of a client (the “Controller”) when a repository or tracker is connected. It must be executed before any real client data is connected (UK GDPR / DPA 2018). It does not bind anyone until signed.

1. Roles

The Controller is the client company. Aven Ltd is the Processor. Aven processes personal data only on the Controller’s documented instructions (this DPA and the service).

2. Subject-matter, duration, nature & purpose

Subject-matter: assembling AIF-aligned R&D evidence from the Controller’s engineering history. Duration: for the term of the engagement plus deletion. Nature & purpose: read-only ingestion of commit/PR/ticket metadata and text, redaction, storage, and presentation in an evidence pack reviewed by a competent person. Aven never files claims or gives tax advice.

3. Types of personal data & data subjects

Personal data: contributor identities present in version-control and tracker history (names, usernames, email addresses in commit/PR/ticket metadata and text), and Controller account details. Data subjects: the Controller’s engineers and staff. No special-category data is sought. Source code is never stored.

4. Processor obligations

• Process only on documented instructions; no purpose beyond the service.
• Ensure persons authorised to process are bound by confidentiality.
• Implement appropriate technical & organisational security (clause 6).
• Assist the Controller with data-subject requests and with DPIAs / breach duties.
• Delete or return all personal data at the end of the engagement (clause 8).
• Make available information to demonstrate compliance and allow audits (clause 9).

5. Sub-processors

The Controller authorises the sub-processors Aven uses to run the service, currently: Supabase (database, auth, storage; EU/London region), Vercel (hosting), Stripe (payments), Resend (transactional email), PostHog (EU-region analytics). Aven remains liable for its sub-processors and will give notice of changes, allowing objection.

6. Security

• Read-only integration scopes; no write access to client systems.
• Secrets and access tokens encrypted at rest (Supabase Vault); never logged.
• Ingestion-time redaction of secrets and obvious PII; source code never stored.
• Row-level security isolating each company’s data; least-privilege access.
• Encryption in transit; access limited to authorised personnel.

7. Personal-data breach

Aven will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with the information needed for the Controller’s own notifications.

8. Deletion & return

On termination or request, Aven deletes (or returns, then deletes) all personal data processed for the Controller, including from connected-tool ingestion, save where retention is legally required.

9. Audit & international transfers

Aven makes available information reasonably necessary to demonstrate compliance and submits to audits on reasonable notice. Personal data is hosted in the UK/EU; any transfer outside the UK/EEA will rely on an appropriate safeguard (e.g. the UK IDTA / SCCs).

10. Liability & governing law

Liability is as set out in the main services agreement. This DPA is governed by the law of England and Wales. Where it conflicts with the services agreement on data protection, this DPA prevails.

This is a drafting template generated to unblock the build, not executed legal advice. Have it reviewed by a solicitor and complete the signature block before connecting any real client data.