Data Processing Addendum
Version 1.0, effective July 12, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer,” “you”) and [ShiftGraph operating entity, to be finalized at incorporation] (“ShiftGraph,” “we”) under our Terms of Service (the “Agreement”) and governs the Processing of Personal Data by ShiftGraph on your behalf. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA controls. Capitalized terms not defined here have the meaning given in the Agreement.
The ShiftGraph Service is engineered to process only value-free structural metadata and to reject payloads carrying request or response values at the ingest edge. This DPA nonetheless provides full processor commitments as a deliberate safeguard, so that any Personal Data that a Customer configuration or environment might transmit is governed from the first byte.
1. Definitions
“Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and US state privacy laws including the California Consumer Privacy Act as amended by the CPRA (“CCPA”). “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the EU GDPR, and their equivalents (including “Business,” “Service Provider,” and “Personal Information”) apply under US state law. “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914. “Sub-processor” means a processor engaged by ShiftGraph to Process Personal Data.
2. Roles and scope of processing
For Personal Data contained in the structural metadata you submit to the Service (“Customer Personal Data”), you are the Controller (or a Processor acting for a third-party Controller) and ShiftGraph is the Processor. ShiftGraph acts as an independent Controller only for the limited account, authentication, billing, and Service-security data described in our Privacy Policy, and this DPA does not apply to that processing. The subject matter, duration, nature, and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.
3. Processing on documented instructions
ShiftGraph will Process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law to which we are subject; in that case we will inform you of the legal requirement before Processing, unless the law prohibits it on important grounds of public interest. This DPA, the Agreement, and your configuration and use of the Service are your complete and final documented instructions. We will inform you if, in our opinion, an instruction infringes Data Protection Laws (without obligation to give legal advice).
4. Confidentiality
ShiftGraph ensures that persons authorized to Process Customer Personal Data are bound by an appropriate duty of confidentiality and are Processing on a need-to-know basis. Access by our personnel is least-privilege, individually authenticated, and logged; our production database roles cannot read customer secrets, and support access requires a time-boxed, customer-visible, audited grant.
5. Security of processing
ShiftGraph implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. Those measures are described in Annex II and may be updated to keep pace with the state of the art, provided the level of protection is not materially diminished.
6. Sub-processors
You give ShiftGraph general written authorization to engage Sub-processors to Process Customer Personal Data. Our current Sub-processors are listed at shiftgraph.dev/subprocessors. Before engaging a new Sub-processor or replacing an existing one, we will update that list and, where you subscribe to notifications, give you at least thirty (30) days’ advance notice, during which you may object on reasonable data-protection grounds. If you reasonably object and we cannot make a commercially reasonable accommodation, you may terminate the affected Service and receive a pro-rata refund of prepaid, unused fees as your sole remedy. ShiftGraph imposes on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to you for a Sub-processor’s performance of those obligations.
7. Assistance to the Controller
Taking into account the nature of the Processing, ShiftGraph will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise Data Subject rights under Chapter III of the GDPR. If a Data Subject contacts ShiftGraph directly, we will, unless legally prohibited, promptly refer the request to you and not respond except to acknowledge receipt or on your instruction. Taking into account the nature of Processing and the information available to us, we will also assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
8. Personal Data Breach notification
ShiftGraph will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event in a manner that allows you to meet your own notification deadlines. The notice will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. ShiftGraph will take reasonable steps to mitigate and remediate. Our notification is not an acknowledgment of fault or liability.
9. Return and deletion
On termination or expiry of the Service, and at your choice, ShiftGraph will delete or return all Customer Personal Data and delete existing copies, unless retention is required by law. We will delete Customer Personal Data within ninety (90) days of termination, subject to routine backup cycles under which residual copies are deleted on their ordinary schedule and remain protected by this DPA until then. Anonymized and aggregated data that is no longer Personal Data is not subject to this Section.
10. Records and audits
ShiftGraph maintains records of its Processing sufficient to demonstrate compliance with Article 28 of the GDPR, and will make available to you the information reasonably necessary to demonstrate that compliance. To satisfy audit and inspection rights under Article 28(3)(h), we will, on reasonable written request no more than once in any twelve (12) months (unless required more often by a supervisory authority or following a Personal Data Breach), provide our then-current security summary and any third-party audit reports or certifications we hold. Where those are insufficient to satisfy a specific regulatory requirement, we will contribute to an audit, including an inspection, conducted by you or a mutually agreed independent auditor bound by confidentiality, on reasonable prior notice, during business hours, without unreasonable disruption, and subject to our security and confidentiality controls.
11. International transfers
Where ShiftGraph Processes Customer Personal Data protected by the EU GDPR, UK GDPR, or Swiss law and transfers it to a country without an adequacy decision, the SCCs are incorporated into this DPA by reference and take precedence over any conflicting term:
- Module Two (Controller-to-Processor) applies where you act as Controller, and Module Three (Processor-to-Processor) applies where you act as a Processor for a third-party Controller.
- In Clause 7 (docking), a new party may accede. In Clause 9, Option 2 (general written authorization) applies with the notice period in Section 6. In Clause 11, the optional independent-dispute-resolution language does not apply. In Clause 17, the governing law is that of Ireland; in Clause 18, disputes are resolved before the courts of Ireland. The Annexes to the SCCs are populated by Annexes I and II of this DPA and the Sub-processor list.
- For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies and amends the SCCs accordingly; for transfers subject to Swiss law, the SCCs apply with the adaptations of the Swiss Federal Data Protection and Information Commissioner. To the extent an approved successor mechanism or valid adequacy framework (such as the EU-US Data Privacy Framework) covers a transfer, the parties may rely on it.
12. US state privacy terms (Service Provider / Processor)
This Section applies to Personal Information Processed under US state Data Protection Laws. ShiftGraph acts as a Service Provider (CCPA) and Processor under other US state laws, and Processes Personal Information solely to provide the Service under the Agreement (the specified business purpose) and not for any other purpose. ShiftGraph will not:
- sell or share Personal Information as those terms are defined under the CCPA;
- retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, except as permitted by law;
- combine Personal Information with data received from other sources, except as the CCPA permits a Service Provider to do.
ShiftGraph certifies that it understands and will comply with these restrictions. We will provide the assistance reasonably necessary for you to respond to verifiable consumer requests, and, on notice that you reasonably believe we are making an unauthorized use, will stop and remediate. You may take reasonable and appropriate steps to confirm that ShiftGraph uses Personal Information consistent with your obligations under applicable US state law.
13. Liability and term
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, and any reference to a party’s liability means aggregate liability under the Agreement and this DPA together. Where the SCCs apply, nothing in this Section limits a Data Subject’s rights under the SCCs. This DPA takes effect when the Agreement does and continues while ShiftGraph Processes Customer Personal Data. This DPA is governed by the law of the Agreement, except where Data Protection Laws or the SCCs require otherwise.
Annex I: Description of Processing
A. Parties. Data exporter: the Customer, acting as Controller (or Processor), whose identity and contact details are in its ShiftGraph account and the Agreement. Data importer: [ShiftGraph operating entity, to be finalized at incorporation], acting as Processor, Virginia, United States, contact privacy@shiftgraph.dev.
B. Description.
- Subject matter and nature: Processing of value-free structural metadata describing the behavior of Customer’s third-party dependencies, to provide dependency intelligence, drift detection, alerting, and the CI drift gate.
- Purpose: to provide, secure, and support the Service under the Agreement.
- Duration: the term of the Agreement plus the deletion window in Section 9.
- Frequency: continuous, for the duration of the Service.
- Types of Personal Data: the Service is designed not to receive Personal Data. Any Personal Data is incidental and limited to identifiers that a Customer’s own dependency structure might expose (for example, a field name); request and response values are stripped and rejected. Special-category data is not requested and must not be submitted.
- Categories of Data Subjects: to the extent any Personal Data is incidentally present, the Customer’s own end users or contacts as reflected in dependency structure.
C. Competent supervisory authority. Where Module Two or Three applies, the competent supervisory authority is determined under Clause 13 of the SCCs by reference to the data exporter’s establishment or EU representative.
Annex II: Technical and organizational measures
ShiftGraph maintains, at a minimum, the following measures:
- Data minimization at source: a value-free capture model and an ingest gate that rejects request/response values, so contents never enter the Service.
- Access control: least-privilege database roles; row-level and column-level isolation between tenants; production secrets unreadable by the runtime role; mandatory two-factor authentication and support for passkeys and SSO; time-boxed, audited support access.
- Encryption: encryption in transit (TLS) and at rest; application-layer encryption of stored secrets.
- Resilience and recovery: managed, backed-up infrastructure; the ability to restore availability after an incident; monitoring and alerting.
- Integrity and accountability: a tamper-evident, hash-chained audit log; change control and code review; separation of duties.
- Testing: a security test suite exercised in continuous integration, and regular review of the effectiveness of these measures.
- Sub-processor governance: reputable Sub-processors bound by equivalent obligations, listed publicly and change-notified.
Annex III: Sub-processors
The current list of authorized Sub-processors is maintained at shiftgraph.dev/subprocessors and is incorporated into this DPA.
Questions about this document can be sent to legal@shiftgraph.dev. These documents govern the ShiftGraph service operated by [ShiftGraph operating entity, to be finalized at incorporation], under the laws of the Commonwealth of Virginia, United States (excluding its conflict-of-laws rules).