Legal
Data Processing Agreement
Last updated: May 1, 2026
1. Parties
This Data Processing Agreement ("DPA") is between CodeHost, Inc. ("Processor") and the customer identified in the signature block ("Controller"). This DPA supplements the Terms of Service and applies to the processing of personal data subject to GDPR, CCPA, and other applicable data protection laws.
2. Scope of processing
Processor processes the following categories of personal data on behalf of Controller: account holder name and email, billing contact information, team member names and emails, and app deployment metadata (app name, region, resource usage). Processor does not process the content of Controller's deployed applications or their databases. App content is outside the scope of this DPA.
3. Purposes of processing
Processing is carried out for the purposes of: providing the CodeHost hosting service, processing payments and maintainer revenue shares, communicating service updates, maintaining platform security, and complying with legal obligations.
4. Processor obligations
Processor shall: process personal data only on documented instructions from Controller, ensure personnel are bound by confidentiality, implement appropriate technical and organizational security measures, assist Controller in responding to data subject requests, notify Controller of any data breach within 72 hours, and delete or return all personal data upon termination.
5. Sub-processors
Processor engages the following sub-processors: Stripe, Inc. (payment processing, USA), Amazon Web Services, Inc. (infrastructure, USA/EU/APAC), and Cloudflare, Inc. (CDN and security, USA). Controller authorizes these sub-processors. New sub-processors will be announced with 30 days' notice. Controller may object to sub-processor changes by terminating the service.
6. International transfers
For transfers outside the EEA, Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. SCCs are incorporated by reference and available upon request. Controller may select EU-based deployment regions to minimize data transfers outside the EEA.
7. Security measures
Technical measures include: encryption at rest (AES-256) and in transit (TLS 1.3), container isolation between customer environments, automated security patching, network firewalls and DDoS protection, and regular penetration testing. Organizational measures include: access controls and least-privilege principles, employee security training, incident response procedures, and annual security audits.
8. Data breach notification
Processor shall notify Controller of a personal data breach within 72 hours of becoming aware of it, including: the nature of the breach, categories and approximate number of data subjects affected, measures taken to contain the breach, and a designated contact for further information.
9. Audit rights
Controller may audit Processor's compliance with this DPA upon 30 days' written notice, no more than once per year. Audits will be conducted during business hours and at Controller's expense. Processor will provide reasonable assistance and access to relevant systems and records.
10. Term and termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, Processor will delete all personal data within 30 days unless legal retention requirements apply. A certificate of deletion is available upon request.
11. Contact
DPA inquiries: dpo@codehost.app
Data Protection Officer: dpo@codehost.app