© 2026 0x0800 SRL. All rights reserved.

Data Processing Agreement

Last updated: January 1, 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between 0x0800 SRL, operating under the brand Complimetric ("Processor"), and the customer ("Controller") who has accepted the Complimetric Terms of Service.

This DPA governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the Complimetric Infrastructure-as-Code compliance platform ("Service"), in accordance with Regulation (EU) 2016/679 (GDPR), Article 28.

2. Controller and Processor Roles

2.1 Controller

The Controller is the legal entity (company or individual) that has signed up for the Service and determines the purposes and means of processing personal data of its users, employees, and end-users.

2.2 Processor

0x0800 SRL acts as Processor and processes personal data solely on documented instructions from the Controller, unless required to do otherwise by applicable EU or Belgian law.

3. Data Subjects and Categories of Personal Data

3.1 Data Subjects

  • Employees, contractors, and team members of the Controller
  • GitHub users whose accounts are connected to the Service
  • Organization administrators and members

3.2 Categories of Personal Data

  • GitHub username, email address, and OAuth token
  • Name and professional contact details
  • IP addresses and browser/device metadata (access logs)
  • Cloud credential identifiers (access key IDs, subscription IDs) — encrypted at rest, never stored in plaintext
  • Billing contact information (processed via Stripe)

4. Purpose of Processing

The Processor processes personal data exclusively to:

  • Provide, operate, and maintain the Complimetric Service as described in the Terms of Service
  • Authenticate users and enforce role-based access controls
  • Scan connected repositories and cloud environments for infrastructure compliance on the Controller's instruction
  • Detect infrastructure drift by comparing Terraform state against live cloud resources
  • Generate compliance reports and audit trails for the Controller's internal governance requirements
  • Send service notifications (scan results, billing receipts, security alerts)

5. Technical and Organisational Measures

The Processor implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include those described in the Complimetric Security page, and specifically:

  • TLS 1.3 for all data in transit
  • AES-256-GCM encryption for sensitive data at rest
  • Role-based access control (RBAC) and multi-factor authentication (WebAuthn) for administrative access
  • Kubernetes NetworkPolicies restricting pod-to-pod traffic
  • Non-root, read-only containers with no privilege escalation
  • Immutable audit log with hash-chain integrity verification
  • Automated dependency scanning and patching for known vulnerabilities
  • Business continuity and disaster recovery procedures with daily database backups

6. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes at least 14 days in advance.

  • Amazon Web Services (AWS) — Cloud infrastructure (EU regions). Data Processing Addendum: aws.amazon.com/agreement
  • OVHCloud — Cloud infrastructure (EU). Privacy policy: ovhcloud.com/en/personal-data-protection
  • GitHub, Inc. — Source code access and OAuth. DPA: docs.github.com/en/site-policy/privacy-policies
  • Stripe, Inc. — Payment processing (PCI DSS Level 1). DPA: stripe.com/legal/dpa
  • Sentry (Functional Software, Inc.) — Error monitoring (EU region). DPA: sentry.io/legal/dpa

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) for transfers to third countries
  • Adequacy decisions where applicable (e.g., transfers to countries recognised by the European Commission)

The Processor will inform the Controller if it becomes aware that applicable law prevents it from complying with instructions under this DPA.

8. Retention and Deletion

The Processor retains personal data for the duration of the Service subscription. Upon termination or account closure:

  • Personal data is deleted or anonymised within 30 days
  • Cloud credentials are deleted immediately and permanently upon disconnection
  • Scan results may be retained in anonymised form for aggregate product analytics, unless the Controller requests full deletion
  • Audit logs are retained for a minimum of 12 months to satisfy legal obligations

9. Controller's Rights and Assistance

The Processor will assist the Controller in fulfilling its obligations under GDPR, including:

  • Responding to data subject access, rectification, erasure, and portability requests
  • Conducting and documenting Data Protection Impact Assessments (DPIAs) where required
  • Notifying the Controller within 72 hours of becoming aware of a personal data breach
  • Making available all information necessary to demonstrate compliance, and allowing audits by the Controller or its mandated auditor (subject to reasonable notice and confidentiality)

10. Liability

Each party is liable for its own GDPR violations. Where both parties are found responsible for damage caused by processing, liability is apportioned according to their respective responsibility as determined by a competent supervisory authority or court.

The Processor's aggregate liability under this DPA is subject to the limitations set out in the Complimetric Terms of Service.

11. Governing Law and Jurisdiction

This DPA is governed by Belgian law. Any dispute arising from or in connection with this DPA that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of Brussels, Belgium.

Nothing in this clause prevents either party from seeking urgent injunctive relief from any competent court.

12. Contact

For questions about this DPA, data processing practices, or to exercise data subject rights:

Data Protection contact: legal@complimetric.com

Company: 0x0800 SRL, Belgium

Supervisory authority: Belgian Data Protection Authority (Autorité de protection des données) — www.dataprotectionauthority.be