Data Processing Agreement
Effective: 2026-04-28
This Data Processing Agreement ("DPA") forms part of the Terms of Service (or applicable Order Form) between Spinal Technologies GmbH ("Processor", "Spinal") and the customer entity ("Controller", "Customer"). Capitalised terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679).
1. Definitions
- "Service Data" — Personal Data contained in Customer Data that Spinal processes on Controller's behalf in the course of providing the Service.
- "Sub-processor" — a third party engaged by Spinal that processes Service Data.
- "SCCs" — the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject matter and duration
| Item | Detail |
|---|---|
| Subject matter | Provision of the Spinal code-review automation Service |
| Duration | Until termination of the Terms or, if longer, deletion or return of Service Data |
| Nature and purpose | Hosting, processing, analysing, and storing Service Data to deliver the Service |
| Categories of data subjects | Controller's employees, contractors, and third parties whose Personal Data is included in source code, pull requests, or connected systems (including commit authors) |
| Categories of Personal Data | Identifiers (name, email, GitHub/Microsoft/Google IDs), employment metadata, free-text content embedded in code, comments, logs, and incidents |
3. Spinal's obligations as Processor
Spinal will:
- (a) process Service Data only on Controller's documented instructions (these Terms, Order Forms, and Service configuration constitute documented instructions);
- (b) ensure persons authorised to process Service Data are bound by confidentiality;
- (c) implement appropriate technical and organisational measures (Annex II);
- (d) engage Sub-processors only as permitted in § 6;
- (e) assist Controller, taking into account the nature of processing, in responding to data-subject requests and in compliance with Articles 32–36 GDPR;
- (f) at Controller's choice, delete or return Service Data at the end of the Service, except where retention is required by law;
- (g) make available information necessary to demonstrate compliance and allow audits as set out in § 8;
- (h) notify Controller without undue delay if it considers an instruction infringes the GDPR or other applicable data-protection law.
4. Controller's obligations
Controller will:
- (a) ensure it has a lawful basis to send Service Data to Spinal and to instruct the processing described here;
- (b) provide notice to data subjects as required by law;
- (c) configure Service settings (including the model provider, model choice, and PII redaction patterns) appropriately for its data;
- (d) keep credentials and access controls secure and manage user provisioning;
- (e) not use the Service to process Special Categories of Personal Data (Art. 9 GDPR), Personal Data of children under 16, or payment-card data subject to PCI DSS, without explicit prior written agreement.
5. Data-subject rights
Spinal will, taking into account the nature of processing, assist Controller with appropriate technical and organisational measures, insofar as possible, to fulfil Controller's obligation to respond to data-subject requests under Chapter III of the GDPR. If Spinal receives a request directly, it will refer the requester to Controller and not respond except on Controller's instructions or as required by law.
6. Sub-processors
Controller grants general written authorisation for Spinal to engage Sub-processors. The current list is at Sub-processors. Spinal will:
- impose data-protection terms on each Sub-processor that are no less protective than this DPA;
- give Controller at least 30 days' notice of additions or replacements (via the published list and email to Controller's nominated contacts);
- allow Controller to object on reasonable data-protection grounds; if the parties cannot resolve the objection in good faith within 30 days, Controller may terminate the affected portion of the Service for the unexpired prepaid period;
- remain liable for the acts and omissions of its Sub-processors.
Customer-initiated integrations and model providers (e.g., Anthropic/Claude using Customer's own API key, GitHub, Sentry, Datadog, Jira, Slack) are not Sub-processors of Spinal; they are third-party systems Controller connects to the Service at its own initiative and under its own contracts with those providers.
7. International transfers
The Service is hosted in the European Economic Area (AWS eu-central-1, Frankfurt). For transfers of Service Data from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate the SCCs:
- Module Two (Controller-to-Processor) where Controller is in the EEA and Spinal acts outside the EEA in respect of a given processing activity, and
- Module Three (Processor-to-Sub-processor) for onward transfers from Spinal to a Sub-processor outside the EEA.
Annex I (description of processing and parties) and Annex II (TOMs) below complete the SCC annexes. The UK International Data Transfer Addendum applies to UK transfers; Swiss FDPIC requirements apply where the Swiss FADP is engaged.
Where Controller configures a third-party model provider or integration, including Anthropic/Claude using Controller's own API key, any transfer to that provider is governed by Controller's contract and transfer mechanism with that provider unless an Order Form expressly states that Spinal supplies managed provider access.
8. Audits
Once per twelve months (more often if required by a supervisory authority), Controller may request:
- a copy of Spinal's most recent third-party audit report (where available);
- a written response to a reasonable security questionnaire.
Where these are insufficient to address a specific Controller concern, Spinal will cooperate with a reasonable on-site or remote audit by Controller or its independent third-party auditor (under NDA), on 30 days' notice, during business hours, at Controller's cost, scoped to avoid disclosure of other customers' data and Spinal's confidential trade secrets.
9. Personal Data Breach
Spinal will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Service Data. The notice will include the information available to Spinal at the time, sufficient to allow Controller to meet its own notification obligations under Articles 33 and 34 GDPR.
10. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of Service. Liability under the SCCs is governed by their own terms.
11. Order of precedence
In the event of conflict among the documents, the following order applies (most-controlling first): SCCs > this DPA > Order Form > Terms of Service.
12. Term and termination
This DPA continues in force for as long as Spinal processes Service Data on Controller's behalf. Termination of the Terms terminates this DPA. Sections 3(f), 7, 9, and 10 survive termination as applicable.
Annex I — Description of processing
A. List of parties.
| Party | Role | Identity |
|---|---|---|
| Data exporter | Controller | The Customer entity identified in the Order Form / account |
| Data importer | Processor | Spinal Technologies GmbH, Hoppendorfer Straße 18A, 12555 Berlin, Germany |
Contact for Spinal: privacy@getspinal.com.
B. Description of transfer.
| Item | Detail |
|---|---|
| Categories of data subjects | Controller's employees, contractors, and third parties whose Personal Data is included in connected systems |
| Categories of Personal Data | Identifiers; employment metadata; free-text content embedded in code, PRs, comments, logs, and incidents |
| Sensitive data | None permitted unless explicitly agreed in writing |
| Frequency | Continuous |
| Nature of processing | Hosting, transformation, machine-learning inference, storage, retrieval, deletion |
| Purpose | Provide and maintain the Service |
| Storage location | AWS eu-central-1 (Frankfurt) primary; Sub-processors per the published list; Customer-configured integrations and model providers may process data in their own locations under Customer's contracts |
| Retention | Per Privacy Policy and customer instructions; deletion within 30 days of account closure unless legally required |
C. Competent supervisory authority. Berliner Beauftragte für Datenschutz und Informationsfreiheit.
Annex II — Technical and organisational measures (Art. 32 GDPR)
This Annex describes the controls Spinal has in place today. Items not listed here are not currently in place.
| Domain | Measures in place |
|---|---|
| Hosting region | AWS eu-central-1 (Frankfurt) |
| Encryption in transit | TLS for all client-to-server and server-to-server traffic |
| Encryption at rest | Application secrets are encrypted before database persistence. Infrastructure-level disk, snapshot, and backup encryption are controlled by the AWS deployment configuration. |
| Tenant isolation | Postgres row-level security enforced by the database; every tenant-scoped table has a tenant_isolation policy. Tenant identity is embedded in the JWT and applied to each session. |
| Authentication | Federated sign-in via Google, Microsoft, or GitHub OAuth; or email/password with salted hash. JWT with embedded company_id. MFA available via the OAuth provider. |
| Secret protection | Reversible secrets stored by customers (integration API keys, OAuth tokens, model provider API keys) are encrypted using a dedicated helper before persistence. |
| PII redaction before LLM submission | The launch deployment enables server-side redaction of common PII categories before LLM submission, and customers can add custom regex patterns for their environment. |
| Audit logging | Production audit log maintained for security-relevant events |
| Backup | Application data is stored on deployment volumes; backup and snapshot policy is configured outside the application. |
| Incident response | Documented breach-notification process per § 9 |
| Sub-processor diligence | Each sub-processor is engaged under a written DPA and SCCs where applicable |
The following are not currently in place; Spinal does not represent that they are: third-party security certifications (SOC 2, ISO 27001), 24/7 operations centre, formal quarterly access reviews, annual third-party penetration test, formal security training programme, formal background-check policy, documented disaster-recovery test cadence, bug-bounty programme. Spinal will update this Annex when these controls are implemented and evidenced.
Annex III — Sub-processors
Current list: Sub-processors.