StatewardStateward
All legal documents

Data Processing Agreement

Last updated:

This Data Processing Agreement ("DPA") forms part of the Terms of Use between you ("Customer", the controller) and Yggdrasil Digital ("Stateward", the processor). It governs the processing by Stateward of personal data contained in the code, repositories and data you connect to the Services ("Customer Personal Data"), in accordance with Article 28 of the GDPR. If you require a signed copy, contact hello@stateward.com.

1. Roles and Scope

For Customer Personal Data, the Customer is the controller (or itself a processor for its own customers) and Stateward is the processor. Stateward processes Customer Personal Data only to provide, secure and support the Services, and only on the Customer's documented instructions — which include the Terms of Use, this DPA and the Customer's configuration and use of the Services.

  • Subject-matter: automated security analysis of the Customer's software.
  • Duration: for the term of the Services, plus the deletion period in Section 9.
  • Nature and purpose: access, scanning, analysis, storage of related metadata, and generation of findings.
  • Types of personal data: any personal data incidentally present in source code, configuration, commit metadata or logs (e.g. names, emails, identifiers, secrets).
  • Categories of data subjects: the Customer's developers, employees, contractors and, incidentally, its own end users.

2. Stateward's Obligations

Stateward shall:

  1. process Customer Personal Data only on the Customer's documented instructions, including for transfers, unless required by EU or Member State law (in which case it will inform the Customer unless that law prohibits it);
  2. ensure that persons authorised to process the data are bound by confidentiality;
  3. implement the technical and organisational security measures required by GDPR Article 32 (Section 5);
  4. respect the conditions for engaging subprocessors (Section 4);
  5. assist the Customer, by appropriate measures, in responding to data subject requests (GDPR Articles 12–23);
  6. assist the Customer in ensuring compliance with Articles 32–36 (security, breach notification, impact assessments, prior consultation), taking into account the information available to Stateward;
  7. at the Customer's choice, delete or return Customer Personal Data at the end of the Services (Section 9);
  8. make available to the Customer the information necessary to demonstrate compliance with Article 28 and allow for audits (Section 8).

3. Customer's Obligations

The Customer warrants that it has a lawful basis and the necessary rights and notices to connect the data it submits, that its instructions comply with data protection law, and that it will not submit data outside the scope intended by the Services.

4. Subprocessors

The Customer grants general authorisation to Stateward to engage subprocessors to provide the Services. Current subprocessors are listed on our Subprocessors page. Stateward imposes on each subprocessor data-protection obligations equivalent to those in this DPA and remains liable for their performance.

Stateward will give at least thirty (30) days' notice (via the Subprocessors page or email) before adding or replacing a subprocessor. The Customer may object on reasonable data-protection grounds within that period; the parties will then work in good faith toward a resolution, and the Customer may terminate the affected Services if no resolution is reached.

5. Security

Stateward implements appropriate technical and organisational measures, including: encryption of data in transit; access controls and least-privilege; read-only repository access; segregation and EU-based hosting; logging, monitoring and vulnerability management; secure development practices; and personnel confidentiality and training. Measures may evolve provided the level of protection is not diminished.

6. Data Breach

Stateward shall notify the Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably available, and shall take reasonable steps to mitigate it.

7. International Transfers

Customer Personal Data is hosted on EU-based infrastructure. Where a transfer outside the EEA is necessary (e.g. a subprocessor), Stateward relies on an adequacy decision or appropriate safeguards under GDPR Article 46, including the Standard Contractual Clauses, which are incorporated by reference where applicable.

8. Audits

Stateward will make available the information necessary to demonstrate compliance and will allow and contribute to audits, including inspections, conducted by the Customer or an independent auditor it mandates, on reasonable prior notice (at least thirty (30) days), no more than once per year except where required by a supervisory authority or following a breach, subject to confidentiality and without disrupting Stateward's operations. Stateward may satisfy audit requests by providing relevant certifications or reports where available.

9. Return and Deletion

On termination or expiry of the Services, or on the Customer's request, Stateward will delete or return Customer Personal Data within a reasonable period (target thirty (30) days) and delete existing copies, unless EU or Member State law requires storage. Aggregated or de-identified data that no longer identifies any individual may be retained.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Use. This DPA is governed by French law; the courts of Toulouse have jurisdiction, subject to the GDPR's rules on supervisory authorities and data subject remedies.

Contact for data protection matters: privacy@stateward.com.