Data Processing Agreement

How we process personal data on your behalf as a data processor.

Last updated: February 25, 2026

I

Scope & Applicability

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sidequest Labs ("Ancla," "Processor") and the entity accepting these terms ("Customer," "Controller"). This DPA applies when Ancla processes personal data on Customer's behalf as a data processor in the course of providing the Service.

This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK General Data Protection Regulation as retained by the Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and other applicable data protection legislation (collectively, "Data Protection Laws").

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.

II

Definitions

Personal Data means any information relating to an identified or identifiable natural person ("Data Subject"), as defined under applicable Data Protection Laws, that is processed by Ancla on behalf of the Customer in connection with the Service.

Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Sub-processor means any third party engaged by Ancla to process personal data on behalf of the Controller in connection with the Service.

Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Terms not defined herein have the meanings given to them in the GDPR or the Terms of Service, as applicable.

III

Details of Processing

The following details of processing are provided in accordance with Article 28(3) GDPR:

Subject matter and duration: The processing of personal data in connection with the provision of the Service for the duration of the Agreement between the parties, plus any retention period required under this DPA or applicable law.

Nature and purpose: Hosting, storing, transmitting, and processing Customer's applications, databases, and associated data as necessary to provide the Service, including container orchestration, build processing, deployment management, secrets management, log aggregation, and monitoring.

Categories of data subjects: End users of Customer's applications; Customer's employees, contractors, and authorized users; and any other individuals whose personal data is contained within Customer's deployed applications and data.

Types of personal data: Any personal data contained within Customer's applications, databases, environment variables, configuration files, deployment logs, and other data deployed to or generated by the Service. This may include, but is not limited to: names, email addresses, IP addresses, authentication credentials, transaction data, and any other personal data that Customer or its end users submit through Customer's applications.

IV

Processing Instructions

Ancla will process personal data only in accordance with the Controller's documented instructions, unless required to do so by applicable law to which Ancla is subject (in which case Ancla will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so). The Service's documented functionality as described in the Terms of Service and applicable documentation constitutes the Controller's initial instructions.

Ancla will immediately inform the Controller if, in Ancla's opinion, an instruction from the Controller infringes applicable Data Protection Laws. Ancla will not process personal data for any purpose other than providing the Service as described in the Agreement.

Ancla confirms that it will not: (a) sell personal data; (b) retain, use, or disclose personal data for any commercial purpose other than providing the Service; (c) retain, use, or disclose personal data outside of the direct business relationship with the Controller; or (d) combine personal data received from the Controller with personal data received from other sources, except as permitted by applicable Data Protection Laws.

V

Confidentiality & Personnel

Ancla ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) GDPR.

Ancla limits access to personal data to those employees, contractors, and agents who require access to perform their duties in connection with the Service. All such personnel receive appropriate data protection training and are subject to disciplinary procedures for non-compliance.

VI

Security Measures

Ancla implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in accordance with Article 32 GDPR. These measures include, but are not limited to:

(a) Encryption: All personal data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Environment variables and secrets use additional application-layer encryption and are decrypted only at runtime within isolated containers.

(b) Access controls: Role-based access control with least-privilege principles; multi-factor authentication for infrastructure and administrative access; regular access reviews.

(c) Network security: Network segmentation and firewall rules; intrusion detection and prevention systems; DDoS mitigation.

(d) Monitoring and logging: Comprehensive audit logging of administrative, system, and data access events; real-time alerting for anomalous activity.

(e) Availability: Redundant infrastructure; automated failover; regular backups with tested restoration procedures; disaster recovery planning.

(f) Vulnerability management: Regular vulnerability assessments and penetration testing; timely application of security patches; responsible disclosure program.

Ancla regularly reviews and updates its security measures to address evolving threats and align with industry best practices. Details of current security measures are available upon request.

VII

Sub-processors

The Controller authorizes Ancla to engage sub-processors to assist in providing the Service, subject to the requirements of this section.

Ancla maintains a current list of sub-processors, including their identity, location, and the nature of processing performed. This list is available upon request by contacting privacy@ancla.dev.

Before engaging a new sub-processor or replacing an existing sub-processor, Ancla will: (a) notify the Controller at least thirty (30) days in advance via email; (b) provide the name, location, and description of processing for the proposed sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties will discuss the concerns in good faith. If the objection cannot be resolved within thirty (30) days, the Controller may terminate the affected portion of the Service without penalty.

Ancla will enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those in this DPA, in accordance with Article 28(4) GDPR. Ancla remains fully liable to the Controller for the acts and omissions of its sub-processors as if they were the acts and omissions of Ancla itself.

VIII

Data Subject Rights

Ancla will assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection) by appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing (Article 28(3)(e) GDPR).

If Ancla receives a request directly from a data subject regarding personal data processed on behalf of the Controller, Ancla will promptly redirect the data subject to the Controller and notify the Controller of the request, unless Ancla is legally required to respond directly. Ancla will not respond to such requests on its own initiative without the Controller's prior written authorization.

IX

Data Breach Notification

In the event of a Data Breach affecting personal data processed on behalf of the Controller, Ancla will notify the Controller without undue delay and in any event no later than seventy-two (72) hours after becoming aware of the breach, in accordance with Article 33(2) GDPR.

The notification will include, to the extent available: (a) a description of the nature of the Data Breach, including the categories and approximate number of data subjects and personal data records affected; (b) the name and contact details of Ancla's data protection officer or other contact point; (c) a description of the likely consequences of the breach; (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.

Ancla will cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. Ancla will document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and make this documentation available to the Controller upon request.

X

Data Protection Impact Assessments

Ancla will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to Ancla.

XI

International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, Ancla ensures that appropriate safeguards are in place, including:

(a) EU Standard Contractual Clauses (SCCs) as adopted by the European Commission pursuant to Decision 2021/914, with the Controller as the "data exporter" and Ancla as the "data importer" under Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable;

(b) the UK International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office;

(c) the Swiss-U.S. Data Privacy Framework, where applicable; or

(d) any other transfer mechanism recognized as providing adequate safeguards under applicable Data Protection Laws.

The Controller may request a copy of the applicable transfer safeguards and any supplementary measures by contacting privacy@ancla.dev. Ancla will conduct transfer impact assessments as required and implement supplementary measures where necessary to ensure an essentially equivalent level of protection.

XII

Audits & Compliance

Ancla will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audit requests must be submitted in writing to privacy@ancla.dev with at least thirty (30) days' prior notice. Audits will be conducted during normal business hours, with reasonable scope and duration, and in a manner that minimizes disruption to Ancla's operations. The Controller shall bear the costs of any audit it initiates, unless the audit reveals a material breach by Ancla of this DPA.

Ancla may satisfy audit obligations by providing: (a) relevant certifications and audit reports from independent third-party auditors (such as SOC 2 Type II); (b) responses to reasonable written security questionnaires; or (c) on-site or remote inspection access, as mutually agreed.

XIII

Data Deletion & Return

Upon termination or expiration of the Agreement, and at the Controller's election, Ancla will either: (a) return all personal data to the Controller in a structured, commonly used, machine-readable format; or (b) delete all personal data from its systems, including all existing copies.

The Controller must communicate its election within thirty (30) days of termination. If no election is made, Ancla will delete the personal data. Deletion will be completed within thirty (30) days of the election or the end of the election period. Backup copies will be destroyed within ninety (90) days.

Ancla may retain personal data to the extent required by applicable law, provided that Ancla: (a) processes such data only for the purpose of compliance with the legal retention obligation; (b) implements appropriate technical and organizational measures to ensure the security and confidentiality of the retained data; and (c) deletes the data promptly upon expiration of the retention period.

XIV

Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service, except that such limitations shall not apply to either party's obligations under applicable Data Protection Laws to the extent such limitations are prohibited by those laws.

Ancla is liable for damage caused by processing that does not comply with the obligations of Data Protection Laws specifically directed to processors, or where Ancla has acted outside of or contrary to the Controller's lawful instructions, in accordance with Article 82 GDPR.

XV

Term, Termination & Governing Law

This DPA takes effect on the date the Controller accepts the Terms of Service and remains in effect for as long as Ancla processes personal data on behalf of the Controller. Obligations relating to confidentiality, data deletion/return, and cooperation with supervisory authorities survive termination.

This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, provided that where Data Protection Laws require the application of the law of a specific jurisdiction (e.g., the GDPR requires application of EU/EEA member state law for certain provisions), those requirements shall prevail.

For questions about this DPA, contact dpo@ancla.dev.