Data Processing Agreement

Effective as of Nov 15, 2024

This Data Processing Agreement (“Agreement”) is part of, and is governed by, the terms and conditions set forth in the Terms and Conditions of Sourcery.AI Limited (“Sourcery”). Terms not defined in this Agreement shall have the meaning given to them in the Terms and Conditions.

If Sourcery makes any changes to this Agreement that materially affect how personal data is processed or reduce your rights, you will be notified (e.g., by email). If you have questions about this Agreement, wish to know more about our data protection practices, or need to exercise your rights regarding the processing of your personal data, contact our Data Protection Officer, Tim Gilboy, at privacy@sourcery.ai.

1. Definitions and Interpretation

Unless otherwise defined herein, terms and expressions in this Agreement shall have the meanings assigned in the GDPR.

• Agreement: This Data Processing Agreement.
• Client Personal Data: Personal Data processed by Sourcery on behalf of the Client.
• Data Processor: Sourcery.AI Limited.
• Data Controller: The Client (any user of Sourcery services).
• Services: Code review and coding assistant services provided by Sourcery.
• Subprocessor: Any third party engaged by Sourcery to process personal data.

2. Processing of Personal Data

Roles and Scope: Sourcery will process Client Personal Data solely to deliver the agreed Services, in accordance with documented instructions provided by the Client.

Nature of Processing:

• Data Types: Name or GitHub/GitLab username, email address, credit card data (processed via Stripe), source code (not retained), and product usage data.
• Categories of Data Subjects: Customers and end users of the Sourcery platform.

3. Processor Obligations

Sourcery shall comply with all applicable Data Protection Laws, ensuring that:

• Data is processed only as necessary to fulfill the Services.
• Access to data is restricted to authorized personnel under confidentiality agreements.

4. Subprocessing

Sourcery may engage the following Subprocessors:

• Auth0: User authentication and account management.
• Google Analytics: Website analytics.
• Langsmith: Processes LLM message data and analytics.
• Mixpanel: Product usage analytics.
• Sentry: Error handling and reporting.
• Stripe: Payment processing.

All Subprocessors will comply with terms no less stringent than those set forth in this Agreement.

5. Data Transfers

Data storage is within the EEA. Data processed for LLM services may involve transfers outside the EEA, subject to Client configuration and choice of provider.

6. Data Subject Rights

Sourcery will assist the Client in responding to Data Subject requests, including access, rectification, or deletion of personal information. Sourcery shall not respond to such requests without Client instructions unless legally required.

7. Data Breach Notification

Sourcery will notify the Client without undue delay upon becoming aware of a personal data breach, providing sufficient details for compliance with GDPR obligations.

8. Data Retention

Upon termination of the Services, all Client Personal Data will be deleted promptly unless required by law. Data deletion will be confirmed upon Client request.