DreamCI · Legal
Data Processing Agreement
Last updated: 2026-05-22
This Data Processing Agreement (“DPA”) supplements the Terms of Service and applies whenever {{COMPANY_NAME}} (“Processor”) processes personal data on behalf of a customer (“Controller”, “you”) through the DreamCI Service. It implements Article 28 GDPR and the analogous provisions of the UK GDPR and LGPD.
A signed long-form copy of this DPA is available at /docs/dpa-template.md in our public repository. Customers on the Team and Business plans can request a counter-signed PDF by emailing {{DPO_EMAIL}}.
1. Subject matter and duration
The Processor processes personal data for the sole purpose of providing the Service under the Terms. Processing continues for the duration of the Terms and ends with the deletion routine described in Section 8.
2. Categories of data subjects and personal data
Data subjects: employees, contractors, and collaborators of the Controller who use the Service.
Personal data: account identifiers (email, display name), authentication metadata (IP, user-agent, identity-provider subject), repository-access tokens, build inputs and outputs as configured by the Controller, audit-log entries.
3. Processor obligations
- Process personal data only on documented instructions from the Controller. The Terms and the Service’s documented APIs constitute those instructions.
- Ensure that personnel authorised to process personal data are bound by appropriate confidentiality undertakings.
- Implement appropriate technical and organisational measures (Annex II of the long-form DPA) to ensure a level of security appropriate to the risk.
- Engage sub-processors only as listed below and only under written agreements that impose data-protection obligations equivalent to those in this DPA.
- Assist the Controller in fulfilling its obligations to respond to data-subject requests, conduct impact assessments, and consult with supervisory authorities.
- Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Controller’s data.
- At the choice of the Controller, delete or return all personal data at the end of the provision of services, subject to applicable retention obligations.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, on reasonable prior notice and subject to confidentiality.
4. Sub-processors
The Controller authorises the engagement of the following sub-processors:
- Hetzner Online GmbH (Germany) — infrastructure hosting, object storage, encrypted backups.
- Auth0 (Okta, Inc., USA) — identity provider.
- Paddle.com Market Ltd (United Kingdom) — merchant of record for billing.
- GitHub, Inc. (USA) — source-code access on Controller authorisation.
- Observability vendor — optional error telemetry with PII scrubbing, only when enabled.
We give the Controller at least 30 days’ prior notice of any intended changes to sub-processors. The Controller may object to a change in writing; if we cannot accommodate the objection, either party may terminate the Terms.
5. International transfers
Where personal data is transferred to a third country that does not ensure an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), together with supplementary technical measures (encryption in transit and at rest, pseudonymisation where feasible) as required by the Schrems II ruling.
6. Security measures
Annex II of the long-form DPA describes the technical and organisational measures in detail. Summary:
- TLS 1.2+ everywhere; HSTS; HTTP security headers.
- Encryption at rest on the database (LUKS) and object storage.
- AES-256-GCM application-layer encryption of OAuth tokens and per-project secrets.
- PostgreSQL row-level security (FORCE) and per-tenant context stamping for every connection.
- Append-only audit log; reviewed monthly; PII stripped at retention expiry.
- Least-privilege access; production access requires multi-factor authentication and is logged.
- Incident response runbook tested at least annually.
7. Personal-data breach notification
If the Processor becomes aware of a personal-data breach affecting the Controller’s data, the Processor will notify the Controller without undue delay and in any event within 72 hours of awareness. The notice will include, at minimum:
- A description of the nature of the breach.
- The categories and approximate number of data subjects.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
8. Deletion and return
On expiry or termination of the Terms, the Processor will, at the Controller’s option, return or delete all personal data within 30 days. Build artifacts subject to a Controller-configured retention policy are deleted on the configured schedule regardless of termination. The Processor may retain personal data to the extent required by law, in which case the retained data continues to be protected by this DPA.
9. Liability
The liability of each party under this DPA is subject to the limitations in the Terms. Nothing in this DPA limits a data subject’s rights under applicable law.
10. Contact
Data Protection Officer: {{DPO_EMAIL}}
Postal address: {{COMPANY_NAME}}, {{ENTITY_ADDRESS}}.
Full long-form text including Annex I (description of processing) and Annex II (technical and organisational measures) is available at docs/dpa-template.md.