Data Processing Agreement
Last updated: 18 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you or the organisation you represent ("Customer") and Kaustav Chakraborty, an individual operating the Angada service ("Angada AI", "we", "us"). It applies whenever we process personal data on the Customer's behalf in providing the service. If the Terms and this DPA conflict on data protection, this DPA controls.
Plain-language summary. When your team uses Angada, your team's GitHub and Slack identities are your data — you are the controller, we are your processor. This document is our contractual promise about how we handle that data: only on your instructions, securely, with a known list of sub-processors, and deleted when you leave.
1. Roles
- For personal data of the Customer's developers and team members processed to deliver the service (the "Customer Personal Data"), the Customer is the controller and Angada AI is the processor.
- For Angada AI's own account, billing, and product-analytics data, Angada AI is an independent controller, governed by our Privacy Policy.
2. Processing on instructions
We process Customer Personal Data only on the Customer's documented instructions — including the configuration choices made in the service (repositories, channels, schedules) and these terms — unless required by law, in which case we will inform the Customer first where legally permitted.
3. Confidentiality
We ensure that anyone authorised to process Customer Personal Data is bound by an obligation of confidentiality.
4. Security (Art. 32)
We implement appropriate technical and organisational measures, described in Annex II and at angada.ai/security. These include encryption of sensitive credentials at rest, tenant isolation, least-privilege access, and PII-redacted logging.
5. Sub-processors
- The Customer grants a general authorisation for us to engage the sub-processors listed in Annex III to process Customer Personal Data.
- We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.
- We will give the Customer at least 30 days' notice before adding or replacing a sub-processor (by updating the list at angada.ai/privacy-policy and notifying registered account contacts). The Customer may object on reasonable data-protection grounds; if a resolution cannot be reached, the Customer may terminate the affected service.
6. International transfers
Most Customer Personal Data is stored and processed in the EU. Where a sub-processor processes personal data outside the EU/EEA (currently Vercel and Resend, in the United States), the transfer is governed by the EU Standard Contractual Clauses (SCCs) or another lawful transfer mechanism. Annex III notes each region.
7. Personal data breach
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide the information the Customer reasonably needs to meet its own notification obligations (GDPR Art. 33–34). Our internal procedure follows a 72-hour assessment-and-notify runbook.
8. Assistance with data-subject requests
Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). If a request reaches us directly, we will refer the individual to the Customer unless instructed otherwise.
9. Audits
We will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including by providing our security documentation and sub-processor records. Third-party audit reports, where available, satisfy this obligation.
10. Deletion and return
On termination of the service, or on the Customer's request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law. Our deletion process irreversibly anonymises personal data and hard-deletes integration tokens; personal data in encrypted backups expires on a 14–30 day rollover. We retain irreversible hashed identifiers for fraud prevention as described in the Privacy Policy.
11. Liability and governing law
Each party's liability under this DPA is subject to the limitations in the Terms of Service. This DPA forms part of, and is governed by the same law as, the Terms of Service, without prejudice to any mandatory data-protection rights the Customer or its data subjects have under the law of their country of residence (including the GDPR).
Annex I — Details of processing
- Subject matter: delivery of GitHub pull-request notifications and reports into the Customer's messaging workspace.
- Duration: for the term of the Customer's use of the service.
- Nature and purpose: receiving GitHub events, posting and updating Slack messages, generating scheduled digests, and resolving GitHub↔Slack identities.
- Types of personal data: GitHub usernames and user IDs, profile emails, Slack user IDs and team IDs, integration tokens, and workspace/team configuration.
- Categories of data subjects: the Customer's developers, reviewers, and team members; workspace administrators.
- Special-category data: none processed.
Annex II — Security measures
Encryption of sensitive credentials at rest (AEAD); row-level tenant isolation; secrets held in a dedicated secrets manager; least-privilege access; structured logging with PII redaction; encrypted nightly backups with short rolling retention; secret-scanning and push protection on the codebase. Full description: angada.ai/security.
Annex III — Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Application database | EU |
| Railway | Application / API hosting | EU (Frankfurt) |
| Vercel | Website & app hosting (data in transit) | US (SCCs) |
| Cloudflare R2 | Encrypted backups | EU |
| PostHog | Product analytics (pseudonymous) | EU |
| Sentry | Error & performance monitoring | EU |
| Resend | Transactional email | US (SCCs) |
| Zoho Mail | Support correspondence | EU |
| Slack | Message delivery to the Customer's workspace | US |
| GitHub | Source of pull-request & identity data | US |
| Doppler | Secrets & configuration (no personal data) | US |
Contact
For any question about this DPA or our data practices, or to request a signable copy for your procurement process, contact us at hello@angada.ai.