Data Processing Agreement
Last updated: April 14, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between EnsureFix (the "Processor") and the customer organization (the "Controller"). It governs the processing of personal data by EnsureFix on behalf of the Controller in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Scope of Processing
2.1 Subject Matter
EnsureFix processes data solely to provide the AI-powered code generation and review services described in the Terms of Service.
2.2 Categories of Data
- Account data: names, email addresses, organization membership.
- Technical data: IP addresses, user agents (for audit logging).
- Repository data: source code, ticket descriptions, AI-generated outputs.
- Credential data: encrypted VCS OAuth tokens.
2.3 Data Subjects
The Controller's employees, contractors, and other authorized users who access the EnsureFix platform.
3. Obligations of the Processor
EnsureFix shall:
- Process personal data only on documented instructions from the Controller, including transfers to third countries.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 5).
- Not engage another processor without prior written authorization from the Controller.
- Assist the Controller in responding to data subject access requests.
- Assist the Controller in ensuring compliance with data breach notification obligations.
- Delete or return all personal data upon termination of the agreement, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Sub-processors
EnsureFix uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI model inference (Claude API) | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
We will notify you at least 30 days before adding or replacing a sub-processor, giving you the opportunity to object. Anthropic does not use API-submitted data to train its models.
5. Security Measures
EnsureFix implements the following technical and organizational measures:
- Encryption at rest: VCS credentials encrypted with AES-256-GCM.
- Encryption in transit: all communications over TLS.
- Access control: role-based access with organization-scoped data isolation.
- Authentication: bcrypt-hashed passwords, HttpOnly session cookies, account lockout.
- Audit logging: tamper detection via SHA-256 hash chains.
- Input validation: parameterized database queries, SSRF protection, rate limiting.
- Incident response: security incidents are investigated and reported within 72 hours.
6. Data Breach Notification
In the event of a personal data breach, EnsureFix will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
- Contact details for our data protection team.
7. International Transfers
When personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate safeguards as required by applicable law.
8. Data Retention & Deletion
- Account data is deleted within 30 days of account closure.
- Workspace tickets and AI outputs are automatically purged after 12 months.
- Audit logs are retained for 7 years (pseudonymized after account deletion).
- Upon written request, we will certify deletion of all personal data.
9. Audits
The Controller may audit EnsureFix's compliance with this DPA upon reasonable written notice (at least 30 days). Audits shall be conducted during normal business hours, no more than once per year, and at the Controller's expense.
10. Requesting a Signed DPA
Enterprise customers can request a countersigned copy of this DPA. Contact us at legal@ensurefix.com with your organization name and we will provide an executable copy within 5 business days.