Skip to content
  • Docs
  • Pricing
  • FAQ
Run Free Audit Log In

Data Processing Addendum

Effective date: 2026-07-13 · Version dpa-2026-07-13-r2

This Data Processing Addendum ("DPA") forms part of the Terms of Service for repod where Data Demon Systems Limited processes personal data on behalf of a customer. Data Demon Systems Limited is registered in England and Wales with company number 16158110. The DPA is intended for business customers using repod for GitHub access operations. The service is designed around GitHub organization metadata and access-control state, not repository source-code processing.

1. Roles

For customer-connected GitHub organisation metadata and access-control data, the customer is the controller and Data Demon acts as processor. For account registration, authentication, billing, security, support, website, analytics, marketing, and service-operation data, Data Demon acts as controller as described in the Privacy Policy.

GitHub is the customer-selected source platform for the connected GitHub organisation and is not treated as Data Demon's subprocessor for that customer-controlled GitHub environment.

Source-code boundary: in normal operation, repod does not clone repositories, retrieve repository contents, analyse source files, or process commit diffs, issue bodies, pull-request bodies, Actions logs, or build artifacts. The required core permissions do not include Repository Contents permission. If customer-provided GitHub credentials technically grant broader access than repod needs, the customer's documented instruction is limited to the metadata, access-control, and customer-authorised write operations described in this DPA unless a separate written instruction is agreed.

GitHub permission boundary: core sync, reporting, repo-to-team apply, and repository metadata workflows do not require Organization Members write and are not permissioned to create GitHub organization invitations. Optional Team management requires Organization Members write and should be enabled only where the customer accepts that elevated GitHub authority.

2. Processing Details

  • Subject matter: metadata-based GitHub access operations, governance reporting, access review, and authorised change workflows.
  • Duration: the term of the customer's repod account plus the retention and backup periods described in the Privacy Policy and retention schedule.
  • Nature of processing: collect, receive, store, retrieve, analyse, display, export, import, back up, secure, delete, and transmit GitHub organization metadata, access-control state, customer-submitted account data, and customer-authorised GitHub API changes.
  • Purpose: provide repod, maintain security, support troubleshooting, enforce plan limits, and perform customer-authorised GitHub access operations.
  • Data subjects: customer account users, GitHub organisation members, outside collaborators, contractors, maintainers, admins, support contacts, and billing contacts where present in customer data.
  • Personal data: GitHub login, GitHub IDs, email/name where available, organization membership, team names and membership, repository names and metadata, repository visibility/archive state, permission levels, audit records, change plans, account roles, support details, IP/log metadata, and customer-submitted GitHub credential configuration.
  • Excluded from normal processing: repository source files, full repository contents, commit diffs, issue and pull-request body text, Actions logs, build artifacts, and secrets, unless a customer deliberately submits that material to repod outside the normal GitHub sync flow.
  • Special category data: not intentionally requested or processed by repod.

3. Customer Instructions

Data Demon will process customer personal data only on documented customer instructions, including the Terms, this DPA, customer account configuration, GitHub connection settings, customer-authorised support requests, and other written instructions accepted by Data Demon.

If Data Demon believes a customer instruction infringes applicable data protection law, Data Demon will inform the customer unless the law prohibits doing so. Data Demon is not required to follow instructions that would require unlawful processing, compromise service security, or exceed the agreed service scope.

4. Confidentiality

Data Demon will ensure people authorised to process customer personal data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

5. Security Measures

Data Demon will maintain appropriate technical and organisational measures for the service, including account scoping, role-based access controls, CSRF protection for web forms, encrypted GitHub PAT and GitHub App private-key storage, audit logging, security headers, production MFA for privileged access, and vulnerability reporting. Current controls are summarised on the Security page.

Security measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer personal data. Data Demon may update measures as long as the overall level of protection is not materially reduced.

6. Subprocessors

The customer gives Data Demon general authorisation to use subprocessors needed to provide, secure, operate, bill, monitor, email, and improve repod. Data Demon will maintain a public Subprocessors page and will impose materially equivalent data-protection obligations on subprocessors used for processor data.

Data Demon remains responsible to the customer for subprocessor performance of Data Demon's processor obligations. Where reasonably practicable, Data Demon will give advance notice of material new subprocessors by updating the Subprocessors page and, for material changes affecting processor data, by in-app notice or email. Customers may object on reasonable data-protection grounds by contacting support@repod.dev. If the objection cannot be resolved, the customer may stop using the affected service feature or terminate the affected subscription in accordance with the Terms.

7. International Transfers

Where Data Demon initiates a restricted transfer of customer personal data, Data Demon will use an appropriate UK transfer mechanism, such as an applicable adequacy regulation, UK IDTA, UK Addendum to EU SCCs, or another lawful safeguard.

Data Demon will take reasonable steps to ensure transfer safeguards remain appropriate for the nature of the customer personal data processed by repod.

8. Rights Requests And Assistance

Data Demon will reasonably assist the customer with data-subject requests relating to processor data, taking into account the nature of the processing and the information available to Data Demon. Data Demon handles requests relating to its controller data directly through the Privacy Policy contact route.

If Data Demon receives a request directly that appears to relate to customer-controlled processor data, Data Demon may redirect the requester to the customer or notify the customer where appropriate, unless legally prohibited.

9. Personal Data Breach

Data Demon will notify the customer without undue delay after becoming aware of a personal data breach affecting customer processor data. Data Demon will provide reasonable information and assistance needed for the customer to assess notification obligations.

Notification will normally include the nature of the incident, affected data categories where known, likely consequences where known, measures taken or proposed, and a contact route for follow-up. Data Demon may provide information in phases as investigation progresses.

10. Assistance With Security, DPIAs, And Regulators

Taking into account the nature of processing and information available to Data Demon, Data Demon will provide reasonable assistance to help the customer meet obligations relating to security of processing, personal data breach assessment, data protection impact assessments, and prior consultation with a supervisory authority where the request relates to processor data handled by repod.

11. Return And Deletion

At account closure or on documented request, Data Demon will delete or return customer processor data unless legal, security, backup, or dispute-resolution obligations require limited retention. Backup deletion follows the published retention schedule.

Unless a different written agreement applies, Data Demon will delete or de-identify applicable live-service processor data within a reasonable period, normally within 30 days after validated account closure or deletion instruction. Data that remains in backups is protected from ordinary use and expires under the backup lifecycle. Data Demon may retain limited records where required for legal, security, accounting, dispute, or compliance purposes.

12. Audit Information

Data Demon will make reasonable information available to demonstrate compliance with this DPA, including relevant security, subprocessor, and processing information. Any audit must be proportionate, protect other customers and service security, avoid access to confidential information unrelated to the customer, and be subject to confidentiality and reasonable scheduling controls. On-site or third-party audits require reasonable advance notice and may be refused or limited where they would create security, confidentiality, legal, or operational risk.

13. Liability And Precedence

The liability limits and exclusions in the Terms apply to this DPA unless a separate written agreement says otherwise. Nothing in this DPA reduces rights or obligations that cannot be limited under applicable data protection law.

14. Contact

DPA questions: support@repod.dev.

© 2026 Data Demon Systems Limited. repod.dev is a business SaaS product for GitHub access operations.
Docs Pricing Contact Terms DPA Privacy Cookies Subprocessors Security Vulnerability Disclosure LinkedIn

Data Demon Systems Limited is registered in England and Wales with company number 16158110.

Help improve repod Allow session analytics so we can understand which workflows are useful. Optional analytics begins only after consent in production. Sensitive GitHub data is never sent. Privacy details