Data Processing Agreement
Governing the processing of personal data by DevsHub on behalf of our customers.
Last updated: July 2025
1. Introduction & Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DevsHub Technologies W.L.L., a company registered in Doha, Qatar ("DevsHub," "Processor," "we," "us," or "our"), and the customer ("Customer," "Controller," "you," or "your") who uses the DevsHub Service. This DPA applies when DevsHub processes Personal Data on behalf of the Customer in the course of providing the Service.
This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Qatar Personal Data Privacy Protection Law (PDPPL), and other applicable data protection laws that require a written agreement between a controller and a processor governing the processing of Personal Data.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service. In this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by DevsHub on behalf of the Customer in connection with the Service.
- "Processing" means any operation performed on Personal Data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by DevsHub to process Personal Data on behalf of the Customer.
- "Data Protection Laws" means all applicable data protection and privacy laws, including the GDPR, UK GDPR, Qatar PDPPL, and any implementing or successor legislation.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), including any successor or amended versions.
3. Nature, Purpose & Duration of Processing
3.1 Subject Matter & Nature
The subject matter of the processing is the provision of the DevsHub Service — an autonomous AI software engineering platform that provisions ephemeral sandbox virtual machines for code execution, testing, and related development operations. The nature of processing includes:
- Authentication and authorization of users.
- Provisioning and orchestration of sandbox execution environments.
- Transmission of code and configuration data to sandbox VMs via encrypted tunnels.
- Storage of account information, usage metadata, and service logs.
- Processing of support requests and communications.
3.2 Purpose
The purpose of processing is solely to provide, maintain, secure, and improve the Service as described in the Terms of Service and as instructed by the Customer through their use of the Service.
3.3 Duration
Processing shall continue for the duration of the Customer's use of the Service (the term of the Terms of Service). Upon termination, Personal Data shall be deleted or anonymized in accordance with Section 10 of this DPA.
4. Categories of Data & Data Subjects
4.1 Categories of Personal Data
The Personal Data processed may include:
- Account Data: Name, email address, company name, job title, authentication credentials.
- Usage Data: IP addresses, timestamps, CLI command metadata, session identifiers, API call records.
- Communication Data: Content of emails, support tickets, and access request forms.
- Billing Data: Billing contact information, payment method metadata (full payment card numbers are processed exclusively by our payment processor and are never received or stored by DevsHub).
Important: DevsHub does not process Customer source code, repository contents, or sandbox terminal output as Personal Data. These are treated as Customer Confidential Information under the Terms of Service and are not retained beyond the active sandbox session.
4.2 Categories of Data Subjects
- Customer's employees, contractors, and authorized users of the Service.
- Individuals who communicate with DevsHub on behalf of the Customer (e.g., via support or access request emails).
5. Processor Obligations
DevsHub shall:
- Process only on documented instructions: Process Personal Data only on the Customer's documented instructions, which include the Terms of Service, this DPA, and the Customer's use of the Service features. If DevsHub is required by applicable law to process Personal Data beyond these instructions, we shall inform the Customer of that legal requirement before processing, unless prohibited by law.
- Ensure confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement security measures: Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in our Security page and Section 7 of this DPA.
- Assist with Data Subject rights: Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to Data Subject requests under Data Protection Laws.
- Assist with compliance: Assist the Customer in ensuring compliance with obligations regarding data security, data breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to DevsHub.
- Notify of breaches: Notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Customer Personal Data.
- Delete or return data: At the Customer's choice, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage.
- Make information available: Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
6. Sub-processors
6.1 Authorized Sub-processors
The Customer provides general written authorization for DevsHub to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is set forth in Annex A below.
6.2 Sub-processor Changes
DevsHub will notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least fourteen (14) days in advance via email to the address associated with the Customer's account. The Customer may object to a new Sub-processor within that notice period by providing written notice to [email protected]. If the Customer objects on reasonable grounds related to data protection, the parties shall work together in good faith to resolve the objection. If resolution is not possible, the Customer may terminate the affected portion of the Service without penalty.
6.3 Sub-processor Obligations
DevsHub shall impose data protection obligations on all Sub-processors that are at least equivalent to those set forth in this DPA. DevsHub remains fully liable to the Customer for the performance of any Sub-processor's obligations.
7. Technical & Organizational Measures
DevsHub implements and maintains the following technical and organizational measures to protect Personal Data:
- Encryption in Transit: TLS 1.3 for all network communications between clients, APIs, and infrastructure components.
- Encryption at Rest: AES-256 encryption for all persistent storage volumes and databases.
- Access Control: Role-based access control (RBAC), multi-factor authentication (MFA) for administrative access, and the principle of least privilege.
- Network Security: Firewall rules, VPC isolation, and egress filtering on sandbox environments.
- Ephemeral Processing: Sandbox VMs are single-tenant, ephemeral, and destroyed upon session completion. No cross-tenant data access is possible.
- Logging & Monitoring: Centralized security logging, anomaly detection, and automated alerting for suspicious activity.
- Vulnerability Management: Regular security assessments, dependency scanning, and prompt patching of identified vulnerabilities.
- Business Continuity: Regular backups of critical infrastructure configuration, and tested disaster recovery procedures.
- Personnel Security: Background checks for personnel with access to production systems, regular security awareness training, and confidentiality agreements.
8. International Data Transfers
DevsHub's primary infrastructure is hosted on Google Cloud Platform (GCP). The Customer may select the cloud region(s) in which their sandbox environments are provisioned. Personal Data may be transferred to and processed in:
- The State of Qatar (where DevsHub is headquartered).
- Cloud regions selected by the Customer (e.g., GCP us-central1, europe-west4).
- Countries where Sub-processors operate (as listed in Annex A).
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, DevsHub relies on:
- The EU Standard Contractual Clauses (SCCs), Module Two (Controller-to-Processor), which are incorporated by reference into this DPA.
- The UK International Data Transfer Addendum to the EU SCCs, where applicable.
- Any other valid transfer mechanism recognized under applicable Data Protection Laws.
Upon request, DevsHub will provide the Customer with a signed copy of the applicable SCCs.
9. Audit Rights
Upon the Customer's written request and no more than once per calendar year (unless required by a supervisory authority or following a confirmed Personal Data breach), DevsHub shall make available to the Customer information necessary to demonstrate compliance with this DPA. This may include:
- Summary reports of independent third-party security assessments or certifications (when available).
- Responses to a written security questionnaire, subject to reasonable scope limitations.
If the information provided is insufficient to demonstrate compliance, the Customer may request an on-site audit at the Customer's expense. Audits must be:
- Conducted during normal business hours.
- Limited in scope to DevsHub's processing of Personal Data on behalf of the Customer.
- Subject to reasonable confidentiality obligations.
- Scheduled with at least thirty (30) days' advance written notice.
10. Data Deletion & Retention
Upon termination of the Service or at the Customer's written request:
- DevsHub shall, at the Customer's election, delete or return all Personal Data processed on behalf of the Customer.
- Deletion shall be completed within thirty (30) days of termination or request.
- DevsHub may retain Personal Data to the extent required by applicable law, provided that such data remains protected in accordance with this DPA and is not processed for any other purpose.
- Sandbox execution data (code, files, terminal state) is ephemeral by design and is destroyed immediately upon session completion. No retention or deletion action is required for this data.
11. Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service. Notwithstanding the foregoing, nothing in this DPA limits either party's liability for:
- Breaches of its obligations under Data Protection Laws for which liability cannot be limited by contract.
- Death or personal injury caused by negligence.
- Fraud or fraudulent misrepresentation.
12. Relationship with Terms of Service
This DPA is supplementary to and forms an integral part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail. Except as modified by this DPA, the Terms of Service remain in full force and effect.
13. Contact
For questions about this DPA or to exercise any rights under it, please contact:
- Data Protection Officer: [email protected]
- Legal: [email protected]
Annex A — Sub-processors
The following Sub-processors are engaged by DevsHub to assist in providing the Service. This list is current as of the "Last updated" date above.
| Sub-processor | Service Provided | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure (compute, storage, networking) | Account data, usage data, service logs | Customer-selected regions (default: us-central1) |
| Stripe, Inc. | Payment processing | Billing contact information, payment method metadata | United States (EU data via Stripe's EU entity where applicable) |
| Resend, Inc. | Transactional email delivery | Email address, email content | United States |
Note: If the Customer uses the Bring Your Own Cloud (BYOC) option, the Customer's own cloud provider (AWS, GCP, or other) is not a Sub-processor of DevsHub. The Customer acts as the controller and processor in relation to that infrastructure.
To receive notifications of Sub-processor changes, ensure your account email address is current. You may also contact [email protected] to request the current Sub-processor list at any time.