Data Processing Agreement
Effective Date: December 14, 2025
This Data Processing Agreement ("DPA") forms part of the agreement between Critical Context ("Processor," "we," "us") and the customer ("Controller," "you") for the use of our services. This DPA sets out the terms that apply when we process personal data on your behalf.
1. Definitions
In this DPA, the following terms have these meanings:
- "Controller" means the entity that determines the purposes and means of processing Personal Data (you, our customer).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (Critical Context).
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Security Incident" means any unauthorized access to, acquisition of, or disclosure of Personal Data.
- "Services" means the Critical Context platform and related services.
2. Scope of Processing
2.1 Subject Matter
This DPA applies to all Personal Data processed by Critical Context in connection with providing the Services.
2.2 Nature and Purpose
We process Personal Data for the following purposes:
- Providing code intelligence and AI-powered analysis services
- Storing and processing repository content for analysis
- Facilitating chat interactions and message storage
- Managing user accounts and authentication
- Processing payments and managing subscriptions
- Providing integrations with third-party services (GitHub, Slack)
- Sending service-related communications
2.3 Types of Personal Data
The following categories of Personal Data may be processed:
- Account information (name, email, username)
- Authentication data (hashed passwords, OAuth tokens)
- Repository content (which may contain Personal Data within code or comments)
- Chat messages and AI-generated responses
- Usage data and logs
- Payment information (processed by Stripe)
- IP addresses and session data
2.4 Categories of Data Subjects
Data Subjects may include:
- Your employees and contractors who use the Services
- Individuals whose data appears in your repository content
- End users of your embedded chat widgets
2.5 Duration
Processing will continue for the duration of the service agreement and as required thereafter for legal compliance and legitimate business purposes.
3. Controller Obligations
As Controller, you agree to:
3.1 Lawful Basis
- Ensure you have a valid lawful basis for all Personal Data processing
- Obtain any required consents from Data Subjects
- Provide appropriate privacy notices to Data Subjects
3.2 Data Accuracy
- Ensure Personal Data provided to us is accurate and up to date
- Promptly notify us of any corrections required
3.3 Instructions
- Provide clear and lawful processing instructions
- Ensure instructions comply with applicable data protection laws
3.4 Repository Content
- Review repository content before connecting to ensure it does not contain unauthorized Personal Data
- Remove sensitive Personal Data that should not be processed by the Services
- Ensure you have rights to share any Personal Data contained in repositories
3.5 End User Consent
If you use embedded chat widgets, you are responsible for:
- Obtaining appropriate consent from end users
- Providing privacy notices about data collection
- Honoring end user rights requests
4. Processor Obligations
As Processor, we agree to:
4.1 Processing Instructions
- Process Personal Data only on your documented instructions
- Inform you if we believe any instruction infringes applicable law
- Not process Personal Data for our own purposes except as required to provide the Services
4.2 Confidentiality
- Ensure personnel with access to Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need it to perform their duties
4.3 Security
- Implement appropriate technical and organizational measures to protect Personal Data
- Regularly review and update security measures
4.4 Sub-processor Management
- Only engage Sub-processors with your authorization
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for Sub-processor compliance
4.5 Assistance
- Assist you in responding to Data Subject requests
- Assist with data protection impact assessments when required
- Assist with regulatory consultations when required
4.6 Data Return and Deletion
- Upon termination, delete or return Personal Data at your request
- Provide certification of deletion upon request
- Retain data only as required by law
5. Security Measures
We implement the following security measures to protect Personal Data:
5.1 Technical Measures
- Encryption: Data encrypted at rest and in transit using industry-standard algorithms
- Access Controls: Role-based access controls and authentication requirements
- Network Security: Firewalls, intrusion detection, and network segmentation
- Monitoring: Logging and monitoring of system access and security events
- Vulnerability Management: Regular security assessments and patching
5.2 Organizational Measures
- Personnel Security: Background checks and security training for employees
- Access Management: Principle of least privilege for system access
- Incident Response: Documented incident response procedures
- Business Continuity: Backup and disaster recovery procedures
5.3 Multi-Tenant Considerations
IMPORTANT: Our Services operate on a multi-tenant architecture. While we implement logical separation measures:
- Customer data is stored on shared infrastructure
- We use database-level controls to separate customer data
- We cannot guarantee complete isolation of data
- Customers requiring physical isolation should use self-hosted options
6. Sub-processors
6.1 Authorized Sub-processors
You authorize our use of the following categories of Sub-processors:
| Category | Purpose | Data Processed |
|---|---|---|
| AI/LLM Providers | Code analysis and AI-powered responses | Repository content, chat messages |
| Cloud Infrastructure | Hosting and data storage | All customer data |
| Payment Processing | Subscription and billing management | Payment and billing information |
| Error Monitoring | Service reliability and debugging | Error logs, diagnostic data |
| Source Control Integration | Repository access and synchronization | OAuth tokens, repository metadata |
| Team Communication | Slack integration | OAuth tokens, messages |
6.2 Sub-processor Changes
We will notify you of any intended changes to Sub-processors. You may object to new Sub-processors within 30 days. If we cannot reasonably accommodate your objection, you may terminate the affected services.
6.3 Sub-processor Agreements
All Sub-processors are bound by data processing agreements that impose data protection obligations no less protective than this DPA.
7. International Data Transfers
7.1 Transfer Mechanisms
When Personal Data is transferred outside the European Economic Area, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms as appropriate
7.2 Additional Safeguards
We implement supplementary measures including:
- Encryption of data in transit and at rest
- Access controls limiting who can view data
- Contractual commitments from Sub-processors
7.3 Government Access
We will notify you of government requests for access to your data unless legally prohibited. We will challenge overly broad or unlawful requests.
8. Data Subject Rights
8.1 Assistance
We will assist you in responding to Data Subject requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
8.2 Response Timeline
We will respond to your requests for assistance within 10 business days. Complex requests may require additional time.
8.3 Direct Requests
If we receive a Data Subject request directly, we will redirect the Data Subject to you unless legally required to respond directly.
9. Data Breach Notification
9.1 Notification to Controller
We will notify you of any Security Incident affecting Personal Data without undue delay after becoming aware. For GDPR-regulated data, we aim to notify within 48 hours to allow you time to meet your 72-hour notification obligation.
9.2 Information Provided
Our notification will include, to the extent known:
- Nature of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Contact point for more information
- Likely consequences of the incident
- Measures taken or proposed to address the incident
9.3 Cooperation
We will cooperate with your investigation and provide reasonable assistance in meeting your regulatory notification obligations.
9.4 Limitation
Notification does not constitute an admission of fault or liability. The liability limitations in Section 11 apply to Security Incidents.
10. Audit Rights
10.1 Right to Audit
You have the right to audit our compliance with this DPA, subject to the following conditions:
- Provide at least 30 days written notice
- Audits limited to once per year unless required by a regulator
- Audits conducted during normal business hours
- Auditors bound by confidentiality obligations
10.2 Third-Party Audits
We may satisfy audit requests by providing:
- Third-party audit reports (SOC 2, ISO 27001, etc.) when available
- Completed security questionnaires
- Documentation of security measures
10.3 Costs
You bear the costs of audits you request. We bear the costs of providing documentation and participating in audits.
11. Liability
11.1 Liability Cap
Our total liability under this DPA shall not exceed the amount you paid us in the twelve (12) months preceding the claim. This cap applies to all claims, regardless of the form of action.
11.2 Exclusions
We shall not be liable for:
- Indirect, incidental, special, consequential, or punitive damages
- Loss of profits, revenue, data, or business opportunities
- Your failure to comply with your obligations under this DPA
- Data breaches resulting from your negligence or misconduct
- Claims by your end users or Data Subjects (you agree to indemnify us)
- Security incidents at Sub-processors beyond our reasonable control
11.3 Controller Indemnification
You agree to indemnify us against claims arising from:
- Your failure to obtain required consents
- Your unlawful processing instructions
- Personal Data in your repository content
- Claims by your end users related to embedded chat functionality
- Your failure to comply with data protection laws
12. Term and Termination
12.1 Term
This DPA remains in effect for the duration of your service agreement with us.
12.2 Survival
Provisions regarding liability, indemnification, and confidentiality survive termination.
12.3 Data Handling on Termination
Upon termination of services:
- We will delete or return Personal Data within 90 days of your request
- You must request data return before account deletion
- We may retain data as required by law or for legitimate business purposes
- We will provide certification of deletion upon request
12.4 No Data Hostage
We will not hold your data hostage in disputes. You may request data export at any time, regardless of payment status.
13. Contact
For questions about this DPA or data protection matters:
- Email: dpa@critical.cx
- Website: https://critical.cx
14. Amendments
We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be communicated via email to the account owner. Continued use of the Services after changes constitutes acceptance of the updated DPA.