Data Processing Agreement (DPA)
Last updated: April 25, 2026
Need a countersigned DPA for enterprise procurement?
This page describes our standard DPA terms. Enterprise customers requiring a formally executed (countersigned) DPA for their procurement process should email us directly. We aim to return a signed copy within 2 business days.
This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy between you (the "Controller") and Governer (the "Processor") with respect to the processing of personal data through the Service.
This DPA is entered into in accordance with GDPR Article 28(3) and applies where Governer processes personal data on behalf of the Controller.
1. Definitions
- "Personal Data" has the meaning given in GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data.
2. Scope of Processing
Governer processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service. Specifically:
- Subject matter: AI governance scanning and website compliance analysis.
- Duration: For the term of the service agreement.
- Nature and purpose: Automated scanning, analysis, and report generation.
- Types of Personal Data: Account information (name, email), usage data, and any personal data contained in code or content submitted for scanning.
- Categories of Data Subjects: Users of the Service and individuals referenced in scanned content.
3. Obligations of the Processor
Governer shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see our Security page).
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, etc.).
- Notify the Controller without undue delay (within 48 hours) upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data at the end of the service relationship, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Sub-Processors
The Controller authorises the use of the following Sub-Processors:
- Supabase Inc. (US) — Database hosting and authentication.
- Netlify Inc. (US) — Website hosting and CDN.
- Groq Inc. (US) — AI inference (temporary processing, no data retention).
- PostHog Inc. (EU/Germany) — Product analytics (anonymised, opt-in only).
- GitHub / Microsoft (US) — OAuth and repository integration.
Governer shall notify the Controller at least 14 days before adding or replacing a Sub-Processor. The Controller may object to any new Sub-Processor within 14 days of notification.
5. International Transfers
Where Personal Data is transferred outside the EEA, Governer ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
6. Security Measures
Governer implements the following measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Row Level Security (RLS) isolating customer data.
- Regular security reviews and vulnerability assessments.
- Access controls with multi-factor authentication for production systems.
- Incident response procedures with 48-hour breach notification.
7. Data Breach Notification
In the event of a Personal Data breach, Governer shall notify the Controller within 48 hours of becoming aware, providing:
- Nature of the breach, including categories and approximate number of Data Subjects affected.
- Contact point for further information.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
8. Termination
Upon termination of the Service, Governer shall, at the Controller's choice, delete or return all Personal Data within 30 days and provide written certification of deletion.
9. Contact
For DPA-related enquiries: legal@governer.dev
To request a signed copy of this DPA, email legal@governer.dev with your company name and account details.