Data Processing Agreement (DPA)

Last updated: 2026-04-28 · Version: 1.0 · Article 28 GDPR

This Data Processing Agreement ("DPA") supplements your subscription agreement and applies whenever BestCoder processes personal data on your behalf as a processor, with you acting as controller.

Download the signed PDF

For procurement and legal review, download the standalone signed version:

Download DPA v1.0 (PDF, ~30 KB)

The PDF and this page have identical content; either can be relied upon. The PDF is the canonical artifact for procurement processes that require a single document.

1. Subject matter and duration

BestCoder processes personal data only for the purpose of providing the Service to you, for the duration of your subscription plus the 90-day post-cancellation grace period.

2. Nature and purpose of processing

  • Operating the BestCoder control plane (account, billing, project metadata, AI session orchestration).
  • Operating the BestCoder Agent on your machines (local file system access, Vault for your BYOK credentials).
  • Sending transactional emails (welcome, verify, reset, payment alerts).

3. Categories of data subjects

End-users of your account: the team members you invite, and any third parties you choose to include via webhooks or integrations.

4. Categories of personal data

Email, name, role, IP-derived metadata (hashed), payment metadata (via Stripe), project metadata. Source code, secrets, and AI prompts are processed locally by the Agent and never reach BestCoder.

5. Subprocessor list

The full list is at /legal/subprocessors. We notify you 30 days in advance of any subprocessor change; you may object on reasonable grounds and terminate the affected service if the change cannot be avoided.

6. Security measures

See /legal/security for the full technical and organisational measures (TOMs).

7. Data subject requests

You handle data subject requests as the controller. We will support you in responding to access, rectification, deletion, restriction, portability, and objection requests within 7 business days of your written request.

8. Data breach notification

We notify you of any confirmed personal data breach without undue delay and at the latest within 48 hours of becoming aware of it. The notification includes the nature of the breach, the categories of data and approximate number of records affected, the consequences, and the measures taken or proposed.

9. Audits

You may, at your cost and no more than once per year (or as required by a competent authority), audit our compliance with this DPA. Audits must be scheduled with 30 days' notice and conducted under NDA. We will provide ISO 27001 (in progress, target Q4 2026) and SOC 2 Type II reports in lieu of on-site audits whenever available.

10. International transfers

For each subprocessor outside the EU we have signed the Standard Contractual Clauses (SCC) Module 3 and conducted a Transfer Impact Assessment (TIA). Both are available on request.

11. Return and deletion

On termination of the underlying contract, we return or delete all personal data within 90 days, at your choice. Backups are automatically aged out within 35 days thereafter.

12. Liability

Liability under this DPA is governed by the limitations of the main agreement. No clause of this DPA reduces your statutory rights as a controller under GDPR.

13. Contact

DPO: dpo@bestcoder.app.