Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the master agreement (“Master Agreement”) between DEGU LABS, INC. with an address at 440 N Barranca Ave, #4556, Covina, CA 91723 (“Processor,” “Degu Labs”) and [Customer Legal Name], [Customer Address] (“Controller” or “Customer”).
This DPA governs the processing of Personal Data by Degu Labs on behalf of Customer.
Effective Date: [Date]
1. Definitions
- “Applicable Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, and any other applicable privacy laws.
- “Personal Data” means information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data.
- “Test Artifacts” means videos, logs, traces, screenshots, and any similar data uploaded or transmitted by Customer.
- “Subprocessor” means a third-party service provider engaged by Degu Labs to process Personal Data.
2. Roles of the Parties
Customer is the Controller.
Degu Labs is the Processor.
Processor will process Personal Data only in accordance with:
- Customer’s documented instructions
- The Master Agreement
- This DPA
3. Controller Responsibilities
Customer shall:
- Ensure Personal Data is collected lawfully.
- Not upload Prohibited Data, including but not limited to:
  - HIPAA PHI
  - PCI cardholder data
  - Children’s data under age 13
  - Classified or regulated government data
- Ensure individuals are informed about data processing.
- Respond to Data Subject Requests for which Customer is responsible.
- Secure Customer’s own systems and infrastructure.
Degu Labs is not responsible for Customer’s accidental ingestion of prohibited or sensitive data.
4. Processor Obligations
4.1 Processing on Instructions
Degu Labs processes Personal Data only:
- To provide the Service
- In accordance with Customer instructions
- As required by law
4.2 Confidentiality
Degu Labs ensures personnel accessing Personal Data are bound by confidentiality obligations.
4.3 Security Measures
Degu Labs maintains appropriate technical and organizational security measures, including:
- Encryption in transit
- Role-based access controls
- Environment isolation
- Logging and monitoring
- Network security (Cloudflare)
- Secure hosting (Hetzner)
See Schedule 2 for details.
4.4 Subprocessor Management
Degu Labs will:
- Use only approved subprocessors
- Impose data protection obligations on subprocessors
- Notify Customer of material changes where required by law or contract
4.5 Assistance
Degu Labs will reasonably assist Customer with:
- Data Subject Requests
- Security incidents
- Data Protection Impact Assessments (where required)
4.6 Data Deletion or Return
Upon termination of the Service:
- Degu Labs will delete or return Personal Data upon written request
- Metadata and aggregated analytics may be retained indefinitely unless restricted by law
5. Data Breach Notification
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach.
Notification will include (where known):
- Nature of the breach
- Categories of affected data subjects
- Likely consequences
- Mitigation measures
Processor is not responsible for breaches arising from Customer’s systems.
6. International Transfers
Processor may transfer Personal Data internationally, including to the U.S.
Transfers are safeguarded using:
- Standard Contractual Clauses (SCCs)
- UK Addendum
- Other legally recognized mechanisms
7. Audit Rights
Customer may conduct audits:
- No more than once annually (unless required by law)
- With reasonable notice
- Primarily via questionnaire or remote audit
Onsite audits must:
- Be limited in duration and scope
- Not disrupt operations
- Be at Customer’s expense
8. Liability
Liability is governed by the Master Agreement.
Degu Labs is not liable for:
- Misuse of the Service by Customer
- Customer’s ingestion of Prohibited Data
- Security failures in Customer-managed environments
- Indirect, consequential, or punitive damages
9. Term and Termination
This DPA remains effective:
- For the duration of the Master Agreement
- Until Processor deletes or returns Personal Data per Customer request
Upon termination:
- Test Artifacts are deleted according to retention settings in the Subscription Plan
- Metadata and aggregates may be retained indefinitely
SCHEDULE 1
Subprocessors
| Subprocessor | Purpose |
|---|---|
| Hetzner | Hosting and compute infrastructure |
| Cloudflare | CDN, network security, DDoS protection |
| Stripe | Payment processing |
SCHEDULE 2
Technical & Organizational Measures (TOMs)
Organizational Measures
- Employee confidentiality agreements
- Role-based access management
- Security and privacy training
Technical Measures
- TLS encryption
- Network perimeter and traffic filtering
- Environment and tenant isolation
- Secure build and deployment pipelines
- Vulnerability scanning
- Logging and audit trails
- Containerized workloads with security policies
Availability & Resilience
- Redundant infrastructure layers
- Monitoring and alerting
- Incident response protocols
SCHEDULE 3
Categories of Data & Processing Purposes
Categories of Personal Data
- Account information (name, email)
- IP address and region
- Usage metadata
- Personal data incidentally included in Test Artifacts
Data Subjects
- Customer employees
- Customer contractors
- End-users captured in Test Artifacts (if applicable)
Processing Purposes
- Operating the Service
- Processing Test Artifacts
- Generating analytics
- Troubleshooting and support
- Security and reliability improvements
CONTACT
For privacy matters:
privacy@degulabs.com
legal@degulabs.com
Degu Labs, Inc.
440 N Barranca Ave, #4556
Covina, CA 91723