Data Processing Agreement
Last updated: March 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CHKDSK Labs ("Processor," "we," "us") and the user of Ridge Sight ("Controller," "you"). This DPA governs the processing of personal data in connection with your use of the Ridge Sight service, in compliance with Regulation (EU) 2016/679 (the "GDPR") and applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" ("SCCs") means the contractual clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller solely to provide the Ridge Sight service — a pull request dashboard that aggregates and displays GitHub pull request data, provides optional AI-powered insights, and supports team collaboration features.
2.2 Categories of Personal Data
| Category | Data Elements | Legal Basis |
|---|---|---|
| Account identifiers | GitHub user ID, username, display name, avatar URL | Contract performance (Art. 6(1)(b)) |
| Authentication credentials | OAuth access token, refresh token (encrypted at rest) | Contract performance |
| Repository metadata | Repository names, owners, IDs; PR titles, numbers, URLs, authors, labels, status | Contract performance |
| User preferences | Selected repos, saved/dismissed PRs, notification settings, AI model selection | Contract performance |
| Notification credentials | Slack webhook URLs, Pushover API keys (encrypted at rest) | Consent (Art. 6(1)(a)) |
| Payment identifiers | Stripe customer ID, subscription ID (no card data) | Contract performance |
| Usage data | API request metrics (anonymized), usage counters, audit log entries | Legitimate interest (Art. 6(1)(f)) |
2.3 Categories of Data Subjects
Users of the Ridge Sight service who authenticate via GitHub OAuth.
2.4 Duration of Processing
Processing continues for the duration of the Controller's use of the Service. Upon account deletion or GitHub App uninstallation, Personal Data is anonymized in accordance with our Privacy Policy data retention schedule.
3. Obligations of the Processor
- Lawful processing — Process Personal Data only on documented instructions from the Controller (i.e., through the Controller's use of the Service), unless required by applicable law.
- Confidentiality — Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security measures — Implement appropriate technical and organizational measures as described in Section 4 of this DPA.
- Sub-processor management — Engage Sub-processors only with prior notification to the Controller and subject to equivalent data protection obligations (see Section 6).
- Data Subject rights — Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) through the Service's built-in features and, where necessary, additional assistance.
- Breach notification — Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach, providing details required under GDPR Article 33(3).
- Data return and deletion — Upon termination of the Service, delete or return all Personal Data to the Controller at the Controller's choice, subject to applicable law requiring retention.
- Audit support — Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.
4. Technical and Organizational Security Measures
The Processor implements the following measures to protect Personal Data:
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for tokens and credentials; Neon database-level encryption |
| Encryption in transit | TLS/HTTPS on all connections; HSTS preload enabled |
| Access control | Row-Level Security (RLS) on all user-data tables; session-based authentication with SHA-256 hashed tokens |
| Input validation | Centralized Zod schema validation on all API endpoints |
| Webhook verification | HMAC-SHA256 with constant-time comparison for GitHub and Stripe |
| Content Security Policy | Nonce-based CSP via middleware; additional security headers |
| Audit logging | Structured audit log for sensitive operations: merges, comments, account deletions, AI model changes, inference events |
| Data minimization | Only PR metadata sent to AI providers; no source code; Zero Data Retention policy |
| Automated cleanup | Daily cron cleans expired sessions, stale counters, old dismissed PRs, and metrics |
| Account deletion | Full anonymization flow: identifiers scrubbed, credentials deleted, sessions terminated, audit logged |
5. International Data Transfers
The Service is hosted in the United States via Vercel and Neon. Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland may be transferred to the United States. For such transfers, the Processor relies on the following mechanisms:
5.1 EU Standard Contractual Clauses (SCCs)
The Processor incorporates by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary safeguard for international data transfers. The applicable module depends on the relationship:
- Module Two (Controller to Processor) — applies to the transfer of Personal Data from the Controller (you) to the Processor (CHKDSK Labs) for hosting and processing within the Service.
- Module Three (Processor to Sub-processor) — applies to onward transfers from the Processor to Sub-processors listed in Section 6.
5.2 Supplementary Measures
In addition to the SCCs, the Processor implements the following supplementary measures as recommended by the EDPB:
- End-to-end encryption for sensitive credentials (AES-256-GCM)
- Data minimization — only necessary metadata is processed
- Zero Data Retention agreements with all AI model providers
- Pseudonymization of usage metrics (user ID removed from API request metrics on account deletion)
- Geographic processing constraints — the Service operates exclusively on Vercel's US infrastructure with Neon US-region databases
6. Sub-Processors
The Processor engages the following Sub-processors. The Controller is deemed to have provided general authorization for these Sub-processors. The Processor will notify the Controller of any changes to this list via updates to this page.
| Sub-Processor | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| GitHub, Inc. | United States | Authentication, repository & PR data | OAuth tokens, user profile, repository/PR metadata | EU SCC |
| Neon, Inc. | United States | Database hosting | All stored application data (encrypted at rest) | EU SCC + SOC 2 |
| Stripe, Inc. | United States | Payment processing | Customer ID, subscription status, metered usage quantities | EU SCC + PCI DSS |
| Vercel, Inc. | United States | Application hosting, CDN, serverless compute | HTTP request metadata, application execution | EU SCC |
| AI Model Providers (via Vercel AI Gateway) | Various (US/EU) | AI inference for PR risk analysis (opt-in) | PR metadata only (no source code); Zero Data Retention | EU SCC via Vercel AI Gateway |
| Slack Technologies, LLC | United States | Optional notification delivery | Alert digest summaries (counts only, no PR details) | EU SCC |
| Superblock, Inc. (Pushover) | United States | Optional push notification delivery | Alert digest summaries (counts only) | EU SCC |
| Functional Software, Inc. (Sentry) | United States | Error monitoring and performance tracking | Error messages, stack traces, request metadata (no PII) | EU SCC + DPA |
Each Sub-processor is bound by data protection obligations no less protective than those in this DPA. The Processor conducts due diligence on Sub-processors before engagement and monitors compliance on an ongoing basis.
7. Data Subject Rights
The Processor assists the Controller in fulfilling Data Subject rights requests through the following built-in features:
| Right (GDPR Article) | Implementation |
|---|---|
| Access (Art. 15) | Data export feature in dashboard Settings → "Export My Data" downloads all stored Personal Data as JSON |
| Rectification (Art. 16) | Account data syncs from GitHub; update your GitHub profile to correct it |
| Erasure (Art. 17) | Dashboard Settings → "Delete Account" anonymizes all identifiable data |
| Restriction (Art. 18) | Users can disable AI insights, notifications, or deselect repositories |
| Portability (Art. 20) | Data export feature provides machine-readable JSON export |
| Objection (Art. 21) | Users can opt out of all optional processing (AI, notifications); core processing is based on contract performance |
For requests that cannot be fulfilled through self-service features, contact us at jay@chkdsklabs.io.
8. Data Breach Notification
- The Processor will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a Personal Data breach.
- Notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- The Processor maintains an incident response process documented in the AI Risk Assessment (Section 9) and SECURITY.md.
9. Term and Termination
- This DPA is effective for the duration of the Controller's use of the Service.
- Upon termination, the Processor will, at the Controller's choice: (a) return all Personal Data via the data export feature, or (b) delete all Personal Data via the account deletion process.
- The Processor will certify deletion upon request, except where retention is required by applicable law.
- Obligations under this DPA survive termination to the extent they relate to Personal Data still held by the Processor.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of the European Union in respect of GDPR obligations. For Data Subjects in specific EU/EEA member states, the competent supervisory authority is determined by the Data Subject's habitual residence or place of work. All other aspects of this DPA are governed by the same law as the Terms of Service.
11. Contact Information
For questions about this DPA or to exercise your data protection rights:
- Email: jay@chkdsklabs.io
- GitHub: Open an issue on our GitHub repository