Data Processing Addendum

Legal agreement governing data processing

Effective date: upon your first use of the Services and thereafter for the term of your Agreement with Codegen.

Incorporation. This DPA forms part of, and is incorporated into, the Codegen Terms of Service (the "Agreement") and is referenced by the Privacy Policy. By using the Services, you agree that this DPA governs Codegen's Processing of Personal Data on your behalf.

Definitions

Capitalized terms not defined here have the meanings in the Agreement. The following defined terms are adopted verbatim from the underlying template: Applicable Data Protection Laws; CCPA; Controller Affiliate; Controller Purposes; Covered Data; Data Subject; Deidentified Data; EEA; GDPR; Member State; Personal Data; Processing; Security Incident; Services; Standard Contractual Clauses/SCCs; Sub-processor; Swiss Data Protection Laws; UK; US Data Protection Laws; Usage and Administration Data.

Interaction with the Agreement

This DPA supplements and, in case of conflict, supersedes the Agreement with respect to Processing of Covered Data.

Roles of the Parties

(a) Except as in 3(b), you act as Controller/Business and Codegen acts as Processor/Service Provider.

(b) For GDPR/Swiss DP Laws, Codegen acts as a controller for Usage and Administration Data processed for the Controller Purposes.

Details of Processing; Instructions

Processing details are in Schedule 1. Codegen will Process Covered Data only on Controller's documented instructions and in compliance with Applicable Data Protection Laws (excluding Usage/Administration Data processed per 3(b)). Prohibitions: no selling; no cross-context behavioral advertising; no use or disclosure beyond business purposes; no use outside the Parties' direct relationship; and no combining with other Personal Data except as permitted by law. Codegen will (i) provide information needed for any data protection assessments and (ii) notify if an instruction appears unlawful.

Controller Responsibilities

You will (i) provide required notices to Data Subjects, (ii) obtain any required consents (other than for Usage/Administration Data per 3(b)), and (iii) implement measures to effect Data Subject rights and respond within statutory timelines.

Confidentiality

Codegen limits access to Covered Data to personnel with a business need and binds them to confidentiality obligations no less protective than this DPA and the Agreement.

Sub-processors

  • Processing may occur where Codegen or its Sub-processors operate.
  • General authorization for Sub-processors listed in Schedule 4; written contracts with equivalent protections; Codegen remains liable.
  • Change notice: at least 15 days; Controller may object within 15 days. Parties will work in good faith to resolve; failing that within 15 days, Controller may terminate affected Services. Codegen will notify of any Sub-processor noncompliance.

Data Subject Requests

Codegen will (i) promptly notify you of Data Subject Requests, (ii) not respond except to direct the requester to Controller (unless instructed), and (iii) provide reasonable assistance.

Security

Codegen maintains appropriate technical and organizational measures considering the nature, scope, context, and risks, and at minimum those in Schedule 2.

Information & Audits

Codegen will notify if it can no longer meet its obligations. Controller may take reasonable steps to ensure compliant use and remediate unauthorized use. Audits: at least annually, on reasonable written notice, during normal business hours, without material disruption; third-party auditor permitted; scope/timing to be agreed. Controller will notify of any non-compliance; audit results are Codegen confidential information. Codegen may satisfy audits via certifications or documentation; if current (≤12 months) and with no material control changes, Controller agrees to accept them in lieu of on-site audits.

Security Incidents

Codegen will notify without undue delay upon becoming aware of a Security Incident, provide updates on nature, mitigation, and investigation status, and reasonably assist with legal obligations (including notifications). Notification/response is not an admission of fault.

Term; Deletion & Return

This DPA remains in force through deletion of all Covered Data. Within 30 days after Agreement expiry (the Retention Period), Codegen will provide a copy or self-service export on request; after the Retention Period, Codegen deletes Covered Data (except Usage/Administration Data processed for the Controller Purposes).

International Transfers; SCCs

The EU SCCs (2021/914) apply, and form part of this DPA, where required by law (including when exporter-jurisdiction laws require adequate safeguards). Execution/acceptance of the Agreement has the same effect as signing the SCCs. UK and Swiss addenda apply as set out in Schedule 3.

Deidentified Data

Where Codegen receives Deidentified Data, it will: (i) take reasonable measures to prevent association with a Data Subject, (ii) publicly commit to process only in deidentified form and not attempt reidentification, and (iii) bind recipients to the same.

General

Parties certify understanding and compliance. Any Agreement liability limitations do not apply to breaches of the SCCs. Parties will negotiate in good faith any amendments required by changes in Applicable Laws. (Signature blocks from the negotiated form are omitted because this DPA applies automatically via the Agreement.)

Schedule 1 — Details of Processing

A. Parties (for GDPR/EEA transfers)

Data Exporter: Controller entities in the EEA/UK/CH (and others where GDPR applies). Contact/DPO/representative details: supplied by Controller.

Data Importer: Codegen, Inc. — Contact: privacy@codegen.com; Address: 375 Alabama St, Suite 480, San Francisco, CA 94110; EU Representative (Art. 27 GDPR): DataRep, 27 Cork Street, Dublin 2, D02 TX94, Ireland. Activities: Processing Personal Data on Controller's behalf to provide the Services.

B. Description of Processing

Data Subjects: Controller employees/contractors; Controller's customers/personnel; marketing recipients; other authorized end users; individuals whose data appears in submitted content.

Personal Data: name, phone, email, IP, company, title, professional background, mailing address, GitHub username, Slack messages/metadata, source control metadata (commits, branches, diffs), task descriptions from tools (e.g., Linear/Jira), and other information submitted or generated through the Services.

Special Categories: N/A (none intentionally collected).

Frequency: continuous.

Subject matter/nature: receipt, indexing, analysis, transformation, storage, deletion of customer-provided code, messages, and related content to deliver AI assistant functionality; may include adaptation/aggregation/enrichment to fulfill support/automation requests.

Purpose: provision of Services to Controller.

Storage limitation: duration of this DPA unless earlier deleted per Controller request and law.

Sub-processors: https://codegen.com/subprocessors.

C. Competent Supervisory Authority

As specified by exporter establishment or representative; if non-established but in GDPR scope without representative, Ireland.

Schedule 2 — Technical and Organizational Measures (Minimum)

  1. Security program with dedicated personnel.
  2. Periodic audit/risk assessment and compliance monitoring.
  3. Encryption in transit over public/wireless networks and at rest/portable media.
  4. Logical segregation, least-privilege access, unique IDs/passwords, timely access revocation.
  5. Password policy (length, complexity, history, no plaintext storage, first-use reset).
  6. System/event logging and monitoring.
  7. Physical/environmental security for facilities hosting Personal Data.
  8. Secure configuration/maintenance; secure media/system disposal.
  9. Change management with testing/approval/tracking.
  10. Incident/problem management procedures.
  11. Network security (firewalls, IDS, traffic/event correlation).
  12. Vulnerability management, patching, anti-malware, scheduled monitoring.
  13. Business continuity/disaster recovery.

Schedule 3 — Cross-Border Transfer Mechanisms

EU SCCs.

  • Module One (C2C) applies to Codegen's Processing of Covered Data for the Controller Purposes; otherwise Module Two (C2P) applies.
  • Docking clause inapplicable; Clause 9(a) Option 2 (general authorization) with time period from §7.4; Clause 11(a) inapplicable.
  • Clause 17 governing law: Ireland; Clause 18 jurisdiction: courts of Ireland.
  • Annex I: see Schedule 1; Annex II: Schedule 2.

UK Addendum.

  • Incorporates ICO Addendum (vB.1.0) by reference; Addendum EU SCCs = SCCs above; Table 1 from Schedule 1; Appendix Information from Schedules 1–2; Table 4—importer termination right per §19; §16 excluded.

Swiss Addendum.

  • Reads SCCs consistent with Swiss law; replaces EU-specific references as required; competent authority = FDPIC; governing law = Switzerland; jurisdiction = Swiss courts (plus data subject forum).

Global Transfers under other laws.

  • SCCs read to avoid conflicts with exporter-jurisdiction law; amendments substitute references (e.g., GDPR/EU → exporter regime/jurisdiction; competent authority = exporter authority; Clauses 17–18 = exporter law/courts).
  • If an alternative approved mechanism supersedes the SCCs, parties will enter a supplementary agreement incorporating Schedules 1–2 and taking precedence for those transfers; exporter files where required.

Schedule 4 — Authorized Sub-processors

Current list: https://codegen.com/subprocessors (name, location, processing description; kept current).