Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between you ("Customer", "Controller") and BattleHarden, operated by Michael Miller ("Processor").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the BattleHarden service. This DPA is designed to comply with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
• "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
• "Controller" means the Customer who determines the purposes and means of processing Personal Data.
• "Processor" means BattleHarden (operated by Michael Miller), which processes Personal Data on behalf of the Controller.
• "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the BattleHarden code analysis service, including:

• Authenticating and managing Customer accounts.
• Cloning and analyzing source code repositories submitted by the Customer.
• Generating and delivering security scan reports.
• Processing subscription payments.
• Sending transactional communications related to the Service.

3. Duration

This DPA remains in effect for the duration of the Customer's subscription to the Service. Processing of Personal Data will continue until the Agreement is terminated and all Personal Data is deleted or returned in accordance with Section 10.

4. Types of Personal Data Processed

• Email addresses (for account authentication and communication).
• Repository URLs submitted for scanning.
• Commit metadata visible in scanned repositories (author names, email addresses, timestamps) — accessed during analysis but not stored.
• Payment information (processed by Stripe; never stored on our servers).
• IP addresses and browser metadata (collected by Vercel for hosting).

Note: Source code is not Personal Data in most cases. Repository clones are temporary and deleted immediately after scanning. We do not retain copies of your codebase.

5. Categories of Data Subjects

• Customer (the account holder).
• Customer's developers and team members (whose commit metadata may appear in scanned repositories).
• Third-party contributors to open-source repositories scanned by the Customer (whose commit metadata may appear in scanned repositories).

6. Processor Obligations

The Processor shall:

• Process on documented instructions only. Process Personal Data only on the documented instructions of the Controller (i.e., as described in this DPA and the Agreement), unless required by applicable law. If legally compelled to process data beyond the Controller's instructions, the Processor will notify the Controller before processing (unless prohibited by law).
• Confidentiality. Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security measures (Article 32). Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  • TLS 1.3 encryption for all data in transit.
  • Encrypted database storage (managed by Supabase).
  • Isolated, ephemeral scan environments with no persistent storage.
  • HMAC-signed and JWT-authenticated access to reports.
  • In-memory-only handling of GitHub tokens (never persisted).
• Sub-processor management. Not engage another processor without prior written consent of the Controller. The current list of authorized sub-processors is available on our Security page. The Controller consents to the sub-processors listed there as of the effective date of this DPA. The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
• Data subject rights. Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection).
• Breach notification. Notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach, providing sufficient information for the Controller to meet its obligations under Articles 33 and 34 GDPR.
• Data Protection Impact Assessments. Assist the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities where required under Articles 35 and 36 GDPR.
• Deletion or return. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage. Account deletion removes all associated data.
• Audit rights. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. Audit requests should be directed to privacy@battleharden.dev.

7. Sub-processors

The following sub-processors are authorized to process Personal Data on behalf of the Controller:

Each sub-processor is bound by data processing terms no less protective than those in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

8. International Transfers

Personal Data may be transferred to and processed in the United States, where the Processor and its sub-processors are located. These transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

Where required, the Processor will execute the Standard Contractual Clauses with the Controller as Module Two (Controller to Processor). Copies of applicable SCCs can be requested by emailing privacy@battleharden.dev.

9. Data Breach Procedures

In the event of a Personal Data breach, the Processor shall:

• Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
• Provide the Controller with sufficient information to enable the Controller to notify the relevant supervisory authority within 72 hours (GDPR Article 33), including: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach.
• Cooperate with the Controller in notifying affected Data Subjects where required (GDPR Article 34).
• Take immediate steps to contain, investigate, and remediate the breach.
• Provide a post-incident report documenting root cause, impact, and preventive measures.

10. Term and Termination

This DPA is effective from the date the Customer begins using the Service and remains in effect until the Agreement is terminated.

• Upon termination, the Processor will delete all Personal Data within 30 days, unless applicable law requires continued storage.
• The Controller may request deletion at any time by deleting their account or by emailing privacy@battleharden.dev.
• Sections 6 (Processor Obligations), 8 (International Transfers), and 9 (Data Breach Procedures) survive termination.

11. Enterprise Customers

This is a self-serve DPA applicable to all BattleHarden customers. Enterprise customers requiring a custom, negotiated DPA with additional terms (e.g., specific security requirements, audit schedules, or data residency commitments) may contact us at privacy@battleharden.dev to discuss.

12. Contact

For questions about this DPA or to exercise any rights described herein: