Data Processing Addendum

Effective date: May 26, 2026

1. Overview

This Data Processing Addendum ("DPA") forms part of the agreement between Keyes AI, Inc. ("Keyes AI," "Processor") and the entity identified in the applicable order ("Customer," "Controller") for the provision of the GitDB platform (the "Service").

This DPA applies where and only to the extent that Keyes AI processes Personal Data on behalf of Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws of the European Economic Area (EEA), the United Kingdom, Switzerland, or other applicable jurisdictions.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • "Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Subprocessor" means a third party engaged by Keyes AI to process Personal Data on behalf of Customer.

3. Scope of processing

Keyes AI processes Customer Personal Data solely to provide the Service as described in the Terms of Service and as instructed by Customer. The categories of Personal Data processed and the purposes of processing are determined by Customer's use of the Service.

3.1 Categories of data subjects

  • Customer's employees, contractors, and authorized end users.
  • Individuals whose Personal Data may be included in Customer's repositories or content.

3.2 Types of Personal Data

  • Account information (name, email address).
  • Source code and repository content that may contain Personal Data.
  • Usage data and API access logs.

4. Obligations of Keyes AI

  • Process Personal Data only on documented instructions from Customer, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality.
  • Implement and maintain the technical and organizational security measures described in our Security Measures document.
  • Assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws.
  • Notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
  • Delete or return all Personal Data upon termination of the Service, at Customer's election, unless retention is required by applicable law.
  • Make available to Customer all information necessary to demonstrate compliance with obligations under this DPA and allow for audits.

5. Subprocessors

Customer authorizes Keyes AI to engage the Subprocessors listed on our Subprocessors page. Keyes AI will provide Customer with at least 30 days' advance notice before engaging a new Subprocessor. If Customer objects to a new Subprocessor within that period, the parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Service without penalty.

6. International data transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not provide an adequate level of data protection, Keyes AI will ensure appropriate safeguards are in place. These safeguards include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor).
  • UK International Data Transfer Addendum, where applicable.
  • Swiss-U.S. Data Privacy Framework certification, where applicable.

7. Audits

Customer may audit Keyes AI's compliance with this DPA up to once per year, with at least 30 days' written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Keyes AI's operations. Customer shall bear the costs of such audits unless the audit reveals a material breach by Keyes AI.

8. Duration and termination

This DPA shall remain in effect for the duration of Keyes AI's processing of Personal Data on behalf of Customer. Upon termination of the Service, Keyes AI will delete all Personal Data within 90 days, unless Customer requests return of data or retention is required by applicable law.

9. Execution

To execute this DPA, please contact us at legal@keyes.ai with your company name, contact information, and the GitDB services covered. We will provide a countersigned copy within five business days.