Effective date: February 23, 2026 | Last updated: March 10, 2026
Why this agreement exists
When you use GitHits, we may process personal data on your behalf — for example, when your users submit queries that contain personal information, or when we generate outputs that reference identifiable individuals. Data protection laws such as the GDPR require a written agreement between the party that controls the data (typically you, the customer) and the party that processes it on your behalf (GitHits). This Data Processing Agreement (“DPA”) is that written agreement. It defines each party’s responsibilities, describes the safeguards we apply, and ensures that we handle your data in compliance with applicable privacy laws.
This DPA forms part of the agreement between GitHits, Inc. (“GitHits,” “we,” “us,” or “our”) and the customer identified in the applicable order form or agreement (“Customer” or “you”), covering your use of the Service. It forms part of the GitHits Legal Framework, which also includes the Terms of Service, Privacy Policy, Cookie Policy, and Subprocessor List.
Capitalized terms that this document does not define have the meaning that the Agreement provides.
1. Definitions
The “Agreement” means the GitHits Terms of Service or other applicable agreement between you and GitHits that governs your use of the Service.
The “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) and its implementing regulations.
“Customer Personal Data” means all Personal Data that (i) you or someone acting on your behalf provides to GitHits through use of the Service (including Inputs), or (ii) GitHits generates on your behalf through the Service (including Outputs), to the extent such data constitutes Personal Data. For clarity, Customer Personal Data as used in this DPA covers Personal Data contained in both Inputs and Outputs. The term “Customer Content” as used in the Terms of Service refers to content that you provide and does not include Outputs.
“Data Protection Requirements” means the applicable obligations that the GDPR, any subordinate legislation or regulations implementing the GDPR, the CCPA, and any other applicable laws, regulations, and other legal requirements impose on either party, and that relate to (i) privacy and data security, or (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
The “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, together with the UK GDPR as section 3(10) of the Data Protection Act 2018 defines it, each as amended from time to time.
A “GitHits Affiliate” means any entity that controls GitHits, that GitHits controls, or that shares common control with GitHits.
“Instructions” means the activities you instruct GitHits to perform as Processor acting on your behalf.
A “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that GitHits processes on your behalf.
The “Standard Contractual Clauses” or “SCCs” refer to three instruments depending on the applicable law. Where the GDPR applies, they are the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (the “EU SCCs”). Where the UK GDPR applies, they are the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” that the Information Commissioner issued under s.119A(1) of the Data Protection Act 2018 (the “UK Addendum”). Where the Swiss Data Protection Act (“Swiss DPA”) applies, they are the applicable standard data protection clauses that the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued, approved, or otherwise recognized (the “Swiss SCCs”).
The “Service” has the meaning that the Agreement (GitHits Terms of Service) gives it.
A “Subprocessor” means a third-party Processor that GitHits retains to process Customer Personal Data.
The “Subprocessor List” means the list of Subprocessors that the GitHits website or documentation, or a successor location, identifies.
The terms “Controller,” “Data Subject,” “Personal Data,” “Process,” and “Processor” have the meanings that the GDPR ascribes to them.
2. Scope and Order of Precedence
This DPA applies to all aspects of the Service in which GitHits processes Customer Personal Data. If any conflict or inconsistency exists between the terms of this DPA and any other terms in the Agreement, the terms of this DPA will prevail and supersede any conflicting provisions with respect to the processing of Customer Personal Data.
3. Processing Roles and Responsibilities
3.1 Roles
You are the Controller of Customer Personal Data, and GitHits is the Processor of that data. There are two exceptions: (i) if you are yourself a Processor of the Customer Personal Data, then GitHits is a Subprocessor; and (ii) GitHits is an independent Controller when processing Customer Personal Data for the purposes that Section 3.3 lists.
3.2 Your processing instructions to GitHits
You instruct GitHits, acting as Processor on your behalf, to perform the following activities. GitHits will operate, maintain, and update the Service as you or your users configure and use it, including troubleshooting and keeping the Service performant while enhancing user productivity, reliability, efficacy, quality, privacy, accessibility, and security. GitHits will process Customer Personal Data as the Agreement sets out, as Annex I to the Standard Contractual Clauses describes (where applicable), and as directed by any other documented instruction that you provide and that GitHits acknowledges in writing as constituting instructions for purposes of this DPA. GitHits will process Customer Personal Data only in accordance with your documented Instructions, unless EU or Member State law to which GitHits is subject requires GitHits to process the data for another reason. In that case, GitHits will inform you of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
3.3 GitHits’ independent processing of data
GitHits processes some Customer Personal Data as an independent Controller. GitHits conducts such processing in compliance with Data Protection Requirements generally, and the GDPR specifically, and in a manner consistent with the purposes that the GitHits Privacy Policy outlines. Those purposes, restated here for transparency and convenience, are as follows. GitHits manages accounts, billing, customer relationships, and related customer correspondence. GitHits complies with legal obligations, including responding to Data Subject requests for Personal Data that GitHits processes as Controller (for example, website data), fulfilling tax requirements, managing agreements, and resolving disputes. GitHits detects, prevents, and protects against abuse, and scans to detect violations of the Terms of Service. GitHits creates aggregated statistical data for internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy).
GitHits will not use or otherwise process Customer Personal Data for user profiling, advertising or similar commercial purposes, data selling or brokering, or any other purpose beyond those set out in this section. You agree that GitHits may conduct this processing.
GitHits does not use Customer Personal Data, Inputs, or Outputs to train foundational machine learning models, whether proprietary or third-party. If GitHits offers an opt-in mechanism that permits the use of de-identified queries and related Outputs to improve GitHits’ own service quality and safety (as the Privacy Policy and Terms of Service describe), such use applies only where you have expressly opted in and is limited to tuning, evaluation, and safety improvements — not training foundational models.
3.4 Lawfulness of instructions
You bear responsibility for ensuring that your Instructions comply with Data Protection Requirements. GitHits is not responsible for determining what laws or regulations apply to your business, or for determining whether your use of the Service meets the requirements of such laws. You will ensure that processing Customer Personal Data in accordance with your Instructions will not cause GitHits to violate any law or regulation, including Data Protection Requirements. GitHits will immediately inform you if it becomes aware, or reasonably believes, that your Instructions violate any applicable data protection law or regulation.
3.5 Prohibited data categories
You will not submit to the Service any special categories of Personal Data as Article 9 of the GDPR defines them (for example, data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data for identification purposes), payment card numbers subject to PCI-DSS, or government-issued identification numbers, unless GitHits has expressly agreed in writing to process such data. If you submit prohibited data categories in violation of this section, you bear sole responsibility for any consequences, and GitHits has no obligation to apply processing safeguards beyond those this DPA describes. Your indemnification obligations under the Agreement apply to any claims, losses, or damages arising from your breach of this section, and the liability limitations in Section 13 do not cap your liability for such breach.
3.6 Additional instructions
The parties will agree to additional instructions outside the scope of the Agreement or DPA in writing.
3.7 Disclosure of Customer Personal Data
GitHits will not disclose or provide access to any Customer Personal Data unless your Instructions authorize the disclosure, this DPA describes the disclosure, or law requires the disclosure. GitHits will not disclose or provide access to any Customer Personal Data to law enforcement unless law requires or legal process compels such disclosure. GitHits will direct requests by law enforcement for Customer Personal Data to you where possible. GitHits will contact you if legal process compels disclosure of your Customer Personal Data and will provide a copy of the legal process compelling the disclosure, unless law prohibits GitHits from doing so.
3.8 Data Subject rights
If GitHits receives a request from one of your Data Subjects pertaining to the Service where GitHits functions as your Processor or Subprocessor, GitHits will redirect the Data Subject to you. Taking into account the nature of the processing, GitHits will assist you through appropriate technical and organizational measures, insofar as this is possible, to fulfil your obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (Articles 15–22). You are solely responsible for responding to these requests. You will use the Service’s self-service features to fulfil Data Subject requests to the extent the Service supports them. To the extent that fulfilling a request requires GitHits to expend material resources beyond providing standard self-service functionality, GitHits may charge a reasonable fee based on GitHits’ administrative costs.
3.9 Assistance with data protection obligations
Taking into account the nature of the processing and the information available to GitHits, GitHits will assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR (or equivalent provisions under applicable Data Protection Requirements). This assistance covers obligations relating to the security of processing, notification of a Security Incident to the supervisory authority and to Data Subjects, data protection impact assessments, and prior consultation with supervisory authorities.
4. Confidentiality
GitHits will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. These confidentiality obligations survive the termination of the personnel’s engagement with GitHits.
5. Security
GitHits will implement and maintain appropriate technical and organizational measures and security safeguards as Annex II sets out, to ensure a level of security appropriate to the risk. These measures will include, as appropriate, the following. GitHits will pseudonymize and encrypt Personal Data where appropriate. GitHits will ensure the ongoing confidentiality, integrity, availability, and resilience of its processing systems and services. GitHits will maintain the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident. GitHits will regularly test, assess, and evaluate the effectiveness of its technical and organizational measures for ensuring the security of the processing.
6. Audit
GitHits will provide you with security compliance reporting, such as external audit reports or certifications (where available), upon your request. If you need to respond to a regulatory or supervisory request that requires GitHits’ participation, and GitHits’ standard security compliance reports cannot reasonably satisfy your obligations, GitHits will promptly respond to your additional Instructions and requests for information, in accordance with the following terms and conditions.
GitHits will provide access to relevant knowledgeable personnel, documentation, and application software. You and GitHits will agree in writing upon the scope, timing, duration, control, and evidence requirements.
Unless law or a supervisory authority of competent jurisdiction otherwise requires, the following conditions apply to audits that you or your appointed representatives conduct: You will use an independent and accredited third-party audit firm. The audit must take place during regular business hours and on 30 days’ advance written notice. GitHits will provide access only to your data and to those GitHits systems or facilities involved in the relevant Service. Neither you nor your appointed auditors will have access to any data from GitHits’ other customers or to GitHits systems or facilities not involved in the Service. Nothing in this section limits the powers of a supervisory authority under applicable law.
You will compensate GitHits for the expenses that such cooperation incurs, including all out-of-pocket costs and reasonable costs and fees for time GitHits expends, or services GitHits provides, in connection with such cooperation. If the audit reveals a material breach of GitHits’ obligations under this DPA, GitHits will bear the reasonable costs of that audit. Unless law prohibits you from doing so, you will share with GitHits any reports, findings, or recommended actions pertaining to GitHits.
7. Security Incidents
If GitHits becomes aware of a confirmed Security Incident, GitHits will notify you without undue delay and, where feasible, within 72 hours of becoming aware of it. GitHits will investigate the Security Incident and provide you with detailed information about it. GitHits will take reasonable steps to mitigate the effects of the Security Incident and minimize any resulting damage.
GitHits’ notification of or response to a Security Incident under this section does not constitute an acknowledgement of any fault or liability.
You are solely responsible for complying with your obligations under any incident notification laws. GitHits will assist you to the extent that applicable law requires in fulfilling your obligation to notify the relevant authorities and data subjects.
You must notify GitHits promptly about any possible misuse of your accounts or authentication credentials, or any Security Incident related to the Service.
8. Data Transfers and Location
You authorize GitHits to transfer and process Customer Personal Data to the United States and to any other country in which GitHits or its Subprocessors operate, subject to the safeguards described in this section. GitHits may disclose Customer Personal Data to Subprocessors, GitHits Affiliates, and professional advisors to the extent necessary to provide, secure, and support the Service.
Some of these countries may not have received an adequacy decision from the European Commission, the FDPIC, or the UK Information Commissioner’s Office (that is, a finding that the country ensures an adequate level of data protection). Where GitHits transfers Customer Personal Data from the EU, the European Economic Area (“EEA”), Switzerland, or the United Kingdom to such a country, the parties will rely on the Standard Contractual Clauses as set out below. GitHits will ensure that all international transfers comply with Data Protection Requirements and this DPA.
For the Standard Contractual Clauses, the parties agree as follows.
Controller to Controller Transfers
The SCCs will apply to Personal Data that the GDPR protects and that GitHits processes in accordance with Section 3.3 of this DPA. Module One will apply. In Clause 7, the optional docking clause will apply. In Clause 11, the optional language will not apply. In Clause 17, Option 1 will apply, and Irish law will govern the EU SCCs. In Clause 18(b), the parties will resolve disputes before the courts of Ireland.
Controller to Processor / Processor to Processor Transfers
The SCCs will apply to Personal Data that the GDPR protects and that GitHits processes in accordance with Section 3.2 of this DPA. Module Two or Module Three will apply, as applicable. In Clause 7, the optional docking clause will apply. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as Section 10 of this DPA sets out. In Clause 11, the optional language will not apply. In Clause 17, Option 1 will apply, and Irish law will govern the EU SCCs. In Clause 18(b), the parties will resolve disputes before the courts of Ireland.
Transfers from the UK
In relation to Personal Data that the UK GDPR protects, the UK Addendum will apply. The SCCs will also apply to transfers of such Personal Data, subject to the following. The parties deem Tables 1 to 3 of the UK Addendum completed with relevant information from the SCCs as this DPA’s Controller-to-Controller and Controller-to-Processor sections set out above. The parties deem the option “Importer” checked in Table 4. The start date of the UK Addendum is the date of this DPA.
Transfers from Switzerland
In relation to Personal Data that the Swiss DPA protects, the EU SCCs will apply in accordance with the Controller-to-Controller and Controller-to-Processor sections above, with the following modifications. The parties will interpret any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” as references to the Swiss Federal Data Protection Act. The parties will interpret references to “EU,” “Union,” “Member State,” and “Member State law” as references to Switzerland and Swiss law, as applicable. The parties will interpret references to the “competent supervisory authority” and “competent courts” as references to the FDPIC and competent courts in Switzerland. If the parties cannot use the SCCs as implemented above to lawfully transfer such Personal Data in compliance with the Swiss DPA, the Swiss SCCs will instead form an integral part of this DPA by incorporation by reference and will apply to such transfers. In that case, the relevant Annexes of the Swiss SCCs will draw their content from the information contained in Annexes I and II of this DPA.
Transfer impact information
To assist you in conducting transfer impact assessments, GitHits maintains standardized documentation describing the legal framework applicable to GitHits in the destination country, the technical and organizational measures GitHits applies to transferred data, and any relevant government access requests GitHits has received. GitHits will make this documentation available upon request and will update it as circumstances materially change.
9. Retention and Deletion
You are responsible for exporting any Customer Personal Data you wish to retain by using the Service’s available export functionality before the end of your subscription or service term. Following the completion or termination of the Service, to the extent that GitHits is a Processor and unless the law prohibits it, GitHits will delete all Customer Personal Data from active systems within 90 days. Customer Personal Data that resides in encrypted, immutable backups will be deleted in accordance with GitHits’ standard backup retention schedule, provided that such data remains subject to the security standards of this DPA until permanently deleted. GitHits is not obligated to maintain or provide Customer Personal Data after the active deletion period has ended. If applicable law prohibits deletion, GitHits will restrict any further processing of the retained Customer Personal Data to the minimum that the law requires and will continue to protect it in accordance with this DPA until deletion becomes permissible.
10. Subprocessors
GitHits may hire Subprocessors of its choosing. By entering into this DPA, you give prior written consent for GitHits to subcontract the processing of Customer Personal Data to any Subprocessor on the Subprocessor List.
From time to time, GitHits may engage new Subprocessors. GitHits will give you notice of such engagements by updating the Subprocessor List and providing you with notice of that update at least 30 days before providing that Subprocessor with access to Customer Personal Data.
If you have a reasonable, data-protection-related objection to a new Subprocessor, you will notify GitHits in writing with the grounds for your objection within 14 days of receiving notice of the new Subprocessor. GitHits will use commercially reasonable efforts to address your objection, which may include proposing an alternative Subprocessor or implementing additional safeguards. If GitHits cannot resolve your objection within a reasonable period, you may terminate the affected subscription for the Service without penalty by providing written notice of termination before the end of the relevant notice period.
GitHits bears responsibility for its Subprocessors’ compliance with GitHits’ obligations in this DPA, and will engage such Subprocessors through written agreements that comply with the GDPR’s requirements governing the use of Subprocessors. GitHits will oversee the Subprocessors to ensure that they meet their contractual obligations.
11. CCPA
If and to the extent GitHits processes personal information (as the CCPA defines that term) on your behalf and in accordance with your documented Instructions, the following restrictions apply. In this section, “personal information” has the meaning the CCPA gives it.
GitHits will comply with all applicable obligations under the CCPA and will provide the same level of privacy protection for the personal information as the CCPA requires of a business.
GitHits will not sell the personal information as the CCPA defines the term “selling.” GitHits will not share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate the personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money changes hands. GitHits will not retain, use, or disclose the personal information for any purpose other than for the business purposes that this DPA and the Agreement specify, or as the CCPA otherwise permits. GitHits will not retain, use, or disclose the personal information outside of the direct business relationship with you. GitHits will not combine the personal information with personal information that GitHits receives from or on behalf of a third party or collects from California residents. However, GitHits may combine personal information to perform any business purpose as the CCPA or any regulations adopted or issued under the CCPA permit.
You have the right to take reasonable and appropriate steps to help ensure that GitHits uses the personal information in a manner consistent with your obligations under the CCPA.
GitHits will notify you promptly, and in any event within 30 days, after determining that it can no longer meet its obligations under the CCPA.
Upon receiving such notice, or upon otherwise becoming aware of unauthorized use of personal information, you have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use.
12. EU Representative
Where Article 27 of the GDPR requires it, the GitHits Privacy Policy identifies GitHits’ EU representative.
13. Liability
The limitations of liability set out in the applicable Agreement govern liability under this DPA, except to the extent that applicable law prohibits such limitations. The liability limitations in the Agreement do not apply to your liability arising from a breach of Section 3.5 (Prohibited data categories).
Annex I — Processing Details
The subject matter of processing is the provision of the Service, which provides AI-assisted code search via web app, MCP server, CLI, and APIs.
The processing will last for the term of the Agreement, plus any retention period necessary for deletion or return of data and for legal compliance.
GitHits processes Customer Personal Data by hosting, storing, analyzing, and processing Inputs, Outputs, and related metadata to provide search results and AI features. GitHits also processes data for logging, security monitoring, and customer support.
The categories of data subjects include your end users, employees, contractors, and other authorized users of the Service, as well as any other individuals whose Personal Data you or your users inadvertently or intentionally include in Inputs.
The types of Personal Data that GitHits may process as Processor include name, email, user identifiers, Inputs and Outputs (to the extent they contain Personal Data), and support communications. GitHits also collects device data (such as IP address, device identifiers, and browser type) and aggregated usage data (such as feature usage and performance metrics) in connection with the Service. To the extent GitHits processes such device and usage data as an independent Controller under Section 3.3, that data is not subject to the deletion obligations in Section 9.
GitHits does not process special categories of Personal Data as defined in Article 9 of the GDPR. Section 3.5 of this DPA prohibits you from submitting such data unless GitHits has expressly agreed in writing.
Annex II — Technical and Organizational Measures (TOMs)
GitHits implements measures appropriate to the risk. These measures may include the following.
GitHits encrypts data in transit using TLS and encrypts data at rest, where the infrastructure supports it. GitHits enforces access controls based on the principle of least privilege and logs administrative access. GitHits segments environments and follows best practices for secret management to protect credentials and keys. GitHits maintains monitoring, alerting, and incident response procedures. GitHits manages vulnerabilities through patching and dependency scanning. GitHits maintains availability measures and backups to protect against data loss.
Annex III — Subprocessor List
For the current list of authorized subprocessors, including descriptions of processing, processing locations, and links to each subprocessor’s privacy policy, see the GitHits Subprocessor List maintained at https://www.githits.com/legal/subprocessors. This DPA incorporates the Subprocessor List by reference.