1. Parties
This Data Processing Agreement (“DPA”) is between Knod, Inc. doing business as Codemend (“Processor”) and the customer using Codemend services (“Controller”). This DPA supplements our Terms of Service and Privacy Policy.
2. Definitions
- Personal Data — Any information relating to an identified or identifiable natural person processed through Codemend
- Processing — Any operation performed on Personal Data, including collection, storage, analysis, and deletion
- Sub-processor — A third-party service that processes Personal Data on behalf of the Processor
3. Scope of Processing
Codemend processes the following categories of data on behalf of the Controller:
- Error data — Error messages, stack traces, source URLs, browser information from the Controller's end users
- Source code — Temporarily accessed from the Controller's GitHub repositories during error analysis only
- Account data — Controller's email, username, and configuration preferences
Processing purpose: To analyze application errors, generate AI-powered fix suggestions, create pull requests, and send notifications as configured by the Controller.
4. Processor Obligations
- Process Personal Data only on documented instructions from the Controller (i.e., the Controller's use of Codemend features)
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage additional sub-processors without prior notice to the Controller
- Assist the Controller in responding to data subject access requests
- Delete or return all Personal Data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with these obligations
5. Security Measures
- Encryption in transit (TLS 1.3) for all data transmission
- Encryption at rest (AES-256) for all stored data
- AES-256-GCM encryption for sensitive credentials (API keys)
- Row-level security ensuring data isolation between customers
- Authentication via OAuth 2.0 (GitHub, Google) or secure password hashing
- Rate limiting on all API endpoints
- No long-term storage of source code — only accessed during analysis
6. Sub-processors
The following sub-processors are authorized to process Personal Data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication | US East |
| Anthropic | AI error analysis | US |
| Vercel | Application hosting | US |
| GitHub | OAuth, repository access | US |
| Stripe | Payment processing | US |
| Resend | Email delivery | US |
| Cloudflare | DNS, CDN | Global |
The Controller will be notified of any changes to sub-processors via email at least 14 days before the change takes effect.
7. Data Breach Notification
In the event of a personal data breach, Codemend will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and measures taken to address it.
8. Data Transfers
All data is processed in the United States. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as appropriate. Our sub-processors maintain their own compliance with applicable data transfer mechanisms.
9. Term and Termination
This DPA is effective for the duration of the Controller's use of Codemend services. Upon termination, all Personal Data will be deleted within 30 days, except as required by law or as retained in encrypted backups (up to 90 days).
10. Contact
For questions about this DPA or to exercise data protection rights:
- Email: privacy@codemend.ai
- Entity: Knod, Inc.