Data Processing Addendum

Available to every VizRepo customer — Free, Pro, and Enterprise. Outlines how VizRepo processes personal data on your behalf, in line with GDPR Articles 28 and 32.

1. Parties & roles

For any personal data VizRepo processes on your behalf, you are the data controller and VizRepo (“Processor”) is the data processor within the meaning of Article 4 of the GDPR. This DPA forms part of, and incorporates by reference, the VizRepo Terms of Service.

2. What we process

VizRepo processes the minimum data needed to operate the service:

  • Account data: name, email, hashed authentication identifier, organisation name, billing details (handled by Stripe).
  • Project metadata: repository URLs, branch names, integration configuration. We do not store source code.
  • Generated content: documentation sections, endpoint maps, schema metadata, diagrams produced by the scan.
  • Operational telemetry: request logs, error traces, scan timings — retained for up to 30 days for debugging and abuse prevention.

Source code is fetched into ephemeral storage during a scan and deleted immediately after. We retain only the structural metadata extracted from it.

3. Sub-processors

VizRepo uses the following sub-processors to deliver the service:

  • Stripe (payments, billing) — Ireland / United States.
  • OpenAI (LLM inference for documentation prose) — United States. Source code is never sent; only the structural metadata required to generate prose.
  • Firebase Authentication (Google) — European Economic Area.
  • MongoDB Atlas (primary database) — Frankfurt, Germany.

We will give you reasonable advance notice of any addition or replacement of sub-processors, including via this page.

4. Security measures

  • All data in transit is protected with TLS 1.2 or higher.
  • Customer credentials and integration tokens are encrypted at rest with AES-256-GCM. Encryption keys live in an isolated secrets manager.
  • Source code is never stored — only fetched into ephemeral storage for the duration of a scan and deleted immediately after.
  • Production access is restricted to named individuals via SSO and audited.
  • See the full Security overview for detail.

5. Data subject rights

Where data subjects exercise their rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection), VizRepo will, taking into account the nature of the processing, assist you in fulfilling such requests by appropriate technical and organisational measures. Contact privacy@vizrepo.com.

6. International transfers

VizRepo's primary infrastructure is hosted in the European Union (Frankfurt). Where personal data is transferred outside the EEA — for example, to a US sub-processor — such transfers are covered by the European Commission's Standard Contractual Clauses (SCCs).

7. Breach notification

VizRepo will notify you without undue delay, and in any event no later than 72 hours, after becoming aware of a personal data breach affecting your data, providing the information required under GDPR Article 33(3) to the extent it is available.

8. Term & deletion

This DPA remains in force for as long as VizRepo processes personal data on your behalf. Upon termination of the underlying agreement, we will delete or return all personal data within 30 days unless retention is required by law.

Request a signed copy

For procurement or compliance reviews requiring a counter-signed DPA, request one below and we'll send a copy to be executed. No charge, no plan restriction.

This DPA is provided for transparency and forms part of the VizRepo customer agreement. It does not constitute legal advice. Last updated: May 2026.