Data Processing Addendum

Last updated: June 29, 2026

Overview

This Data Processing Addendum ("DPA") forms part of the agreement between Scrapybara, Inc. ("Capy," "we," "us," or "Processor") and the customer using Capy ("Customer," "you," or "Controller") when Capy processes Customer Personal Data on behalf of Customer in connection with the Services.

This DPA is incorporated into the Terms of Service unless Customer and Capy have signed a separate data processing agreement. If there is a conflict between this DPA and the Terms, this DPA controls for the processing of Customer Personal Data. If there is a conflict between this DPA and a signed agreement, the signed agreement controls.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given in the Terms.

Account Data means personal information processed by Capy as a controller for account administration, billing, security, support, marketing, contracting, and business relationship management.

Customer Content means data submitted to or made available through the Services by Customer or its users, including source code, repositories, prompts, messages, files, integrations, logs, generated content, and related context.

Customer Personal Data means personal data, personal information, or similar information contained in Customer Content that Capy processes on behalf of Customer to provide the Services.

Data Protection Laws means all privacy, data protection, and data security laws applicable to the processing of Customer Personal Data, including GDPR, UK GDPR, Swiss data protection law, and U.S. state privacy laws such as CCPA/CPRA where applicable.

GDPR means Regulation (EU) 2016/679.

Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Capy under this DPA.

Subprocessor means a third party engaged by Capy to process Customer Personal Data on Capy’s behalf to provide the Services.

UK GDPR means the UK General Data Protection Regulation and the UK Data Protection Act 2018.

2. Roles of the parties

For Customer Personal Data, Customer is the controller, business, or equivalent role under Data Protection Laws, and Capy is the processor, service provider, contractor, or equivalent role.

For Account Data, Capy acts as an independent controller and processes that data under the Privacy Policy, not this DPA, except where Data Protection Laws require otherwise.

Each party will comply with its obligations under Data Protection Laws.

3. Processing instructions

Customer instructs Capy to process Customer Personal Data to provide, secure, support, monitor, improve, and maintain the Services, including:

  • running AI coding agents and review agents;
  • cloning, reading, indexing, editing, and synchronizing repositories and related development context;
  • processing prompts, messages, files, logs, screenshots, terminal output, and generated Output;
  • creating branches, commits, summaries, review findings, comments, and pull requests when instructed;
  • routing Customer Content to model providers and other service providers as needed to provide the Services;
  • operating cloud VMs, task queues, workflow orchestration, databases, storage, analytics, logging, support, billing, and security systems;
  • processing data from connected integrations such as GitHub, Slack, Linear, Sentry, and Vercel as Customer configures them;
  • preventing, detecting, and investigating abuse, fraud, security incidents, and policy violations;
  • complying with law and lawful requests; and
  • performing any additional processing Customer instructs through the Services, an order form, support request, or written instruction.

Customer’s documented instructions include the Terms, this DPA, the applicable order form, Customer’s configuration in the Services, and any written instructions agreed by the parties.

Capy will process Customer Personal Data only on Customer’s documented instructions, unless required by law. If Capy believes an instruction violates Data Protection Laws, Capy will notify Customer unless prohibited by law.

4. Customer obligations

Customer is responsible for:

  • providing all required notices and obtaining all required rights, permissions, consents, and legal bases for processing Customer Personal Data through the Services;
  • ensuring Customer Content is lawful and appropriate for processing by Capy and its Subprocessors;
  • configuring repositories, integrations, permissions, secrets, environments, models, BYOK settings, retention settings, and user access appropriately;
  • not submitting prohibited regulated data unless a written agreement expressly permits it;
  • responding to data subject requests where Customer is the controller;
  • maintaining backups and records Customer needs outside the Services; and
  • ensuring its users comply with the Terms and Data Protection Laws.

Customer acknowledges that agent prompts, source code, logs, tickets, Slack messages, Linear issues, Sentry issues, and similar development content may contain personal data, and Customer controls what is made available to the Services.

5. Capy obligations

Capy will:

  • process Customer Personal Data in accordance with Customer’s documented instructions;
  • ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
  • maintain appropriate technical and organizational measures described in Annex II;
  • assist Customer with data subject requests to the extent reasonably possible given the nature of the Services;
  • assist Customer with data protection impact assessments and regulator consultations to the extent required by Data Protection Laws and reasonably available to Capy;
  • notify Customer of Security Incidents as described below;
  • make information reasonably necessary to demonstrate compliance with this DPA available as described in the audit section;
  • impose data protection obligations on Subprocessors; and
  • delete or return Customer Personal Data after termination as described below.

6. Restrictions under U.S. privacy laws

To the extent U.S. state privacy laws apply to Customer Personal Data, Capy will not:

  • sell Customer Personal Data;
  • share Customer Personal Data for cross-context behavioral advertising;
  • retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by law;
  • retain, use, or disclose Customer Personal Data for purposes other than providing the Services, complying with law, securing the Services, or other purposes permitted for service providers or processors; or
  • combine Customer Personal Data with personal information obtained from other sources except as permitted by applicable law.

Capy may use aggregated or de-identified information in accordance with the Terms and applicable law. Capy will maintain de-identified information in de-identified form and will not attempt to reidentify it except to test whether de-identification works or as otherwise permitted by law.

7. Subprocessors

Customer authorizes Capy to engage Subprocessors to process Customer Personal Data. Capy’s current Subprocessor list is available at Subprocessors.

Capy will:

  • impose written obligations on Subprocessors that are at least as protective as those required by this DPA in substance;
  • remain responsible for Subprocessors’ processing of Customer Personal Data to the extent required by applicable law and the agreement;
  • update the Subprocessor list when new material Subprocessors are added; and
  • provide a reasonable opportunity to object to new Subprocessors where required by Data Protection Laws or the applicable agreement.

If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer must notify Capy at support@capy.ai with the subject "Subprocessor Objection." The parties will work in good faith to resolve the objection. If the objection cannot be resolved and the affected Service cannot be provided without the Subprocessor, Customer may stop using the affected Service or terminate the affected order to the extent required by applicable law or the agreement.

Customer-directed integrations, BYOK model providers, external subscriptions, MCP servers, and other third-party services enabled by Customer may not be Capy Subprocessors because they process data at Customer’s direction or under Customer’s separate relationship with that provider.

8. Security

Capy will implement and maintain technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage. Current measures are described in Annex II.

Capy may update security measures from time to time, provided the updates do not materially decrease the overall security of the Services during the applicable term.

Customer is responsible for securing its own accounts, devices, credentials, repositories, branches, CI/CD systems, cloud systems, connected integrations, secrets, and downstream use of Output.

9. Security incident notice

Capy will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and, where feasible, within 72 hours.

The notice will include available information about the nature of the Security Incident, affected data, likely consequences, mitigation steps, and contact information. Capy may provide information in phases as investigation continues.

Capy’s notice of or response to a Security Incident is not an admission of fault or liability.

10. Data subject requests

If Capy receives a data subject request relating to Customer Personal Data, Capy will, where legally permitted and reasonably identifiable as relating to Customer, direct the requester to Customer or notify Customer. Capy will not independently respond to the request except to confirm that the request relates to Customer, to redirect the requester, to comply with law, or as instructed by Customer.

Taking into account the nature of the processing, Capy will provide reasonable assistance for Customer to fulfill data subject requests, including access, deletion, correction, portability, restriction, and objection requests.

11. Audits and compliance information

Upon reasonable written request, Capy will make available information necessary to demonstrate compliance with this DPA, which may include security documentation, summaries of third-party audits, SOC 2 reports, certifications, penetration-test summaries, vendor questionnaires, or similar materials under appropriate confidentiality obligations.

Customer may request an audit no more than once in any 12-month period, unless required by a regulator or following a confirmed Security Incident affecting Customer Personal Data. Before any audit, the parties will agree on scope, timing, confidentiality, security, and process. Audits must be conducted during normal business hours, with at least 30 days’ notice, at Customer’s expense, and without unreasonable disruption or access to other customers’ data, Capy confidential information, or systems that cannot be safely exposed.

Capy may satisfy audit requests by providing independent third-party audit reports or certifications where permitted by Data Protection Laws.

12. Return and deletion

Upon termination of the Services or written request, Capy will delete or return Customer Personal Data in accordance with the agreement and Customer’s instructions, unless retention is required or permitted by law.

Deletion may exclude:

  • Account Data processed by Capy as a controller;
  • billing, tax, accounting, legal, security, abuse-prevention, and dispute records;
  • aggregated or de-identified data;
  • data retained in encrypted backups until backup expiration;
  • data retained by customer-directed integrations or third-party services outside Capy’s control; and
  • information that must be retained to comply with law or protect legal rights.

13. International transfers

Customer authorizes Capy and its Subprocessors to process Customer Personal Data in the United States and other countries where Capy or its Subprocessors operate.

For transfers of Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries that do not provide an adequate level of protection, the parties rely on the Standard Contractual Clauses and UK Addendum as described in Annex III, unless another lawful transfer mechanism applies.

14. Changes

Capy may update this DPA at any time in its sole discretion, subject to Data Protection Laws and any signed agreement between the parties. Unless a longer period is required by law, an agreement, or a notice we provide, changes are effective when posted for future processing and continued use of the Services. If a change would materially reduce protections for Customer Personal Data during an active paid term, the change applies only to the extent permitted by Data Protection Laws and the applicable agreement.

15. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the agreement, unless prohibited by Data Protection Laws.

16. Term

This DPA remains in effect for as long as Capy processes Customer Personal Data on behalf of Customer.

Annex I: Details of processing

Subject matter

Capy’s processing of Customer Personal Data to provide AI software engineering, agent execution, code review, automation, collaboration, integration, API, support, security, and related services.

Duration

For the term of Customer’s use of the Services and any post-termination retention period described in the agreement or required by law.

Nature of processing

Collection, receipt, access, hosting, storage, organization, retrieval, consultation, use, disclosure, transmission, analysis, generation, modification, synchronization, deletion, and other processing necessary to provide the Services.

Purposes

Providing, securing, monitoring, supporting, troubleshooting, billing, improving, and maintaining the Services; running agents; generating Output; creating and reviewing code; operating integrations; preventing abuse; complying with law; and carrying out Customer’s instructions.

Categories of data subjects

Customer’s users, employees, contractors, candidates, customers, end users, open-source contributors, GitHub/Slack/Linear/Sentry/Vercel users, people referenced in Customer Content, and other individuals whose personal data appears in Customer Content.

Categories of Customer Personal Data

Names, email addresses, usernames, profile identifiers, IP addresses, device identifiers, account IDs, organization IDs, repository metadata, commit metadata, issue and PR content, Slack messages, Linear issues, Sentry issue content, logs, terminal output, prompts, generated Output, code comments, documentation, screenshots, files, and any other personal data included in Customer Content.

Sensitive data

The Services are not intended for protected health information, payment-card numbers, bank account numbers, government identifiers, biometric identifiers, children’s personal information, or other highly regulated or sensitive personal data unless expressly permitted in a signed agreement. Customer controls whether such data is included in Customer Content.

Frequency

Continuous or as initiated by Customer and its users through use of the Services.

Annex II: Technical and organizational measures

Capy maintains a security program designed for a cloud AI software engineering platform, including:

Access control

  • Role-based access controls for internal systems.
  • Multi-factor authentication for employee access where supported.
  • Least-privilege access practices.
  • Approval and review processes for production access.
  • Prompt access revocation for departing personnel.

Data protection

  • Encryption in transit using TLS.
  • Encryption at rest for production data stores where supported.
  • Segregation of customer organizations and projects at the application and infrastructure layers.
  • Controls for secrets and environment variables.
  • Backups and recovery procedures for critical systems.

Infrastructure and agent isolation

  • Isolated execution environments for agent work.
  • Repository and branch scoping based on Customer configuration.
  • Logging and monitoring for operational health and abuse detection.
  • Controls designed to prevent unauthorized cross-customer access.

Secure development

  • Code review and change-management practices.
  • Dependency and vulnerability monitoring.
  • Security testing appropriate to risk.
  • Separation of production and non-production access where practical.

Incident response

  • Procedures for detecting, investigating, escalating, mitigating, and documenting security incidents.
  • Security contact at security@capy.ai.
  • Customer notification process for Security Incidents.

Vendor management

  • Review of material service providers.
  • Written agreements with Subprocessors.
  • Subprocessor inventory maintained at Subprocessors.

Availability and resilience

  • Monitoring of production systems.
  • Backup, recovery, and operational continuity procedures.
  • Capacity and reliability monitoring for critical services.

Annex III: International transfer terms

For Customer Personal Data subject to GDPR, UK GDPR, or Swiss data protection law that is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 as follows:

  • Module Two applies where Customer is a controller and Capy is a processor.
  • Module Three applies where Customer is a processor and Capy is a subprocessor.
  • Clause 7 optional docking clause does not apply unless the parties agree otherwise.
  • Clause 9 Option 2, general written authorization for subprocessors, applies with notice as described in this DPA.
  • Clause 11 optional language does not apply.
  • Clause 17 governing law is the law of Ireland for EEA transfers unless another EU member state law is required.
  • Clause 18 forum is the courts of Ireland for EEA transfers unless another EU member state forum is required.
  • Annex I details are set out in Annex I of this DPA.
  • Annex II security measures are set out in Annex II of this DPA.
  • Annex III subprocessors are listed at Subprocessors.

For UK transfers, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses is incorporated. For Swiss transfers, references to GDPR include the Swiss Federal Act on Data Protection as applicable, and the Swiss Federal Data Protection and Information Commissioner is the competent authority where required.