Data Processing Agreement

This Data Processing Agreement ("DPA") applies between Coday, Inc., a Delaware corporation ("Coday", "Processor"), and you, the customer of the Coday platform ("Customer", "Controller"), and forms part of the Coday Terms of Service.

When your application deployed on Coday collects, stores, or otherwise processes personal data of its own users ("End-User Data"), Customer is the Controller of that End-User Data and Coday is the Processor acting on Customer's documented instructions.

This DPA does not change the roles for data that Coday collects to provide and bill the platform itself — that data is covered by the Coday Privacy Policy, where Coday acts as Controller.

Subject matter: hosting, building, and operating the Customer's deployed application on cloud infrastructure provisioned by Coday.

Duration: for the term of the Customer's active subscription, plus a 30-day grace period after subscription termination or account deletion to allow data export and recovery.

Coday processes End-User Data only to provide the Service:

• Storing End-User Data in databases (Amazon Aurora PostgreSQL) provisioned by Coday in the region selected by the Customer.
• Storing object data in Amazon S3 buckets provisioned by Coday in the region selected by the Customer.
• Serving HTTP requests through Amazon ECS Fargate containers running the Customer's application image.
• Transmitting messages over WebSocket via the Coday realtime gateway (when used).
• Producing and retaining build logs, runtime logs, and operational metrics for the purpose of running the Service.

Coday does not access End-User Data except as necessary to provide the Service or as required by law.

The categories of data subjects are those determined by the Customer's application. Typical categories include the Customer's end users, employees, and other persons whose data the Customer chooses to store.

The categories of personal data are those determined by the Customer's application. Coday does not direct what personal data Customer collects.

Coday processes End-User Data only on Customer's documented instructions, which are set out in (i) this DPA, (ii) the Coday Terms of Service, and (iii) the Customer's use of the Service through the dashboard, API, and deployed applications.

Coday will notify Customer if, in its opinion, an instruction infringes applicable data protection law, in which case Coday may suspend the affected processing until the instruction is amended or confirmed.

Customer authorizes Coday to engage the following sub-processors to perform parts of the Service:

• Amazon Web Services, Inc. — cloud infrastructure (Aurora, ECS, S3, ALB, ECR, ElastiCache, Lambda, CloudWatch). Region of processing: us-east-1 (United States, N. Virginia) and eu-central-1 (Germany, Frankfurt), selected per project by the Customer.
• Stripe, Inc. — payment processing for Customer's subscription.
• Cloudflare, Inc. — DNS, edge proxy, TLS termination, and origin certificates.
• Resend (Drip Email, Inc.) — transactional email delivery from the Coday platform (not from Customer's deployed applications unless they integrate Resend separately).
• GitHub, Inc. — source code clone for build, repository metadata, and OAuth identity. Customer source code is read at build time only and not retained beyond the deployment artifact.
• Anthropic PBC — build-time error analysis and security validation, used on Coday operational metadata; not used on End-User Data.

Coday will give Customer at least 30 days' notice of new sub-processors or of material changes to sub-processor scope by updating this page. Customer may object on reasonable grounds related to data protection; in that case the parties will work in good faith to find an alternative.

Each project deployed on Coday is bound to the region selected at project creation. End-User Data of EU-region projects (eu-central-1, Frankfurt) is stored and processed exclusively in the European Union; it is not transferred to the United States.

Coday platform operational data — such as the Customer's own Coday account, billing data, and audit logs — is stored in the United States (us-east-1). For transfers of personal data of EU/UK/Swiss data subjects to the United States, the parties rely on the Standard Contractual Clauses (Module Two: Controller-to-Processor) as set out in the SCC page.

Coday implements the following technical and organizational measures, at minimum:

• Encryption at rest: AWS KMS-managed encryption for Aurora databases, S3 buckets, EBS volumes, and Secrets Manager.
• Encryption in transit: TLS 1.2+ for all public endpoints; TLS for intra-region database, cache, and ALB traffic.
• Access control: least-privilege IAM, SSO with mandatory TOTP MFA for administrators, audited via CloudTrail organization trail.
• Network isolation: dedicated VPC per region, security groups restricting traffic to required ports, private subnets for databases.
• Multi-tenant database isolation: each Customer project receives a dedicated PostgreSQL database and role with narrow GRANTs inside a shared Aurora cluster.
• Secrets management: AWS Secrets Manager with replication for region-agnostic credentials, no plaintext secrets in source control, gitleaks pre-build scanning.
• Application security: dependency CVE auditing, custom static analysis for auth bypass / env leakage / XSS, blocking on critical/high findings.
• Backup and recovery: Aurora automated backups with point-in-time recovery for 7 days; S3 versioning for 90 days.

Coday personnel with access to End-User Data are bound by written confidentiality obligations and access is limited to those personnel whose role requires it.

Coday will make available to Customer, on reasonable written request and no more than once per twelve (12) months, a summary report describing its security monitoring, access controls, and processing of End-User Data.

Where Customer has a regulatory obligation to perform a deeper audit, the parties will agree in good faith on the scope, timing, and any reasonable cost reimbursement.

Coday will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting End-User Data processed under this DPA.

The notice will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

If Coday receives a request from a data subject relating to End-User Data, Coday will, unless legally prohibited, refer the data subject to Customer without responding to the request itself.

Coday will, to the extent reasonably possible, assist Customer in responding to data subject requests through standard platform features such as data export and deletion.

On termination of the Service or on Customer's written request, Coday will, within 30 days, return or delete all End-User Data unless retention is required by law.

Operational backups containing End-User Data are retained for up to 90 days after deletion and then permanently destroyed.

This DPA is governed by the laws of the State of Delaware, United States, except where overridden by the SCC for transfers covered by them.

Privacy and DPA inquiries: [email protected]

Operating entity: Coday, Inc., a Delaware corporation (United States).