Standard Contractual Clauses

Last updated 2026-05-17 · Draft — pending legal review · Module Two (Controller-to-Processor)

01

Scope

These Standard Contractual Clauses ("SCC") apply to transfers of personal data covered by the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection from a data exporter located in the EU/UK/Switzerland to Coday, Inc. ("Coday") in the United States.

They incorporate by reference the Standard Contractual Clauses set out in the Annex to European Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor.

02

When the SCC apply

Coday account and platform-operational data — your Coday account identity, billing, audit logs, support correspondence — is stored in the United States (us-east-1, N. Virginia). When such data includes personal data of EU/UK/Swiss data subjects, these SCC apply between you (as data exporter) and Coday (as data importer).

Personal data of end users of applications you deploy in the EU region (eu-central-1, Frankfurt) is stored and processed exclusively in the European Union. It is not transferred to the United States, and the SCC are not engaged for that data.

03

Parties

Data exporter: the Coday Customer, whose contact details are those associated with the Customer's Coday account. The exporter's role is Controller of the personal data transferred.

Data importer: Coday, Inc., a Delaware corporation, address available on request to [email protected]. The importer's role is Processor.

04

Description of the transfer

Categories of data subjects:

  • The Customer's own users of the Coday platform (typically the Customer's engineering, finance, and operations personnel).
  • End users of the Customer's applications, to the extent that limited identifiers (such as account email used as login) are propagated into platform-operational data.

Categories of personal data:

  • Account information: email, name, hashed password, two-factor authentication state.
  • Billing information: invoice metadata and payment method tokens (full card numbers are processed by Stripe, not stored by Coday).
  • Authentication telemetry: login history, IP address, user agent, geolocation derived from IP.
  • Support correspondence: subject, body, and attachments of messages sent to [email protected] and similar channels.

Sensitive data: none expected.

Frequency: continuous, for the duration of the Customer's subscription.

Nature and purpose: hosting and providing the Coday platform, billing, security monitoring, and customer support.

Period of retention: as set out in the Coday Privacy Policy and the Data Processing Agreement.

05

Competent supervisory authority

Where the data exporter is established in an EU member state, the competent supervisory authority is the authority of that member state.

Where the data exporter is not established in an EU member state but is subject to the GDPR by virtue of Article 3(2), the competent supervisory authority is the Irish Data Protection Commission, as the lead authority for cross-border processing under Module Two of Implementing Decision (EU) 2021/914.

Where the data exporter is located in the United Kingdom, the competent supervisory authority is the UK Information Commissioner's Office. Where the data exporter is located in Switzerland, the competent authority is the Swiss Federal Data Protection and Information Commissioner.

06

Annex I — sub-processors

Coday relies on the sub-processors listed in the Data Processing Agreement. Of those, the following sub-processors process platform-operational data in the United States:

  • Amazon Web Services, Inc. — us-east-1 (N. Virginia).
  • Stripe, Inc. — United States.
  • Cloudflare, Inc. — global edge network with US-based control plane.
  • Resend (Drip Email, Inc.) — United States.
  • GitHub, Inc. — United States.
  • Anthropic PBC — United States.

EU-region projects (eu-central-1, Frankfurt) use AWS sub-processing in the European Union only and are not within the scope of these SCC.

07

Annex II — technical and organizational measures

The technical and organizational measures applied by Coday as data importer are set out in the "Security measures" section of the Data Processing Agreement. In summary, they include encryption at rest (AWS KMS) and in transit (TLS 1.2+), least-privilege IAM with TOTP MFA for administrators, multi-tenant database isolation, dependency CVE auditing, custom static analysis for common application security issues, and operational backups with point-in-time recovery.

08

Signature and execution

Customers may, on request, receive a counter-signed copy of these SCC for their records. A self-service signature flow in the Coday dashboard is on the post-launch backlog; until then, requests for a signed copy can be sent to [email protected].

These SCC take effect on the date the Customer first uses the Coday Service after they are published, or on the date Customer signs them, whichever is earlier.

09

Governing law and jurisdiction

In accordance with Clause 17 of Module Two of Implementing Decision (EU) 2021/914, these SCC are governed by the law of Ireland. Disputes arising from these SCC will be resolved before the courts of Ireland, without prejudice to any rights of data subjects under Clause 18.

10

Contact

SCC and international transfer inquiries: [email protected]

Operating entity: Coday, Inc., a Delaware corporation (United States).