Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hackerman AB ("Processor", "we", "us"), a Swedish limited company (org. nr. 559079-1918), and the organisation subscribing to the Codebahn service ("Controller", "you").
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and governs our processing of personal data on your behalf when we provide the Codebahn service ("Service").
By creating an account, you agree to this DPA as part of the Terms of Service. If you need a countersigned copy for your records, email legal@codebahn.net and we will provide one.
1. Definitions
Terms not defined here have the meaning given in the GDPR or the Terms of Service.
- "Customer Data" means all personal data that Controller uploads to or creates within the Service, including repository content, issues, pull requests, CI artifacts, user profiles, and any other content processed on Controller's behalf.
- "Sub-processor" means a third party engaged by the Processor to process Customer Data on behalf of the Controller.
- "Data Protection Laws" means the GDPR and any applicable national implementing legislation, including the Swedish Data Protection Act (dataskyddslagen 2018:218).
2. Roles and scope
2.1. Controller determines the purposes and means of processing Customer Data. Processor processes Customer Data solely to provide the Service as described in the Terms of Service.
2.2. The categories of data subjects, types of personal data, and nature of processing are described in Annex 1 at the end of this DPA.
2.3. The duration of processing corresponds to the term of Controller's subscription to the Service, plus the data retention periods described in section 10.
3. Processing instructions
3.1. Processor shall process Customer Data only on documented instructions from Controller (Article 28(3)(a) GDPR), unless required to process by EU or Swedish law, in which case Processor shall inform Controller of that legal requirement before processing (unless the law prohibits such information).
3.2. The Terms of Service and this DPA constitute Controller's documented instructions. Controller may issue additional written instructions consistent with the Terms of Service by emailing legal@codebahn.net.
3.3. If Processor believes an instruction from Controller infringes Data Protection Laws, Processor shall promptly inform Controller.
4. Confidentiality
4.1. Processor shall ensure that all persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
4.2. This obligation continues after the termination of the individual's engagement with Processor.
5. Security measures
5.1. Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR (Article 28(3)(c) GDPR). These measures include:
- Encryption in transit (TLS 1.2+ for all connections; TLS 1.3 where supported by both endpoints).
- Encryption at rest (managed encryption for block storage, object storage, and managed PostgreSQL).
- Daily encrypted backups stored in a separate EU region from primary infrastructure.
- SSH key authentication for Git operations.
- Passwordless authentication via email verification codes for web access.
- CI builds run in per-tenant ephemeral virtual machines. Each VM is dedicated to a single tenant and terminated after a maximum of 6 hours. Jobs execute in Docker containers within the VM.
- Access to production infrastructure restricted to Hackerman AB employees via SSH key authentication and IP allowlisting.
- Individual access keys with audit logging. No shared credentials.
- All infrastructure and backup storage operated by EU-incorporated providers.
5.2. Processor shall regularly assess the adequacy of these measures and update them as necessary to maintain an appropriate level of protection.
5.3. We do not currently hold ISO 27001 or SOC 2 certification. If this changes, we will update this section.
6. Sub-processors
6.1. Controller grants Processor general written authorisation to engage sub-processors for the processing of Customer Data (Article 28(2) GDPR).
6.2. The current list of sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway (Iliad Group) | Infrastructure: compute, block storage, object storage, managed PostgreSQL | France (fr-par) |
| Hetzner Online GmbH | Backup storage (encrypted, object storage) | Germany (fsn1) |
| Mollie B.V. | Payment processing (payment data only, no access to Customer Data) | Netherlands |
The full, current list is maintained at docs.codebahn.net/reference/subprocessors.
6.3. Processor shall notify Controller at least 30 days before adding or replacing a sub-processor, by email to the address associated with Controller's account and by updating the sub-processor list. Controller may object to the change within 30 days by emailing legal@codebahn.net (Article 28(2) GDPR).
6.4. If Controller objects and Processor cannot reasonably provide the Service without the new sub-processor, either party may terminate the subscription with 30 days' notice. Processor shall refund any prepaid fees for the unused portion of the subscription.
6.5. Processor shall impose on each sub-processor, by way of contract, the same data protection obligations as set out in this DPA. Processor remains liable to Controller for the performance of each sub-processor's obligations, subject to the limitations set out in section 13 (Article 28(4) GDPR).
7. Data subject rights
7.1. Processor shall assist Controller in fulfilling its obligations to respond to data subject requests exercising their rights under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection) (Article 28(3)(e) GDPR).
7.2. If Processor receives a data subject request directly, Processor shall promptly redirect the data subject to Controller and notify Controller, unless otherwise instructed.
7.3. The Service provides self-service tools that Controller can use to respond to many data subject requests (e.g. exporting data, deleting accounts, modifying user information). For requests that require Processor's assistance beyond these tools, Controller may email privacy@codebahn.net.
8. Breach notification
8.1. Processor shall notify Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Data (Article 28(3)(f), Article 33(2) GDPR).
8.2. The notification shall include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.
8.3. If full details are not available within 48 hours, Processor shall provide an initial notification with available information and supplement it as further details become known.
8.4. Processor shall assist Controller in fulfilling its obligations under Articles 33 and 34 GDPR (notification to supervisory authority and communication to data subjects).
9. Assistance with compliance obligations
9.1. Processor shall assist Controller with data protection impact assessments and prior consultations with supervisory authorities where required (Articles 35 and 36 GDPR), taking into account the nature of processing and the information available to Processor (Article 28(3)(f) GDPR).
10. Data return and deletion
10.1. On termination of the Service, at Controller's choice, Processor shall (Article 28(3)(g) GDPR):
- Return: Controller may export all Customer Data using the Service's standard export tools (Git clone, Forgejo export) during a 30-day read-only period following termination. No ticket or approval is required.
- Delete: After the 30-day export window, Processor shall delete all Customer Data within 90 days. Backups containing Customer Data are rotated out within 90 days of deletion.
10.2. Processor shall delete all existing copies of Customer Data unless EU or Swedish law requires continued storage. Where such a legal obligation exists, Processor shall inform Controller of the requirement and limit processing to what is strictly necessary for compliance.
10.3. Billing records (organisation name, billing email, VAT number, country code, invoice amounts, payment dates) are retained for 7 years as required by Swedish bookkeeping law (BFL 7:2). This retention applies regardless of deletion requests and is disclosed to Controller in the Privacy Policy.
11. Audit rights
11.1. Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller (Article 28(3)(h) GDPR).
11.2. Audit procedure:
- Information requests. Controller may request documentation, records, and other information demonstrating Processor's compliance. Processor shall respond within 30 days.
- Third-party audit reports. Where Processor obtains third-party certifications or audit reports (e.g. ISO 27001, SOC 2), Processor shall make these available to Controller on request as an alternative to on-site audits.
- On-site audits. Controller may conduct on-site audits with at least 30 days' written notice, during normal business hours, no more than once per 12-month period (unless required by a supervisory authority or following a personal data breach). Controller bears the cost of such audits. The auditor must agree to reasonable confidentiality obligations.
11.3. Processor shall immediately inform Controller if, in Processor's opinion, an instruction from Controller infringes Data Protection Laws (Article 28(3), final paragraph, GDPR).
12. International data transfers
12.1. All processing of Customer Data takes place within the European Union and the European Economic Area. Processor does not transfer Customer Data to any country outside the EU/EEA.
12.2. No sub-processor is incorporated in a country outside the EU/EEA. No sub-processor is a subsidiary of a company incorporated outside the EU/EEA that could be subject to third-country government access requests under non-EU law.
12.3. If a change in law or circumstances makes an international transfer necessary, Processor shall notify Controller before the transfer and implement appropriate safeguards under Chapter V GDPR (e.g. Standard Contractual Clauses). Controller may object to any proposed international transfer and terminate the subscription without penalty if the objection cannot be resolved.
13. Liability
13.1. Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except that nothing in this DPA or the Terms of Service limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted under applicable law.
14. Term and termination
14.1. This DPA takes effect when Controller begins using the Service and remains in effect for the duration of Processor's processing of Customer Data on behalf of Controller.
14.2. Sections 4 (Confidentiality), 8 (Breach notification), 10 (Data return and deletion), 11 (Audit rights), and 13 (Liability) survive termination of this DPA.
15. Governing law
15.1. This DPA is governed by the laws of Sweden, without regard to conflict-of-law principles.
15.2. Any dispute arising out of or in connection with this DPA shall be resolved by the courts of Gothenburg, Sweden.
16. Changes to this DPA
16.1. We may update this DPA to reflect changes in Data Protection Laws or our processing practices. We will notify Controller of material changes at least 30 days before they take effect, by email. If Controller objects to a material change, Controller may terminate the subscription without penalty before the change takes effect.
Annex 1: Description of processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Codebahn managed Git hosting service |
| Duration | Duration of the subscription, plus retention periods in section 10 |
| Nature and purpose | Hosting Git repositories, issue tracking, CI/CD, container/package registries, and related collaboration tools |
| Categories of data subjects | Controller's employees, contractors, and other users granted access to Controller's organisation on the Service |
| Types of personal data | |
| Processing operations | Storage, retrieval, transmission, display, backup, deletion, and any other processing necessary to provide the Service |
Annex 2: Technical and organisational measures
The current technical and organisational measures are described in section 5 of this DPA and section 10 of the Privacy Policy. A summary:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections (TLS 1.3 where supported); SSH for Git |
| Encryption at rest | Scaleway managed encryption (block storage, object storage, managed PostgreSQL) |
| Backup | Daily encrypted backups via Restic to Hetzner Object Storage (Falkenstein, Germany), a separate EU location from primary infrastructure |
| Access control | SSH key + IP allowlist for production infrastructure. Individual access keys, no shared credentials. Audit logging. |
| Authentication | Passwordless email verification codes for web access, SSH key authentication for Git |
| CI isolation | Per-tenant ephemeral VMs (max 6h lifetime), one tenant per VM, jobs in Docker containers. Cross-tenant isolation at infrastructure layer. |
| Data location | Primary: Scaleway fr-par (Paris, France). Backups: Hetzner fsn1 (Falkenstein, Germany). No data outside EU/EEA. |
| Personnel | All personnel with access to Customer Data bound by confidentiality obligations |
Hackerman AB
Drakenbergsgatan 33, 412 69 Gothenburg, Sweden
Org. nr: 559079-1918
legal@codebahn.net · privacy@codebahn.net · security@codebahn.net