Data Processing Agreement
Effective date: April 15, 2026
Last updated: April 15, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the SigmaShake Terms of Use between SigmaShake ("Processor," "we," "us") and the customer ("Controller," "you"). It applies when you use SigmaShake Pro or Enterprise services that involve the processing of personal data.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Processing" — any operation on Personal Data (collection, storage, use, disclosure, deletion).
- "Data Subject" — the individual to whom Personal Data relates.
- "Sub-processor" — a third party engaged by SigmaShake to process Personal Data on your behalf.
- "GDPR" — EU General Data Protection Regulation 2016/679.
- "CCPA" — California Consumer Privacy Act.
2. Scope and Nature of Processing
SigmaShake processes the following categories of data on your behalf:
| Category | Examples | Purpose |
|---|---|---|
| Agent tool-call metadata | Tool name, command fragments, timestamps | Rule evaluation, audit log |
| User identifiers | GitHub user ID, email (Pro/Enterprise only) | Authentication, plan enforcement |
| Rule evaluation results | Decision (allow/block/ask), matched rule ID | Dashboard display, audit export |
| Usage metrics | Evaluation count, latency | Quota enforcement, billing |
SigmaShake does not process:
- Content of files the agent reads or writes (only file paths and the write-content fragments that trigger rules are processed)
- Source code in its entirety
- Credentials or secrets (our rules block their transmission)
3. Controller Obligations
You agree to:
- Ensure you have a lawful basis for any Personal Data processed through SigmaShake
- Provide appropriate privacy notices to your Data Subjects
- Respond to Data Subject rights requests using the mechanisms in Section 5
4. Processor Obligations
SigmaShake agrees to:
- Process Personal Data only on your documented instructions
- Ensure that personnel authorized to process Personal Data are bound by confidentiality
- Implement the security measures described in Section 6
- Not transfer Personal Data to third countries without appropriate safeguards
- Notify you within 72 hours of becoming aware of a Personal Data breach
5. Data Subject Rights
To exercise Data Subject rights (access, rectification, erasure, portability, restriction), contact privacy@sigmashake.com. We will respond within 30 days. For erasure requests, data is deleted from all systems within 30 days, except where retention is required by law.
6. Security Measures
SigmaShake implements the following technical and organizational measures:
- Encryption in transit: TLS 1.3 for all API communications
- Encryption at rest: AES-256 for D1 database storage via Cloudflare
- Access control: Role-based access; production data access limited to authorized engineers
- Audit logging: All administrative access to production systems is logged
- Incident response: Documented breach response procedure; 72-hour notification SLA
7. Sub-processors
SigmaShake uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, KV/D1 storage | USA (SCCs apply for EEA data) |
| Stripe, Inc. | Payment processing | USA (SCCs apply for EEA data) |
We will notify you at least 30 days before adding new sub-processors.
8. International Data Transfers
For transfers of EEA Personal Data to the United States, SigmaShake relies on the EU Standard Contractual Clauses (SCCs) as the appropriate safeguard. A copy of the applicable SCCs is available upon request at privacy@sigmashake.com.
9. Audit Rights
Upon written request with reasonable notice, SigmaShake will provide information necessary to demonstrate compliance with this DPA. We may satisfy this obligation through third-party audit certifications (when available) or questionnaire responses.
10. Data Retention and Deletion
| Data type | Retention period |
|---|---|
| Audit log events (Starter) | Not stored in cloud |
| Audit log events (Pro) | Retained during active subscription; enforced day-count limits ship in a future release |
| Audit log events (Enterprise) | Extended retention during active subscription; enforced limits and immutability ship in a future release |
| Billing records | 7 years (legal requirement) |
| Account data | Until account deletion + 30 days |
On termination of your subscription, we will delete your Personal Data within 30 days unless legally required to retain it.
11. Contact
For DPA-related questions: privacy@sigmashake.com
For security incidents: security@sigmashake.com
Enterprise customers requiring a countersigned DPA should contact sales@sigmashake.com.