Last updated: April 29, 2026 · Version 1.0
This Data Processing Addendum (“DPA”) supplements the PullGuard subscription agreement (“Agreement”) between the customer (“Controller”) and PullGuard (“Processor”) and applies where PullGuard processes Personal Data on the Controller’s behalf in connection with the PullGuard service.
This DPA is offered as a standalone document for review under GDPR Article 28. Enterprise customers requiring a signed counterpart for their procurement records can request execution by emailing hello@pullguard.dev; counter-signed PDFs are returned within 5 business days.
PullGuard’s analysis runs entirely on the Controller’s GitHub Actions runners — source code, file contents, and analysis results never reach PullGuard infrastructure. Accordingly the only Personal Data processed under this DPA is the limited account-administration data described in Section 3.
Source code analyzed by the PullGuard image is not processed by PullGuard within the meaning of GDPR Article 4(2). The Controller remains the sole controller and processor of its source code at all times.
PullGuard processes Personal Data solely to (a) authenticate license keys at scan time, (b) issue and rotate license keys, (c) deliver service-related notifications, and (d) bill subscription fees. Processing continues for the duration of the Agreement and the post-termination wind-down period defined in Section 9.
| Category | Purpose | Retention |
|---|---|---|
| Account email address | License-key delivery, billing notifications, service updates | Subscription term + 30 days post-cancellation |
| Organization name and bound repository identifier | License-key binding (which org / repo a Pro tier covers); Team-tier 10-repo cap accumulator | Subscription term + 30 days post-cancellation |
| Source IP address (license validation requests) | Short-window rate limiting on the validation API to prevent token enumeration | 60 seconds (TTL on the rate-limit KV key) |
| Stripe customer identifier | Subscription lifecycle events (renewal, cancellation, refund) | Subscription term + statutory accounting retention via Stripe |
Data subjects are limited to (i) the Controller’s billing contact and (ii) any individual whose source IP transits the Cloudflare Worker during a license-validation request from the Controller’s GitHub Actions runner.
PullGuard engages the following sub-processors to deliver the service. Each is bound by GDPR-aligned data protection terms in their respective customer agreements.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. (Workers + KV) | License-validation API, license-key issuance, static site hosting | Global edge network with EU-resident eligibility |
| Stripe, Inc. | Subscription billing and payment processing | USA / EU (depending on customer billing entity) |
| Resend (Resend Inc.) | Outbound transactional email (license-key delivery, renewal notices) | USA |
| GitHub, Inc. | Marketplace App identity, OAuth authentication for the App install flow, container image registry (GHCR) | USA |
PullGuard will provide at least 30 days’ notice before adding or replacing a sub-processor. The Controller may object to a sub-processor change on reasonable grounds; if the parties cannot resolve the objection, the Controller may terminate the Agreement on a pro-rata refund basis.
Where Personal Data is transferred outside the European Economic Area (EEA), the parties rely on the European Commission Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) as the transfer mechanism. By executing the subscription Agreement, the Controller is deemed to have entered into Module 2 with PullGuard as the data importer; PullGuard’s sub-processors operate under their own SCC arrangements with PullGuard.
PullGuard maintains the technical and organizational measures listed below. They are aligned with industry baselines for a SaaS service of this scope and may be updated to reflect evolving best practice without weakening overall protection.
Cache-Control: private, no-store to prevent edge caching of credentials.PullGuard will assist the Controller in responding to data subject requests under GDPR Articles 15–22 within 30 days of receiving the request. Because PullGuard does not process source code, requests typically reduce to (i) producing a copy of the email address and Stripe customer identifier we hold, (ii) correcting them, or (iii) erasing them on subscription cancellation.
PullGuard will notify the Controller of any confirmed Personal Data breach affecting the Controller’s data without undue delay, and in any event within 72 hours of confirmation. Notice will include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and the measures taken or proposed to address it.
On termination of the Agreement, PullGuard will delete all Personal Data within 30 days unless retention is required by law. Stripe-side billing records subject to statutory retention are retained for the period required by applicable accounting legislation. The Controller may request a final export of account-level data prior to deletion.
PullGuard makes available to the Controller, upon reasonable written request, the information necessary to demonstrate compliance with this DPA, including the SOC 2 Security Evidence reports generated continuously by the PullGuard scanner against its own codebase. The Controller may, no more than once per calendar year and at its own cost, conduct an audit of PullGuard’s controls relevant to this DPA, subject to a reasonable confidentiality undertaking and not unreasonably interfering with PullGuard’s business.
This DPA is governed by the laws of Ireland and is interpreted in accordance with the Agreement’s governing-law provisions. Any conflict between this DPA and the Agreement is resolved in favor of this DPA solely with respect to the processing of Personal Data.
All notices, sub-processor objections, audit requests, breach inquiries, and DPA execution requests should be directed to hello@pullguard.dev.
This DPA is offered as Version 1.0 of the standard PullGuard data-processing terms. Bespoke amendments for specific Enterprise procurement requirements (e.g. additional sub-processor restrictions, expanded audit rights, custom breach-notification windows) are available on request as part of the Enterprise contract.
← Back to PullGuard