← Back to PullGuard

Data Processing Addendum

Last updated: April 29, 2026 · Version 1.0

This Data Processing Addendum (“DPA”) supplements the PullGuard subscription agreement (“Agreement”) between the customer (“Controller”) and PullGuard (“Processor”) and applies where PullGuard processes Personal Data on the Controller’s behalf in connection with the PullGuard service.

This DPA is offered as a standalone document for review under GDPR Article 28. Enterprise customers requiring a signed counterpart for their procurement records can request execution by emailing hello@pullguard.dev; counter-signed PDFs are returned within 5 business days.

1. Scope and Limited Processing Boundary

PullGuard’s analysis runs entirely on the Controller’s GitHub Actions runners — source code, file contents, and analysis results never reach PullGuard infrastructure. Accordingly the only Personal Data processed under this DPA is the limited account-administration data described in Section 3.

Source code analyzed by the PullGuard image is not processed by PullGuard within the meaning of GDPR Article 4(2). The Controller remains the sole controller and processor of its source code at all times.

2. Subject Matter and Duration

PullGuard processes Personal Data solely to (a) authenticate license keys at scan time, (b) issue and rotate license keys, (c) deliver service-related notifications, and (d) bill subscription fees. Processing continues for the duration of the Agreement and the post-termination wind-down period defined in Section 9.

3. Categories of Personal Data and Data Subjects

CategoryPurposeRetention
Account email address License-key delivery, billing notifications, service updates Subscription term + 30 days post-cancellation
Organization name and bound repository identifier License-key binding (which org / repo a Pro tier covers); Team-tier 10-repo cap accumulator Subscription term + 30 days post-cancellation
Source IP address (license validation requests) Short-window rate limiting on the validation API to prevent token enumeration 60 seconds (TTL on the rate-limit KV key)
Stripe customer identifier Subscription lifecycle events (renewal, cancellation, refund) Subscription term + statutory accounting retention via Stripe

Data subjects are limited to (i) the Controller’s billing contact and (ii) any individual whose source IP transits the Cloudflare Worker during a license-validation request from the Controller’s GitHub Actions runner.

4. Sub-Processors

PullGuard engages the following sub-processors to deliver the service. Each is bound by GDPR-aligned data protection terms in their respective customer agreements.

Sub-processorPurposeRegion
Cloudflare, Inc. (Workers + KV) License-validation API, license-key issuance, static site hosting Global edge network with EU-resident eligibility
Stripe, Inc. Subscription billing and payment processing USA / EU (depending on customer billing entity)
Resend (Resend Inc.) Outbound transactional email (license-key delivery, renewal notices) USA
GitHub, Inc. Marketplace App identity, OAuth authentication for the App install flow, container image registry (GHCR) USA

PullGuard will provide at least 30 days’ notice before adding or replacing a sub-processor. The Controller may object to a sub-processor change on reasonable grounds; if the parties cannot resolve the objection, the Controller may terminate the Agreement on a pro-rata refund basis.

5. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the parties rely on the European Commission Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) as the transfer mechanism. By executing the subscription Agreement, the Controller is deemed to have entered into Module 2 with PullGuard as the data importer; PullGuard’s sub-processors operate under their own SCC arrangements with PullGuard.

6. Security Measures

PullGuard maintains the technical and organizational measures listed below. They are aligned with industry baselines for a SaaS service of this scope and may be updated to reflect evolving best practice without weakening overall protection.

7. Data Subject Rights

PullGuard will assist the Controller in responding to data subject requests under GDPR Articles 15–22 within 30 days of receiving the request. Because PullGuard does not process source code, requests typically reduce to (i) producing a copy of the email address and Stripe customer identifier we hold, (ii) correcting them, or (iii) erasing them on subscription cancellation.

8. Personal Data Breach Notification

PullGuard will notify the Controller of any confirmed Personal Data breach affecting the Controller’s data without undue delay, and in any event within 72 hours of confirmation. Notice will include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and the measures taken or proposed to address it.

9. Return or Deletion

On termination of the Agreement, PullGuard will delete all Personal Data within 30 days unless retention is required by law. Stripe-side billing records subject to statutory retention are retained for the period required by applicable accounting legislation. The Controller may request a final export of account-level data prior to deletion.

10. Audit Rights

PullGuard makes available to the Controller, upon reasonable written request, the information necessary to demonstrate compliance with this DPA, including the SOC 2 Security Evidence reports generated continuously by the PullGuard scanner against its own codebase. The Controller may, no more than once per calendar year and at its own cost, conduct an audit of PullGuard’s controls relevant to this DPA, subject to a reasonable confidentiality undertaking and not unreasonably interfering with PullGuard’s business.

11. Governing Law

This DPA is governed by the laws of Ireland and is interpreted in accordance with the Agreement’s governing-law provisions. Any conflict between this DPA and the Agreement is resolved in favor of this DPA solely with respect to the processing of Personal Data.

12. Contact

All notices, sub-processor objections, audit requests, breach inquiries, and DPA execution requests should be directed to hello@pullguard.dev.

This DPA is offered as Version 1.0 of the standard PullGuard data-processing terms. Bespoke amendments for specific Enterprise procurement requirements (e.g. additional sub-processor restrictions, expanded audit rights, custom breach-notification windows) are available on request as part of the Enterprise contract.

← Back to PullGuard