Legal

Data Processing Agreement

GDPR-compliant data processing for enterprise customers.

Last updated: February 27, 2026
00

Introduction

This Data Processing Agreement ("DPA") forms part of the Redshift Terms of Service and governs the processing of Personal Data by Redshift on behalf of Customer. This DPA reflects the parties' commitment to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and equivalent regulations.

01

Definitions

"Controller": The Customer (you), who determines the purposes and means of processing Personal Data.

"Processor": Redshift, which processes Personal Data on behalf of the Controller.

"Personal Data": Any information relating to an identified or identifiable natural person processed via the Redshift service.

"Data Subject": An identified or identifiable natural person whose Personal Data is processed.

"Subprocessor": Any third party appointed by Redshift to process Personal Data.

02

Details of Processing

Subject Matter

Provision of the Redshift workflow automation platform and related services.

Duration

The term of the Customer's subscription, plus a 90-day post-termination period for data return/deletion.

Nature of Processing

Cloud-based software-as-a-service (SaaS) platform for developer workflow management.

Purpose of Processing

To provide workflow automation, issue tracking integration, code review, AI-powered assistance, and team collaboration features as directed by Customer.

Categories of Personal Data

01 User account information (name, email, GitHub profile data)
02 Repository metadata (commit messages, branch names, file names)
03 Issue tracking data (ticket descriptions, comments, status updates)
04 Workspace and team membership information
05 User-generated content (notes, todos, pre-PR descriptions)
06 Usage and activity data (login times, feature usage, AI token consumption)

Categories of Data Subjects

01 Customer's employees
02 Customer's contractors and consultants
03 Customer's end users (if applicable)

03

Processor Obligations

Redshift will:

Process Personal Data only on documented instructions from Customer
Ensure persons authorized to process Personal Data have committed to confidentiality
Implement appropriate technical and organizational measures (see Security Overview)
Not engage subprocessors without prior notice (see Subprocessors)
Assist Customer in responding to Data Subject requests
Assist Customer in ensuring compliance with security obligations
Delete or return Personal Data upon termination (at Customer's choice)
Make available information necessary to demonstrate compliance

04

Security Measures

Redshift implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data at rest (AES-256-CBC) and in transit (TLS 1.3)
Role-based access controls and session authentication
Regular security monitoring and vulnerability assessments
Automated backup and disaster recovery procedures
Incident response and breach notification procedures

For complete details, see our Security Overview.

05

Subprocessors

Customer provides general authorization for Redshift to engage subprocessors listed on our Subprocessors page.

Redshift will provide at least 30 days' advance notice before adding or replacing subprocessors. Customer may object to new subprocessors on reasonable data protection grounds by contacting hello@redshifthub.com.

Redshift ensures all subprocessors are bound by data protection obligations equivalent to those in this DPA.

06

Data Subject Rights

Redshift will assist Customer in fulfilling its obligations to respond to Data Subject requests, including:

Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to data portability
Right to restriction of processing
Right to object

Submit Data Subject requests to hello@redshifthub.com. Redshift will respond within 30 days.

07

Data Breach Notification

Redshift will notify Customer within 24 hours of becoming aware of any Personal Data breach. Notification will include:

Nature of the breach and categories of data affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact information for further inquiries

08

Audit Rights

Customer may request security documentation and compliance evidence annually. Upon request, Redshift will provide:

Security policies and procedures documentation
Infrastructure provider certifications (SOC 2 or equivalent)
Responses to standard security questionnaires
Third-party audit reports (where available)

On-site audits are available by prior written agreement only and may be subject to reasonable fees and scheduling constraints.

09

International Data Transfers

Personal Data may be transferred to and processed in the United States. For transfers from the EU/EEA, Redshift relies on:

EU-US Data Privacy Framework (via Firebase (Google Cloud))
Standard Contractual Clauses (SCCs) as approved by the European Commission
Appropriate safeguards as required under GDPR Article 46

10

Return and Deletion of Data

Upon termination of the Customer's subscription, Redshift will:

Provide Customer with the option to export all Personal Data in JSON format
Delete all Personal Data within 30 days of termination
Retain only data required for legal compliance (e.g., billing records) as permitted by law

Request expedited deletion by contacting hello@redshifthub.com.

11

Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Redshift Terms of Service. Nothing in this DPA reduces either party's liability under applicable data protection laws.

12

Governing Law

This DPA is governed by the same law and jurisdiction provisions as the Redshift Terms of Service.

Need an Executed DPA?

Enterprise customers can request a signed, executable Data Processing Agreement. We'll work with your legal team to ensure all requirements are met.
