Data Processing Addendum

DPA

Processor terms for customer-controlled personal data handled by the Bilbis AI engineering service.

Updated: May 6, 2026
Version: 1.0

Agreement

When this DPA applies

This Data Processing Addendum applies when a customer agreement, order form, or online terms incorporate it by reference and Bilbis processes Customer Personal Data on behalf of that customer. If a signed agreement conflicts with this DPA, the signed agreement controls to the extent of the conflict.

Roles

Controller and processor roles

Customer
Customer is the controller, business, or equivalent role for Customer Personal Data submitted to the Bilbis service.
Bilbis
Bilbis is the processor, service provider, or equivalent role when processing Customer Personal Data only to provide and secure the service.
Users
Users are customer personnel, contractors, or collaborators authorized to use a customer workspace.

Processing

Processing details

Subject matter
AI-assisted software engineering workflows, including ticket intake, code analysis, pull request generation, review, QA, reporting, and support.
Duration
For the term of the customer agreement and any retention period required by law, backup, security, or customer instruction.
Nature and purpose
Hosting, accessing, analyzing, transforming, transmitting, securing, and deleting Customer Personal Data as needed to provide the service.
Data subjects
Customer users, employees, contractors, candidates, end users, customers, and other individuals whose data appears in tickets, repositories, logs, or connected systems.
Data categories
Account details, identifiers, communications, engineering artifacts, tickets, code comments, logs, metadata, support records, and any personal data included by customer in connected systems.

Instructions

Customer instructions

Bilbis will process Customer Personal Data only on documented customer instructions, including the customer agreement, product configuration, workspace settings, support requests, and lawful written instructions. Bilbis will inform customer if it believes an instruction violates applicable data protection law, unless prohibited by law.

Controls

Confidentiality and personnel access

Bilbis limits personnel access to Customer Personal Data to people who need it to provide, support, secure, or improve the service. Personnel with access are subject to confidentiality obligations, and access is reviewed under internal security procedures.

Security

Technical and organizational measures

  • Access controls, least-privilege permissions, and administrative access review.
  • Encryption in transit, secure credential handling, and secret redaction where technically feasible.
  • Audit logs, monitoring, vulnerability management, backup controls, and incident response procedures.
  • Logical separation of customer workspaces and customer-controlled integrations where configured.
  • Secure development practices, code review, dependency review, and change management.
  • Vendor review for providers that process Customer Personal Data for Bilbis.

Sub-processors

Customer gives Bilbis general authorization to use sub-processors that help provide the service. Bilbis will impose data protection obligations on sub-processors that are materially no less protective than this DPA. Bilbis remains responsible for sub-processor performance as required by applicable law. Customers may request the current sub-processor list and object to material new sub-processors on reasonable data protection grounds.

Assistance

Rights requests and compliance support

Taking into account the nature of the processing and information available to Bilbis, Bilbis will reasonably assist customer with data subject requests, security obligations, data protection impact assessments, regulator consultations, and breach notifications. Customer is responsible for deciding how to respond to requests where customer controls the relevant data.

Incidents

Security incidents

Bilbis will notify customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data. Notices will include available information reasonably needed for customer to meet its breach notification obligations. Security notices may be sent to account administrators or security@bilbis.ai.

Transfers

International transfers

If Customer Personal Data protected by EEA, UK, or Swiss data protection law is transferred to a country without an adequacy decision, the parties will use appropriate transfer safeguards where required, such as standard contractual clauses, UK addenda, or equivalent mechanisms. Customer authorizes Bilbis and its sub-processors to make such transfers as needed to provide the service.

Audit

Audit and information rights

Bilbis will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by law, customer may request an audit through an independent third-party auditor under confidentiality obligations, subject to reasonable scope, timing, and security limits. The parties should first use available security documentation, reports, and written responses before requesting an on-site audit.

End of service

Return and deletion

At the end of the service, Bilbis will delete or return Customer Personal Data according to customer instructions, product capabilities, and the customer agreement, unless retention is required by law. Backup copies may remain for a limited period before being overwritten under standard backup cycles.

Data protection notices

For DPA execution, sub-processor lists, transfer questions, security documentation, or contract notices, contact the legal team.

legal@bilbis.ai