Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Reproit ("Processor", "we") and the customer accepting the Terms ("Controller", "you"), and applies whenever we process personal data on your behalf while providing the hosted service. If you need a countersigned copy, email agho@reproit.com.
1. Roles and scope
For crash telemetry your apps send us and for reproduction artifacts your CI posts back, you are the controller and we are the processor. For your account data (email, workspace membership, billing plan) we are an independent controller. We process personal data only to provide, secure, and support the service, and only on your documented instructions, which are: the Terms, this DPA, and your configuration of the service.
2. What is processed
- Subject matter and nature: ingestion, deduplication, and orchestration of crash telemetry so bugs can be reproduced deterministically in your own CI.
- Categories of data: derived crash signatures, normalized error messages, structural interaction paths, PII-safe input fingerprints (length, character classes, scripts; never raw values), coarse environment data (platform, OS version, locale, timezone), an optional hashed user id you may supply, and reproduction verdicts and synthetic-replay recordings your CI uploads.
- What is never processed: your source code, builds, or simulators; the raw values your users type; session recordings or pixels of real user sessions. The SDKs are built not to transmit them.
- Data subjects: end users of your applications and members of your workspace.
- Duration: your plan's retention window, after which telemetry is deleted automatically; the agreement lasts as long as the Terms.
3. Our obligations
- Process personal data only on your documented instructions, and tell you if we believe an instruction violates applicable data-protection law.
- Ensure everyone we authorize to process personal data is bound by confidentiality.
- Maintain appropriate technical and organizational measures: workspace-isolated databases, encryption in transit, encryption of integration credentials at rest, hashed session tokens, audited administrative access, and retention-window deletion. The architecture itself is the primary measure: reproduction runs execute in your CI, so the most sensitive material never reaches us.
- Notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information we have at the time.
- Assist you, to the extent reasonable given the nature of the processing, with data-subject requests and with your security and impact-assessment obligations.
- Delete your personal data at termination: deleting your workspace deletes its database, stored evidence, keys, and members. Export is available on request before deletion.
- Make available the information reasonably necessary to demonstrate compliance, and allow audits as required by law, normally satisfied by our documentation and security summaries.
4. Sub-processors
You authorize the sub-processors listed at reproit.com/subprocessors. We will notify account holders by email at least 30 days before adding or replacing a sub-processor; if you object on reasonable data-protection grounds and we cannot resolve it, you may terminate and receive a pro-rated refund of prepaid fees. Sub-processors are bound by data-protection obligations no less protective than this DPA.
5. International transfers
Where personal data originating in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two, controller to processor), and for UK transfers the UK International Data Transfer Addendum, by reference into this DPA. Annex details (parties, data, measures) are as described in this DPA and on the sub-processor page.
6. Precedence and liability
If this DPA conflicts with the Terms, this DPA controls for data-protection matters. Liability under this DPA is subject to the limitations in the Terms. This DPA is governed by the same law and venue as the Terms.