we45, Inc. · VibeReview

Data Processing Agreement

Standard DPA terms for customers processing personal data through VibeReview.

Effective May 22, 2026

Effective Date: May 22, 2026

Last Updated: May 22, 2026

This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable subscription agreement ("Controller," "Customer," or "you") and we45, Inc., doing business as VibeReview ("Processor," "Company," "we," or "our"). This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in connection with the VibeReview platform (the "Service").

1. Definitions

In addition to terms defined elsewhere in this DPA, the following definitions apply:

  • "Applicable Data Protection Laws" means all applicable laws relating to the processing of personal data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other similar laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
  • "Sub-Processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission for the transfer of personal data to countries outside the EEA.

2. Scope and Roles

2.1 Roles

For the purposes of this DPA: (a) the Customer is the Controller, determining the purposes and means of Processing; and (b) the Company is the Processor, Processing Personal Data on behalf of the Controller in connection with the Service.

2.2 Types of Personal Data Processed

The Service may process the following categories of Personal Data:

Category: Details

  • Account Data: Name, email address, organization name, role/title
  • Authentication Data: Hashed credentials, OAuth tokens (encrypted), SSO identifiers
  • Repository Metadata: Repository names, contributor names/emails (from Git metadata), branch names
  • Usage Data: IP addresses, browser information, session identifiers, feature usage logs
  • Billing Data: Billing name, address, payment method identifiers (processed by third-party payment processor)

2.3 Purpose of Processing

Personal Data is processed solely for the purpose of providing the Service, including: account management, repository profiling and threat modeling, guardrail generation and delivery, PR review, dashboard analytics, billing, and customer support.

3. Obligations of the Processor

The Processor shall:

  • 3.1 Process Personal Data only on documented instructions from the Controller, unless required by law. If the Processor is required by law to process Personal Data, it shall notify the Controller of that requirement before processing (unless prohibited by law).
  • 3.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5.
  • 3.4 Assist the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws.
  • 3.5 Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
  • 3.6 At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless storage is required by law.
  • 3.7 Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Sub-Processors

4.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-Processors. The Processor shall maintain a current list of Sub-Processors, available upon request and on our trust page.

4.2 Sub-Processor Obligations

The Processor shall: (a) conduct due diligence on each Sub-Processor's data protection capabilities; (b) impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA; and (c) remain liable for the acts and omissions of its Sub-Processors.

4.3 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-Processors. The Controller may object to a new Sub-Processor by notifying the Processor in writing within 15 days. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the affected Service.

4.4 Current Sub-Processors

The following Sub-Processors are engaged as of the effective date:

Sub-Processor (Location): Purpose

  • DigitalOcean, LLC (United States): Cloud hosting for application and database infrastructure
  • Cloudflare, Inc. (United States, global edge network): CDN, DNS, edge compute, MCP server hosting, website hosting, transactional email delivery
  • Requesty (United States): AI inference for threat modeling, guardrail generation, and code review
  • Stripe, Inc. (United States): Subscription billing and payment processing
  • Google LLC, Workspace (United States): Corporate email for user communications and support
  • Google LLC, Analytics (United States): Website and product usage analytics
  • Matomo, InnoCraft Ltd (New Zealand / self-hosted): Privacy-focused product usage analytics
  • Zitadel Cloud, CAOS AG (Switzerland / Europe): Identity provider: authentication, authorization, RBAC, SCIM provisioning, SSO

5. Security Measures

The Processor implements and maintains the following technical and organizational security measures:

5.1 Encryption

  • Data in transit: TLS 1.2 or higher for all communications
  • Data at rest: AES-256 encryption for stored data
  • OAuth tokens and API keys: encrypted at rest with separate key management

5.2 Access Controls

  • Role-based access control (RBAC) for all internal systems
  • Principle of least privilege for employee and system access
  • Multi-factor authentication (MFA) required for all internal access
  • Regular access reviews and revocation of unnecessary permissions

5.3 Infrastructure Security

  • Hosted on SOC 2 Type II and ISO 27001 certified infrastructure
  • Network segmentation and firewall controls
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing

5.4 Operational Security

  • Security incident response plan with defined escalation procedures
  • Employee security awareness training
  • Background checks for personnel with access to Personal Data
  • Secure software development lifecycle (SSDLC)

5.5 Source Code Handling

Critical: Customer source code is accessed transiently during repository profiling and is not stored at rest. Source code is processed in memory, and only derived metadata is persisted. Source code is never transmitted to Sub-Processors in raw form.

6. Data Breach Notification

6.1 The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach affecting Controller Personal Data.

6.2 The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach; and (e) the contact details of the Processor's data protection officer or point of contact.

6.3 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

7. International Data Transfers

7.1 The Processor is based in the United States. Personal Data from the European Economic Area, United Kingdom, or Switzerland may be transferred to the United States.

7.2 For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, the parties agree to the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission, which are incorporated by reference into this DPA.

7.3 The Processor shall implement supplementary measures as necessary to ensure that Personal Data transferred internationally receives an essentially equivalent level of protection.

8. Data Subject Rights

8.1 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in responding to data subject requests, including requests for access, rectification, erasure, data portability, restriction of processing, and objection.

8.2 If the Processor receives a request from a data subject directly, it shall promptly redirect the data subject to the Controller and notify the Controller, unless otherwise instructed.

9. Data Retention and Deletion

9.1 The Processor retains Personal Data only for as long as necessary to provide the Service and as set forth in the Privacy Policy.

9.2 Upon termination of the Service or at the Controller's written request, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law.

9.3 The Processor shall provide written confirmation of deletion upon the Controller's request.

10. Audits

10.1 The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits shall be conducted during normal business hours, with reasonable advance notice (at least 30 days), and shall not unreasonably interfere with the Processor's operations.

10.2 The Processor shall make available SOC 2 Type II and ISO 27001 audit reports upon request. The Controller agrees that such reports shall satisfy audit requirements unless specific concerns warrant additional investigation.

10.3 The Controller shall bear its own costs for audits, except where an audit reveals a material breach of this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Laws to the extent such limitation is prohibited by law.

12. Term and Termination

12.1 This DPA commences on the date the Controller begins using the Service and continues until the Service agreement is terminated.

12.2 The obligations of the Processor regarding the return or deletion of Personal Data and the provisions of Sections 5, 6, 7, 10, and 11 shall survive termination.

13. Governing Law

13.1 This DPA is governed by the laws of the State of Wyoming, except that data protection provisions shall be interpreted in accordance with the Applicable Data Protection Laws of the data subject's jurisdiction.

13.2 For EEA data subjects, the courts of the EEA Member State in which the data subject resides shall have jurisdiction in matters relating to data protection rights.

14. Contact

For questions about this Data Processing Agreement:

we45, Inc.

30 N Gould St, Sheridan, WY 82801

Data Protection Contact: privacy@we45.com

Legal: legal@we45.com

Security: security@we45.com

Website: https://vibereview.app
