/dpa
Data Processing Addendum
Last updated: July 12, 2026
This Data Processing Addendum ("DPA") forms part of the devsplit Terms of Service between the customer ("Customer") and Denvo LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States ("Denvo"). It applies whenever Denvo processes personal data on behalf of the Customer in the course of design, engineering, deployment, hosting, or care services for the Customer's projects.
This DPA reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and applies automatically to all customers; no signature is required. In case of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.
1. Roles and scope
The Customer is the controller for personal data contained in its projects and systems. Denvo acts as processor when it processes that data to provide the agreed services, and only on the Customer's documented instructions.
Denvo acts as an independent controller for its own business operations, such as contact handling, contracts, billing, security, and legal compliance. That processing is described in the Privacy Policy, not this DPA.
2. Subject matter, duration, nature and purpose
Subject matter: design, development, deployment, maintenance, and support of the Customer's websites, SaaS platforms, and AI products, including hosting and care services where agreed.
Duration: for the term of the engagement, until its completion or termination, plus any period required by law. Nature and purpose: developing, configuring, deploying, debugging, and supporting the Customer's project systems as instructed, which can involve access to personal data stored in those systems.
3. Categories of data subjects and personal data
Data subjects: end users, customers, employees, and other individuals whose personal data the Customer stores in its project systems. The categories of personal data are determined by the Customer and may include any data stored in the systems covered by the engagement.
Customers should avoid granting access to special categories of data (Art. 9 GDPR) unless they have a lawful basis and appropriate safeguards, and should inform Denvo before doing so.
4. Processing instructions
Denvo processes Customer data only on documented instructions, given through the engagement agreement, project briefs, tickets, support requests, this DPA, the Terms of Service, and any written agreement signed by both parties.
Denvo will inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law, and may suspend execution of that instruction until it is confirmed or changed. Denvo may process data where required by applicable law; in that case Denvo will inform the Customer before processing unless the law prohibits it.
5. Confidentiality
Denvo restricts access to Customer data to personnel and systems that need it to provide, secure, or support the services. All personnel authorized to process Customer data are bound by contractual or statutory confidentiality obligations that survive the end of their engagement.
6. Security (Art. 32 GDPR)
Taking into account the state of the art and the risks of the processing, Denvo implements appropriate technical and organizational measures, including: HTTPS/TLS encryption in transit; encryption at rest where the chosen stack supports it; least-privilege, role-based access to Customer systems; separation of development, staging, and production environments; code review before deployment; and no copies of production data outside the Customer's systems without instruction.
Denvo may update these measures over time provided the overall level of protection is not reduced.
7. Subprocessors
The Customer grants Denvo general authorization to engage subprocessors to provide hosting, infrastructure, and development workflows. Subprocessors are chosen per project as agreed in the project documentation; typical subprocessors are:
- Vercel (United States / global infrastructure): hosting for websites and web applications; processes HTTP requests, IP addresses, headers, logs, and deployment metadata.
- Supabase (region per project): authentication, database, and storage where the project uses it; processes the project data stored in those systems.
- GitHub (United States / global infrastructure): source code hosting and deployment workflows; processes repository content and related metadata.
- Stripe (United States / global infrastructure): payment processing where the project includes billing; processes the billing data handled by the project.
8. Subprocessor changes
Denvo imposes data protection obligations on subprocessors consistent with this DPA and remains liable for their performance. Denvo will inform the Customer of intended additions or replacements of subprocessors at least 10 days in advance by updating this page and, for material changes affecting an active engagement, by email. The Customer may object on reasonable data protection grounds; if no solution is found, the Customer may terminate the affected service.
9. Assistance and data subject requests
Taking into account the nature of the processing, Denvo will assist the Customer with appropriate technical and organizational measures in fulfilling the Customer's obligations to respond to data subject requests (Art. 12-23 GDPR), and with the Customer's obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), where the request relates to data processed by Denvo and cannot be handled directly by the Customer.
If a data subject contacts Denvo directly about data processed on behalf of the Customer, Denvo will forward the request to the Customer without undue delay and will not respond on the merits without the Customer's instruction, unless legally required.
10. Personal data breach notification
Denvo will notify the Customer without undue delay, and no later than 72 hours after becoming aware, of a personal data breach affecting Customer data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and data subjects concerned, likely consequences, and measures taken or proposed. Denvo will cooperate with the Customer in investigating and remediating the breach.
11. Deletion and return
Project systems and their data live in Customer-controlled accounts wherever possible and remain under the Customer's control. After the end of the services, Denvo will delete or return remaining Customer data in its possession, at the Customer's choice, unless applicable law requires storage.
12. Audits and information
Denvo will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, including summaries of security measures and relevant provider certifications. Where this is insufficient, Denvo will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, at reasonable intervals, with reasonable prior written notice, during business hours, without disrupting operations, and subject to confidentiality. The Customer bears the costs of such audits unless they reveal material non-compliance.
13. International transfers
Because Denvo is located in the United States, processing of Customer data can involve a transfer of personal data from the EU/EEA, the United Kingdom, or Switzerland to the United States. For these transfers, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (controller to processor), with the Customer as data exporter and Denvo as data importer, including the UK International Data Transfer Addendum and the Swiss adaptations where applicable. Sections 2, 3, 6, and 7 of this DPA serve as the annexes describing the processing, data categories, security measures, and subprocessors.
Where a subprocessor is certified under the EU-U.S. Data Privacy Framework, transfers to that subprocessor may instead rely on the corresponding adequacy decision.
14. Governing law and contact
This DPA is governed by the laws of the State of New Mexico, USA, except where mandatory data protection law of the Customer's jurisdiction applies, including the Standard Contractual Clauses, which are governed as set out in the clauses themselves.
For DPA or data processing questions, contact: hello@devsplit.io.