Data Processing Agreement
Last updated: February 5, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Agreement between ReleaseQA ("Processor") and the customer ("Controller") for the provision of the ReleaseQA test analytics platform ("Services").
This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, including collection, storage, use, and deletion.
- Data Subject — the individual to whom the Personal Data relates.
- Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope of Processing
The Processor processes Personal Data solely for the purpose of providing the Services, which includes:
- Storing and displaying test run results, metrics, and analytics
- Managing user accounts, authentication, and team memberships
- Processing billing and subscription information
- Sending transactional emails (invitations, alerts, reports)
- Generating AI-powered test failure analysis (when opted in)
Categories of Data Subjects
- Controller's employees and contractors who use the Services
- Individuals whose data may be included in test result metadata
Types of Personal Data
- Name, email address, profile information
- Authentication credentials (hashed)
- IP addresses and usage logs
- Test run metadata (commit SHAs, branch names, CI job URLs)
- Payment information (processed by Stripe; not stored by ReleaseQA)
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage another processor without prior written consent of the Controller
- Assist the Controller in responding to data subject rights requests
- Delete or return all Personal Data upon termination of the Agreement
- Make available to the Controller all information necessary to demonstrate compliance
5. Security Measures
The Processor implements the following security measures:
- Encryption in transit: All data transmitted over TLS 1.2+
- Encryption at rest: Database encryption via Neon PostgreSQL
- Access control: Role-based access control (RBAC) with owner, admin, member, and viewer roles
- Authentication: Multi-factor authentication (TOTP), SAML SSO, OAuth 2.0
- API security: SHA-256 hashed API keys, rate limiting, HMAC-signed webhooks
- Audit logging: Comprehensive audit trail of all administrative actions
- Vulnerability management: Automated dependency scanning (Trivy), CodeQL SAST, Gitleaks secret detection
- Incident response: Documented incident response runbook with severity-based SLAs
6. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting & CDN | United States |
| Neon Inc. | PostgreSQL database hosting | United States |
| Stripe Inc. | Payment processing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Upstash Inc. | Redis cache & rate limiting | United States |
| Anthropic PBC | AI-powered test analysis | United States |
| Sentry Inc. | Error monitoring & performance | United States |
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
8. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Notification shall include:
- The nature of the breach, including categories and approximate number of Data Subjects affected
- Contact details of the data protection officer or relevant contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Processor aims to notify the Controller within 48 hours of becoming aware of a breach. This is intended to leave the Controller time to meet its own obligation under Article 33 of the GDPR to notify the competent supervisory authority within 72 hours of becoming aware of the breach; the Processor's own obligation under Article 33(2) is to notify the Controller without undue delay.
9. Data Retention & Deletion
Test run data is retained according to the Controller's plan tier:
- Free plan: 7 days
- Pro plan: 30 days
- Team plan: 90 days
- Enterprise plan: Custom retention period agreed with the Controller, including indefinite retention
Upon termination, the Processor shall delete all Personal Data within 30 days unless retention is required by applicable law. The Controller may request data export in CSV or JSON format prior to termination.
10. International Transfers
Personal Data is processed in the United States. For transfers from the EEA/UK, the Processor relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as appropriate.
11. Contact
For questions regarding this DPA or to request a signed copy for your organization, please contact us at privacy@releaseqa.com.
Enterprise Customers
Need a custom DPA or have specific compliance requirements? Contact our sales team at enterprise@releaseqa.com to discuss your needs.