Data Processing Addendum (DPA)
Last updated: 19 February 2026
About this document:
This Data Processing Addendum summarizes the terms under which Dagg Intelligence Services AB processes personal data on behalf of customers using the DIS platform. It forms part of the agreement between you (the Customer) and Dagg Intelligence Services AB, and supplements our Terms of Use and Privacy Policy.
1. Parties and Scope
This DPA applies to the processing of personal data by Dagg Intelligence Services AB (“Processor” or “DIS”) on behalf of the customer organization (“Controller” or “Customer”) in connection with the DIS platform.
The Customer acts as the data controller, determining the purposes and means of processing personal data submitted to DIS. DIS acts as the data processor, processing personal data solely on the Customer’s documented instructions and in accordance with this DPA.
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679), including but not limited to:
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Controller: The entity that determines the purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of the controller.
- Subprocessor: A third party engaged by the processor to process personal data on behalf of the controller.
3. Data Processing Scope
Data Subjects
Personal data processed under this DPA may relate to the following categories of data subjects:
- Customer employees and contractors who use or are referenced in the DIS platform.
- Individuals whose personal data appears in Customer content ingested into DIS (such as commit authors, issue assignees, and message participants).
Types of Data
- Names, email addresses, and user identifiers from connected platforms.
- Author information and timestamps from source code, issues, and documentation.
- Messages and communications from connected platforms (e.g., Slack).
- Usage and interaction data within the DIS platform.
Processing Activities
- Ingestion and indexing of Customer content from connected integrations.
- Construction and maintenance of knowledge graphs.
- Generation of vector embeddings for semantic search.
- AI-powered analysis and agent workflows.
- Storage, backup, and retrieval of Customer data.
4. Processor Obligations
In accordance with Article 28 of the GDPR, DIS as Processor undertakes the following obligations:
- Documented instructions: Process personal data only on the Customer’s documented instructions, including with regard to transfers of personal data outside the EEA, unless required by EU or member state law.
- Confidentiality: Ensure that all personnel authorized to process personal data have committed to confidentiality or are under appropriate statutory obligations.
- Security measures (Art. 32): Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular security testing.
- Data subject request assistance: Assist the Customer in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22.
- DPIA assistance: Assist the Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities where required.
- Deletion or return on termination: Upon termination of the service, delete or return all personal data to the Customer, and delete existing copies unless EU or member state law requires retention.
- Audit availability: Make available to the Customer all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits and inspections.
5. Controller Obligations
The Customer as Controller is responsible for:
- Lawful basis: Ensuring that a valid legal basis exists for the processing of personal data submitted to DIS.
- Written instructions: Providing documented instructions for the processing of personal data, and ensuring such instructions comply with applicable data protection laws.
- Records maintenance: Maintaining records of processing activities as required by Article 30 of the GDPR.
6. Subprocessors
DIS currently engages the following subprocessors:
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure, storage, databases, compute | Belgium, EU |
| Auth0 (Okta) | Authentication and identity management | EU / US + SCCs |
The Customer provides general authorization for DIS to engage subprocessors. DIS will notify the Customer of any intended changes to subprocessors, providing at least 30 days’ notice before the new subprocessor begins processing personal data. The Customer may object to a new subprocessor within this notice period.
7. Security Measures
DIS implements appropriate technical and organizational security measures as described in our Security & Trust documentation. Key measures include:
- Encryption in transit: All data transmission is encrypted using TLS.
- Encryption at rest: All databases, backups, and stored data are encrypted using GCP-managed encryption keys.
- Access controls: Strict least-privilege access to production systems, with access restricted to authorized engineering personnel.
- Audit logging: Authentication events, administrative actions, and data access operations are logged and monitored.
- Application-level encryption: Sensitive items such as access tokens are additionally encrypted at the application level before storage.
- Network security: VPC isolation, firewall rules, WAF, and DDoS protection.
8. International Data Transfers
DIS processes Customer data primarily within the EU/EEA, using GCP infrastructure in europe-west1 (Belgium).
Where personal data is transferred outside the EEA (for example, through subprocessors with infrastructure in the United States), DIS ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical measures where necessary.
9. Data Breach Notification
In the event of a personal data breach affecting Customer data, DIS will notify the Customer without undue delay and in any event within 48 hours of becoming aware of the breach.
The notification will include:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
10. Audit Rights
The Customer has the right to audit DIS’s compliance with this DPA. Audits are subject to the following conditions:
- Reasonable notice: The Customer must provide at least 30 days’ written notice before conducting an audit.
- Annual audit reports: DIS will make available annual audit reports or certifications to demonstrate compliance, which may satisfy the Customer’s audit requirements.
- Scope and conduct: Audits shall be conducted during normal business hours, shall not unreasonably interfere with DIS operations, and shall be subject to appropriate confidentiality obligations.
11. Data Deletion and Return
Upon termination of the service agreement, DIS will, at the Customer’s choice, delete or return all personal data processed on the Customer’s behalf within 30 days of termination.
- Active data stores will be purged within 24 hours of receiving a deletion request.
- Encrypted backups will be retained for up to 30 days and then automatically expired.
- DIS will provide written certification of deletion upon the Customer’s request, confirming that all personal data has been deleted or returned.
12. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations set out in our Terms of Use, and each party is liable for damage caused by processing that infringes the GDPR in accordance with Article 82.
13. Term and Termination
This DPA is effective for the duration of the Customer’s use of the DIS platform. The obligations relating to data processing, confidentiality, and deletion survive termination of the service agreement for the period necessary to complete the deletion of all personal data, including the backup retention period.
14. Contact
For questions or requests regarding this Data Processing Addendum:
- Privacy inquiries: privacy@dagg.ai
- Legal inquiries: legal@dagg.ai
Additional Resources:
For more information about how we protect your data and operate our service, please review:
- Privacy Policy - How we collect, use, and protect your data
- GDPR Data Policy - Our GDPR compliance and data subject rights
- Terms of Use - Legal terms governing your use of DIS
- Security & Trust - Our security architecture and practices