Data Processing Agreement

Last updated: May 30, 2026
Version: 2026.05
Applies to: EU · France · Canada · United States

In plain language

  • Your code never reaches us. Pyor is client-side with no Pyor-operated server. Your source, diffs, and review content flow directly between your machine and GitHub — we never receive or process them, so they fall outside this agreement entirely.
  • This DPA covers only account & billing data. For the limited personal data we handle on your behalf to run Teams — names, emails, GitHub logins, and org/seat information — you are the controller and Pyor is the processor under GDPR Art. 28.
  • It incorporates the EU Standard Contractual Clauses (modules 2 and 3), the UK Addendum, and Swiss amendments, and it reflects UK GDPR, the Swiss FADP, and Québec Law 25.
  • It’s built into the Terms when you subscribe to Teams. Want a countersigned copy for your records? Email legal@pyor.review.

This Data Processing Agreement (“DPA”) forms part of the agreement between «Registered legal entity name, e.g. Pyor Software SAS / Pyor Software, Inc.» (“Pyor”, “we”, “us”, the “Processor”) and the business customer that subscribes to Pyor Teams (“Customer”, “you”, the “Controller”) (each a “party”, together the “parties”). It governs the processing of personal data carried out by Pyor on the Customer’s behalf in connection with Pyor Teams and its billing (the “Services”). It is entered into under Article 28 of the EU General Data Protection Regulation (“GDPR”) and applies, as relevant, the UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), and Québec’s Act respecting the protection of personal information in the private sector (“Law 25”). Capitalised terms not defined here have the meaning given in the Terms or in applicable data-protection law (“Data Protection Law”).

1. Roles of the parties — and why there’s no server in the middle

For the personal data processed under this DPA, the Customer is the controller (or itself a processor acting for its own customers) and Pyor is the processor (or sub-processor) within the meaning of Data Protection Law. The Customer determines the purposes and means of the processing; Pyor processes the data only on the Customer’s behalf as described here.

The defining feature of Pyor matters for how this DPA is scoped. Pyor is a client-side product: there is no Pyor-operated backend that receives, stores, or indexes your repositories, pull requests, diffs, or review comments. The app communicates directly with GitHub’s API from each user’s device, using that user’s own GitHub credentials, and the access token and any cached review data remain on that device.

Consequently, your source code, diffs, and review content are not processed by Pyor at all — they never flow through us, and they are outside the scope of this DPA. Pyor acts as a processor only for the limited account and billing personal data it handles on your behalf to operate Teams (described in §4 and Annex I). The Customer’s and its users’ use of GitHub remains subject to GitHub’s own terms and privacy statement; GitHub is not a Pyor sub-processor.

2. Scope and duration

This DPA is incorporated into the Terms of Service for Pyor Teams customers and applies whenever Pyor processes personal data on the Customer’s behalf. Where it conflicts with the Terms on the subject of data processing, this DPA prevails for that subject. It takes effect when the Customer subscribes to Teams (or otherwise accepts the Terms) and continues for as long as Pyor processes personal data on the Customer’s behalf — that is, for the duration of the Teams subscription and until deletion or return of the data under §5.

3. Nature and purpose of the processing

Pyor processes the personal data described in Annex I for the sole purpose of providing and supporting Pyor Teams and the related billing on the Customer’s behalf — namely creating and administering Customer accounts and Teams workspaces, authenticating users, managing organisation and seat membership, taking payment for the subscription, providing support, and meeting Pyor’s own legal obligations (such as tax and accounting records). The nature of the processing comprises the operations set out in Annex I (collection, storage, use, disclosure to sub-processors, and deletion). Pyor does not process the data for its own independent purposes, and does not sell or share it for advertising.

4. Categories of personal data and data subjects

The personal data Pyor processes on the Customer’s behalf is limited to what running Teams and billing requires. It does not include source code, diffs, pull-request contents, or review notes (which never reach Pyor), and it includes no special categories of data.

Categories of personal data: identity and account data (name, username/display name, GitHub login or handle); contact data (email address); organisation and membership data (organisation/workspace name, role, seat assignment and seat count); and billing data (billing email, plan, country, VAT/tax identifier, and payment status; card details are processed by Stripe, and Pyor stores only a payment token and the last four digits, never the full card number). Limited security and operational logs (such as IP address and timestamps) may also be processed to keep the Services secure and available.

Categories of data subjects: the Customer’s authorised users of Teams — typically your team members, developers, and workspace administrators, and the billing contact for the account.

5. Obligations of Pyor as processor

Pyor shall:

  • Process only on documented instructions. Process the personal data only on the Customer’s documented instructions — including this DPA, the Terms, and the Customer’s configuration and use of the Services — including as to international transfers, unless required by EU, Member-State, or other applicable law to do otherwise (in which case Pyor will inform the Customer first, unless the law prohibits it). If Pyor believes an instruction infringes Data Protection Law, it will tell the Customer.
  • Ensure confidentiality of staff. Ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and process it only as instructed.
  • Implement security measures. Implement and maintain the technical and organisational measures required by Article 32 GDPR, as described in §8 and Annex II.
  • Engage sub-processors responsibly. Engage sub-processors only in accordance with §6.
  • Assist with data-subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, so far as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). If Pyor receives such a request directly, it will, where permitted, refer the data subject to the Customer.
  • Assist with breach, DPIA, and prior consultation. Assist the Customer in ensuring compliance with its obligations under Articles 32–36 GDPR — security of processing, personal-data-breach notification (see §10), data protection impact assessments, and prior consultation — taking into account the nature of the processing and the information available to Pyor.
  • Delete or return data on termination. At the Customer’s choice, delete or return all the personal data to the Customer after the end of the provision of the Services, and delete existing copies unless EU, Member-State, or other applicable law requires storage (for example, retention of billing and tax records under §3).
  • Demonstrate compliance. Make available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR and contribute to audits as set out in §9.

6. Sub-processing

The Customer grants Pyor a general written authorisation to engage sub-processors to process personal data on its behalf. The current sub-processors — such as our hosting, payment, and email providers — are listed at Sub-processors. Where Pyor engages a sub-processor, it imposes data-protection obligations no less protective than those in this DPA (in particular the Article 32 measures), and Pyor remains fully liable to the Customer for the sub-processor’s performance.

Pyor will give the Customer prior notice of any intended addition or replacement of a sub-processor (for example via the Sub-processors page or by email to the account’s billing or admin contact), giving the Customer a reasonable opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a timely, reasonable objection, the Customer may, as its sole remedy, terminate the affected Services in accordance with the Terms.

7. International transfers

Pyor and its sub-processors may process personal data in countries outside the Customer’s own, including in the United States. Where a transfer of personal data is subject to the GDPR and goes to a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, the “SCCs”) are incorporated into this DPA by reference and apply to that transfer:

  • Module Two (controller-to-processor) where the Customer acts as controller; and
  • Module Three (processor-to-processor) where the Customer acts as a processor for a third-party controller.

For transfers subject to the UK GDPR, the SCCs apply as supplemented by the UK Information Commissioner’s International Data Transfer Addendum (the “UK Addendum”). For transfers subject to the Swiss FADP, the SCCs apply with the amendments needed under Swiss law (including references to the Swiss Federal Data Protection and Information Commissioner and protection of legal entities’ data, where applicable). The optional docking clause applies; the relevant module, the parties’ roles, and the Annexes are completed by Annex I, Annex II, and Annex III of this DPA. Where required, Pyor carries out a transfer-impact assessment and applies supplementary measures. The parties will confirm the applicable module(s) and any final transfer terms for the Customer’s specific circumstances on request.

8. Security measures (Article 32)

Pyor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These are summarised in Annex II and on our Security page. The strongest control is architectural: because your code, diffs, and reviews never reach Pyor, the most sensitive data simply isn’t in scope to be breached. Pyor may update its measures over time provided the level of protection is not materially reduced.

9. Audits

Pyor will make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To satisfy such requests, Pyor may first provide relevant documentation — for example its security overview and any third-party reports or certifications it holds. Audits are conducted on reasonable prior notice, during normal business hours, no more than once a year (unless required by a supervisory authority or following a personal-data breach), subject to confidentiality, and in a manner that does not unreasonably disrupt Pyor’s operations or compromise other customers’ data.

10. Personal-data breach notification

Pyor will notify the Customer without undue delay after becoming aware of a personal-data breach affecting personal data processed on the Customer’s behalf. The notification will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects, so the Customer can meet its own obligations under Articles 33–34 GDPR (or equivalent law). Pyor will provide reasonable cooperation and assistance. A notification is not an acknowledgement of fault or liability.

11. Liability

Each party’s liability arising out of or related to this DPA — whether in contract, tort, or otherwise — is subject to the limitations and exclusions of liability set out in the Terms, and any reference there to the liability of a party is taken to include that party’s liability under this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law, or a data subject’s rights under Data Protection Law.

12. Governing law and jurisdiction

This DPA is governed by the law and subject to the jurisdiction stated in the Terms, except where Data Protection Law (or the SCCs) requires a particular governing law, forum, or supervisory authority — in which case that requirement prevails for the matter it governs. Where the SCCs apply, the governing law and forum specified in the SCCs (as completed in the Annexes) control the SCCs themselves.

13. How this agreement is signed

This DPA is incorporated by reference into the Terms and takes effect automatically when the Customer subscribes to Pyor Teams (or otherwise accepts the Terms) — no separate signature is required for it to be binding. If your organisation needs a countersigned copy for its records, email legal@pyor.review with your entity details (see Annex I) and we’ll arrange one. The parties agree that the SCCs, UK Addendum, and Swiss amendments referenced in §7 are likewise incorporated and signed by reference through acceptance of this DPA.
Annex I — Description of the processing

A. Parties

Data exporter / Controller (Customer):

  • Entity: «Customer legal entity name»
  • Address: «Customer registered address»
  • Contact (name, role, email): «Customer data-protection contact»
  • Role: Controller (or processor acting on behalf of its own controller). Activities relevant to the transfer: subscribing to and using Pyor Teams.

Data importer / Processor (Pyor):

  • Entity: «Registered legal entity name, e.g. Pyor Software SAS / Pyor Software, Inc.» («Legal form, e.g. SAS / Inc. / Ltd.»)
  • Address: «Registered street address», «Postal code» «City», «Region / State / Province», «Country»
  • Contact: data-protection / legal team — legal@pyor.review (privacy: privacy@pyor.review; DPO, where appointed: dpo@pyor.review)
  • Role: Processor (or sub-processor). Activities relevant to the transfer: providing and supporting Pyor Teams and its billing.

B. Description of processing

  • Subject matter: processing of account and billing personal data to provide Pyor Teams on the Customer’s behalf.
  • Nature and purpose: as described in §3 — account creation and administration, authentication, organisation/seat management, billing, support, and legally-required record-keeping.
  • Duration: for the term of the Teams subscription and until deletion or return of the data under §5 (see also §2).
  • Frequency: continuous, for the duration of the subscription.

C. Categories of data and data subjects

  • Categories of personal data: identity/account data, contact data, organisation and seat/membership data, and billing data, as detailed in §4. Excluded: source code, diffs, pull-request contents, and review notes, which never reach Pyor.
  • Special categories: none processed.
  • Categories of data subjects: the Customer’s authorised Teams users — team members, developers, and workspace administrators — and the account’s billing contact.
  • Competent supervisory authority (where the SCCs apply): determined by the Customer’s establishment or EU representative; for Pyor’s default French baseline, the CNIL (Commission nationale de l’informatique et des libertés).

Annex II — Technical and organisational security measures

Pyor maintains measures appropriate to the risk under Article 32 GDPR, including the following. The list reflects current practice and may evolve provided protection is not materially weakened; see also Security.

  • Encryption in transit. Data transmitted to and from Pyor’s website and billing systems is protected with TLS.
  • Encryption at rest. Account and billing data is encrypted at rest by our infrastructure and payment providers.
  • Access controls & least privilege. Access to systems and personal data is restricted to authorised personnel on a need-to-know basis, with role-based, least-privilege permissions and unique credentials.
  • Authentication. Multi-factor authentication is required for administrative access to Pyor’s key systems and provider consoles.
  • Data minimisation. We collect and retain the minimum personal data needed; payment card numbers are handled by Stripe and never stored by Pyor. By design, source code and review content never reach us.
  • Confidentiality. Personnel are bound by confidentiality obligations and receive guidance on secure handling of personal data.
  • Vendor due diligence. Sub-processors are assessed for adequate security and bound by data-protection terms no less protective than this DPA (see Annex III).
  • Availability & logging. Use of reputable infrastructure providers, with minimal, short-lived operational logs to keep the Services available and to detect and respond to abuse.
  • Breach response. Procedures to detect, assess, and notify the Customer of personal-data breaches without undue delay (see §10).

Pyor holds the certifications listed on its Security page (none are claimed where an audit has not completed), and will not overstate its posture.

Annex III — List of sub-processors

The Customer has authorised the use of the sub-processors maintained on our Sub-processors page, which identifies each sub-processor, the processing it performs, and its location. That page is incorporated into this Annex III by reference and is kept current; changes are notified in accordance with §6. GitHub is not a Pyor sub-processor — the app talks to GitHub directly from each user’s device under the user’s own GitHub relationship.