Data processing agreement (DPA)
Last updated: April 8, 2026
1. Scope and Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Yosuble AI LLC ("Processor", "Codunk", "we") and the customer ("Controller", "you") who uses Codunk to create and deploy websites or web applications that may collect personal data from end users.
This DPA applies when Codunk processes personal data on your behalf as a data processor under GDPR (EU) 2016/679, UK GDPR, or equivalent data protection laws.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
- Processing: any operation performed on personal data, including collection, storage, retrieval, transmission, and erasure.
- Controller: you, the customer who determines the purposes and means of processing personal data via your deployed sites.
- Processor: Codunk, which processes personal data on your behalf by hosting and serving your deployed sites.
- Sub-processor: a third party engaged by Codunk to process personal data on behalf of the Controller.
3. Data Processing Details
- Subject matter: Hosting, serving, and building websites and web applications created by the Controller using Codunk.
- Duration: For the term of the Controller's Codunk account, plus any retention period required by law.
- Nature and purpose: Hosting deployed sites on Codunk infrastructure, compiling code, serving static and dynamic content to end users.
- Types of personal data: Any data collected by the Controller's deployed sites (e.g., names, email addresses, form submissions). Codunk does not determine what data is collected.
- Categories of data subjects: End users of the Controller's deployed websites and applications.
4. Processor Obligations
Codunk shall:
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 7).
- Not engage another processor (sub-processor) without prior written authorization from the Controller (see Section 6).
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIAs).
- Delete or return all personal data upon termination, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits.
5. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for processing personal data collected through deployed sites.
- Provide appropriate privacy notices to end users of deployed sites.
- Ensure that any personal data provided to Codunk is collected and transferred in compliance with applicable data protection laws.
- Be responsible for the content, forms, and data collection mechanisms on their deployed sites.
6. Sub-processors
Codunk uses the following sub-processors to deliver its services. By agreeing to this DPA, you authorize the use of these sub-processors:
- Cloudflare Inc. (US/Global) — CDN, deployed site hosting, DDoS protection
- Supabase Inc. (US) — Database, authentication, file storage
- Vercel Inc. (US) — Platform hosting and deployment
- Anthropic PBC (US) — AI code generation (zero-retention API)
- Hostinger International Ltd (LT/EU) — Build infrastructure
- Polar Software Inc. (US) — Payment processing (Merchant of Record)
- Resend Inc. (US) — Transactional email delivery
- Sentry (Functional Software Inc.) (US) — Error monitoring
- Crisp IM SARL (FR/EU) — Customer support chat
We will notify you of any intended changes to sub-processors by updating this page at least 30 days before the change takes effect. You may object to a new sub-processor by contacting us within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected services.
7. Security Measures
Codunk implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+ on all connections)
- Encryption at rest for sensitive data (integration credentials, authentication tokens)
- Row-Level Security (RLS) policies ensuring data isolation between users
- Rate limiting on authentication and sensitive API endpoints
- Regular security monitoring and error tracking
- Access controls: principle of least privilege for all system access
- Incident response procedures for security events
8. Data Breach Notification
In the event of a personal data breach, Codunk will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- Contact details for further information
- The likely consequences of the breach
- Measures taken or proposed to address the breach
9. International Transfers
Where personal data is transferred outside the EEA, Codunk ensures appropriate safeguards are in place:
- EU-US Data Privacy Framework certification (where applicable)
- European Commission Standard Contractual Clauses (SCCs, Decision 2021/914)
- Adequacy decisions where available
10. Audits
The Controller may audit Codunk's compliance with this DPA upon reasonable written notice (minimum 30 days). Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably interfere with Codunk's operations. Codunk may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance.
11. Term and Termination
This DPA remains in effect for as long as Codunk processes personal data on behalf of the Controller. Upon termination of the Controller's account, Codunk will delete all personal data within 30 days, unless retention is required by applicable law.
12. Governing Law
This DPA is governed by the laws of the State of New Mexico, United States. For EU/EEA data subjects, mandatory provisions of GDPR and applicable member state law shall prevail where they conflict with this DPA.
13. Contact
For DPA inquiries or to request a signed copy, contact:
Yosuble AI LLC
1209 Mountain Road PL NE, STE R
Albuquerque, NM 87110, United States
Email: contact@codunk.com