Data Processing Agreement

Effective Date: 11 April 2026 | Last Updated: 11 April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Ad Astra Computing Inc. ("Processor", "we", "us") and the entity or individual accepting these terms ("Controller", "Customer", "you") for the provision of Dispatch services ("Services").

1. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
  • Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
  • Data Subject means the identified or identifiable natural person to whom Personal Data relates.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Supervisory Authority means an independent public authority responsible for monitoring the application of data protection laws.

2. Scope and Roles

The Customer acts as the Controller, determining the purposes and means of processing Personal Data. Ad Astra Computing Inc. acts as the Processor, processing Personal Data solely on behalf of and under the documented instructions of the Controller for the purpose of providing the Dispatch Services.

This DPA applies to all processing of Personal Data by the Processor in connection with the Services, including the Dispatch Team plan and any cloud-based features of the Dispatch platform.

3. Categories of Data Processed

The Processor processes the following categories of Personal Data through the Services:

  • Organization metadata (organization name, member list, role assignments)
  • User account information (email address, authentication identifiers)
  • Project names and configuration metadata
  • Goal and task titles, status, and assignment data
  • Review decisions and approval records
  • Usage metrics (token counts, request counts, session durations)
  • Audit log entries (action type, timestamp, member identifier, hashed IP address)
  • Billing and subscription data

3.1 Data Not Processed in Cloud

The following categories of data are processed exclusively on the Customer's local machine and are never transmitted to or stored on the Processor's infrastructure:

  • Source code and project files
  • Agent output, tool call results, and session transcripts
  • File contents and directory structures
  • Goal descriptions, spec content, and task implementation details
  • API keys and credentials for third-party services
  • Secret scanning findings and security audit content

4. Processing Instructions

The Processor shall process Personal Data only in accordance with the Controller's documented instructions, which are set forth in this DPA, the Terms of Service, and any written instructions provided by the Controller. The Processor shall not process Personal Data for any purpose other than providing the Services unless required by applicable law, in which case the Processor shall inform the Controller of such legal requirement before processing (unless prohibited by law from doing so).

5. Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.

6. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including:

  • Encryption at rest: All Personal Data stored in the Processor's infrastructure is encrypted at rest using industry-standard encryption algorithms.
  • Encryption in transit: All data transmitted between the Customer's application and the Processor's infrastructure is encrypted using TLS 1.2 or higher.
  • Access controls: Role-based access controls limit access to Personal Data to authorized personnel only. Administrative access requires multi-factor authentication.
  • Audit logging: All access to and operations on Personal Data are recorded in tamper-evident audit logs.
  • Data isolation: Customer data is logically isolated between organizations at the infrastructure level, ensuring that members of one organization cannot access data belonging to another.
  • Regular review: Security measures are reviewed and updated regularly to reflect current best practices and threat landscapes.

7. Sub-processors

The Controller grants the Processor general authorization to engage Sub-processors for the processing of Personal Data, subject to the following conditions:

  • The Processor maintains a list of current Sub-processors, categorized by function.
  • The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object to such changes.
  • The Processor shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA.
  • The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7.1 Current Sub-processor Categories

Category | Purpose | Data Processed
Cloud infrastructure provider | Hosting, compute, database services | Organization metadata, usage metrics, audit logs
Email delivery service | Transactional email (sign-in links, notifications) | Email addresses
Payment processor | Subscription billing and payment processing | Billing information, subscription status
Content delivery network | Static asset delivery and edge caching | IP addresses (transient, not stored)

8. Data Retention

The Processor retains Personal Data in accordance with the following schedule:

  • Audit logs: Retained per organization settings, configurable between 90 and 365 days. Default retention is the duration of the active subscription plus 90 days after cancellation.
  • Usage metrics: Retained for the duration of the active subscription for billing and reporting purposes.
  • Account data: Retained for the duration of the active subscription.
  • Account closure: Upon account closure or subscription cancellation, all Personal Data is permanently deleted within 30 days, unless longer retention is required by applicable law.

9. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant Supervisory Authority and affected Data Subjects, including:
    • The nature of the breach, including categories and approximate number of Data Subjects and records affected
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach and mitigate its effects
    • The name and contact details of the Processor's data protection point of contact
  • Cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including:

  • Right of access: Data Subjects may request a copy of their Personal Data held by the Processor.
  • Right to rectification: Data Subjects may request correction of inaccurate Personal Data.
  • Right to erasure: Data Subjects may request deletion of their Personal Data, subject to legal retention requirements.
  • Right to data portability: Data Subjects may request their Personal Data in a structured, commonly used, and machine-readable format. Organization admins may export audit logs and organizational data at any time from the Dispatch application.
  • Right to restrict processing: Data Subjects may request restriction of processing of their Personal Data in certain circumstances.
  • Right to object: Data Subjects may object to processing of their Personal Data in certain circumstances.

The Processor shall respond to any Data Subject request forwarded by the Controller within 30 days.

11. International Data Transfers

Where Personal Data is transferred outside of the European Economic Area (EEA), the United Kingdom, or Switzerland, the Processor shall ensure that such transfers are subject to appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated by reference into this DPA.
  • Adequacy decisions by the European Commission, where applicable.
  • Any other transfer mechanism approved under applicable data protection laws.

The Processor shall ensure that any Sub-processor processing Personal Data outside of the EEA is bound by equivalent safeguards.

12. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under applicable data protection law and taking into account the nature of the processing and the information available to the Processor.

13. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably interfere with the Processor's business operations.

14. Termination

Upon termination or expiration of the Services agreement:

  • The Processor shall, at the Controller's election, return or delete all Personal Data within 30 days of the effective date of termination.
  • The Controller may request an export of all Personal Data in a machine-readable format prior to termination.
  • The Processor shall provide written confirmation of deletion upon request.
  • Any Personal Data retained beyond the 30-day period shall only be retained to the extent required by applicable law, and the Processor shall isolate and protect such data from any further processing.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that no limitation shall apply to either party's liability for breaches of its obligations under applicable data protection laws to the extent such limitation is prohibited by law.

16. Governing Law

This DPA is governed by the laws of the jurisdiction specified in the Terms of Service. Where the Controller is established in the EEA, the applicable provisions of the GDPR shall take precedence over conflicting provisions of this DPA.

17. Changes to This DPA

The Processor may update this DPA from time to time to reflect changes in data processing practices, legal requirements, or Sub-processors. Material changes will be communicated to affected Controllers with at least 30 days' notice. Continued use of the Services after such notice constitutes acceptance of the updated DPA.

Contact

For questions about this DPA, data processing requests, or to exercise Data Subject rights:

Ad Astra Computing Inc.
Email: privacy@withdispatch.dev
Web: withdispatch.dev