Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms an integral part of the BorgMark Terms & Conditions (the “Agreement”) entered into between:
- BV CEEJAY, a Belgian private limited company with registered office at Quinten Matsijslei 12, 2018 Antwerpen, Belgium, registered under VAT number BE0865267120 (the “Processor”); and
- the customer identified in the Agreement (the “Controller”).
It governs the Processor’s processing of personal data on behalf of the Controller in connection with the BorgMark service (the “Service”), and gives effect to Article 28 of Regulation (EU) 2016/679 (“GDPR”).
In case of conflict between this DPA and the Agreement on matters of personal data protection, this DPA prevails.
1. Definitions
Terms in capitals not defined here have the meaning given in the GDPR or the Agreement. “Personal data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings given in Article 4 GDPR.
2. Subject matter and duration
The Processor processes personal data on behalf of the Controller solely to deliver, operate, secure and support the Service.
This DPA takes effect on the effective date of the Agreement and ends when all personal data has been returned or deleted in accordance with Section 11.
3. Nature, purpose and scope of processing
A detailed description is set out in Annex I. In summary, the Processor hosts a Forgejo-based Git platform and CI/CD runners on EU infrastructure, and processes personal data that the Controller or its authorised users upload, generate or transmit through the Service.
4. Controller’s instructions
The Processor processes personal data only on documented instructions from the Controller. The Agreement, the Service’s standard configuration, and this DPA constitute the Controller’s complete and final instructions at the effective date. Further instructions must be agreed in writing and may be subject to additional fees.
The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable EU or Member State data protection law.
5. Confidentiality
The Processor ensures that persons authorised to process the personal data are bound by a contractual or statutory obligation of confidentiality and are trained on their data protection responsibilities.
6. Security measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II.
7. Sub-processors
The Controller grants the Processor general authorisation to engage the sub-processors listed in Annex III.
The Processor will:
a. impose on each sub-processor data protection obligations no less protective than those in this DPA;
b. remain fully liable to the Controller for each sub-processor’s performance;
c. give the Controller at least 30 days’ prior notice of any intended addition or replacement of a sub-processor, by updating Annex III and notifying the Controller’s billing contact by email.
The Controller may object to a change on reasonable data protection grounds within that 30-day period. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service without penalty, with a pro-rata refund of any prepaid fees covering the period after termination.
8. International transfers
The Processor does not transfer personal data outside the European Economic Area. All sub-processors listed in Annex III are established in the EEA and process personal data within the EEA only. If a future change to Annex III would introduce a transfer outside the EEA, the Processor will identify the transfer mechanism (e.g. Standard Contractual Clauses) in the change notice and the Controller’s right to object under Section 7 applies.
9. Assistance to the Controller
Taking into account the nature of the processing and the information available to it, the Processor will assist the Controller — by appropriate technical and organisational measures, insofar as possible — to fulfil the Controller’s obligations to:
a. respond to requests from data subjects exercising their rights under Chapter III GDPR;
b. ensure the security of processing (Article 32);
c. notify and communicate personal data breaches (Articles 33–34);
d. carry out data protection impact assessments and prior consultations (Articles 35–36).
Where assistance under (a) exceeds what is available through the Service’s standard features, the Processor may charge reasonable, time-and-materials fees.
10. Personal data breach
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller’s personal data. The notice will include the information required under Article 33(3) GDPR to the extent then known, and will be supplemented as further information becomes available.
11. Return or deletion on termination
Within 30 days of termination or expiry of the Agreement, the Processor will, at the Controller’s choice:
a. make the personal data available for export by the Controller through standard Service features (Git clone, repository export, audit log export); or
b. delete the personal data from production systems.
Personal data residing in routine backups is overwritten on the standard rolling cycle (currently 35 days) and is not restored or used during that period except for disaster recovery.
The Processor may retain personal data to the extent required by EU or Member State law, in which case it will keep that data confidential and protected by the measures in Annex II.
12. Audits
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, primarily through:
a. its published security documentation and sub-processor list;
b. responses to reasonable written security questionnaires (limited to once per 12 months, save in the event of a personal data breach affecting the Controller).
The Controller may, no more than once per 12 months and on at least 30 days’ written notice, conduct an on-site audit during business hours, without disruption to other customers, and subject to confidentiality. The Controller bears its own audit costs; the Processor bears its internal costs unless the audit reveals a material breach of this DPA, in which case the Processor reimburses the Controller’s reasonable external audit costs.
13. Liability and governing law
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by Belgian law. Any dispute is subject to the exclusive jurisdiction of the courts of Antwerp (Belgium).
Annex I — Description of processing
| Item | Detail |
|---|---|
| Subject matter | Operation of the BorgMark Service: hosted Forgejo Git platform and CI/CD runners. |
| Duration | The term of the Agreement, plus the deletion period in Section 11. |
| Nature and purpose | Hosting, storage, transmission, computation, logging, backup and access control for source code, CI artefacts and related metadata, to deliver and support the Service. |
| Types of personal data | (a) Account data: name, email address, hashed password or SSO/SAML identifier, role, IP address, session and access logs. (b) Git metadata: commit author name and email, commit messages, branch and tag identifiers. (c) Repository and CI content: any personal data that the Controller or its users choose to include in repositories, build artefacts, CI logs or issue trackers. (d) Support data: any personal data shared with the Processor’s support team. |
| Categories of data subjects | The Controller’s personnel, contractors, and any third parties whose personal data the Controller or its users elect to process through the Service. |
| Frequency | Continuous, for the duration of the Agreement. |
| Retention | See Section 11. |
Annex II — Technical and organisational measures
The Processor implements and maintains at least the following measures:
Access control. Multi-factor authentication enforced for all administrative access. Role-based access on a least-privilege basis. Production access limited to a documented list of personnel.
Encryption. TLS 1.2 or higher for all data in transit. AES-256 (or equivalent) at rest for repositories, databases and backups.
Network security. Hardened operating system images. Restricted ingress; egress logging. Regular patching of system and application components.
Isolation. Per-tenant data isolation at the application layer (Walled Garden). Single-tenant dedicated VM and database (Sovereign Fortress).
Backups. Encrypted daily backups, retained on a rolling 35-day cycle. Restore tested periodically.
Logging and monitoring. Application and access logs retained for at least 12 months. Alerting on anomalous administrative actions.
Personnel. Confidentiality undertakings from all personnel with access to personal data. Periodic data protection and security awareness training.
Incident response. Documented procedure for detection, triage, containment, notification and post-incident review of personal data breaches.
Sub-processor oversight. Sub-processors selected for EU/EEA presence, contractually bound to equivalent data protection standards, and listed in Annex III.
The Processor reviews these measures at least annually and may update them, provided that the level of security is not materially reduced.
Annex III — Sub-processors
As at the effective date of this DPA:
| Sub-processor | Role | Location of processing |
|---|---|---|
| Hetzner Online GmbH | Compute and storage hosting (Forgejo, CI runners, artefacts, logs) | Germany (EU) |
| Hetzner Online GmbH | Managed database hosting | Germany (EU) |
| Combell NV | Transactional email delivery | Belgium (EU) |
| Mollie B.V. | Payment processing | Netherlands (EU) |
The current list is also published at borgmark.com/sub-processors.