Data Processing Addendum
Last updated: April 2026
1. Subject matter
This Data Processing Addendum ("DPA") forms part of the Terms of Service between LaunchSafe, Inc. ("Processor") and Customer ("Controller"). It governs Processor's processing of Personal Data on Controller's behalf in connection with the LaunchSafe Service.
2. Roles of the parties
Controller determines the purposes and means of processing. Processor processes Personal Data only on documented instructions from Controller, including with respect to international transfers, unless required to do otherwise by applicable law.
3. Nature and purpose of processing
Processor will process Personal Data to provide autonomous adversarial testing — ingesting source code, probing in-scope applications, generating findings, and surfacing those findings to Controller's authorized users.
4. Categories of data subjects and personal data
Data subjects include Controller's employees, contractors, and end users whose data is incidentally present in source code, logs, or test environments. Personal Data may include account identifiers, IP addresses, and any personal data Controller chooses to expose to the Service.
5. Sub-processors
Controller authorizes Processor to engage sub-processors to provide the Service. Processor will provide at least 30 days' notice before adding or replacing a sub-processor and will offer Controller the right to object on reasonable grounds. The current list of sub-processors is below.
| Name | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure and hosting services | United States |
| Google (Gemini) | AI language model services | United States |
| Anthropic (Claude) | AI language model services | United States |
| Cloudflare | CDN and security services | United States |
| WorkOS | Enterprise authentication and SSO | United States |
| Slack | Team communication and notifications | United States |
| Stripe | Payment processing and billing | United States |
| Intercom | Customer support and messaging | Ireland |
6. Security measures
Processor implements appropriate technical and organizational measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, audit logging of production access, vulnerability management, and annual penetration testing. Detailed measures are available in our Security Overview.
7. Personnel and confidentiality
Processor ensures that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive regular security and privacy training.
8. Data subject requests
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to respond to data subject requests.
9. Personal data breaches
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, and will provide information reasonably necessary for Controller to meet its notification obligations.
10. International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the parties agree to incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference, with the UK Addendum or Swiss-specific terms as applicable.
11. Audit
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by Controller or an independent auditor mandated by Controller, subject to reasonable notice and confidentiality obligations.
12. Term and deletion
This DPA remains in effect for the duration of the Terms of Service. Upon termination, Processor will delete or return all Personal Data within 30 days, unless retention is required by applicable law.
Questions? Email legal@launchsafe.com