Defang Logo
Defang Logo
FeaturesPricingDocsBlogGitHubAboutContact
Defang - Go from idea to your favorite cloud in minutes. | Product Hunt

Data Processing Addendum

DEFANG SOFTWARE LABS INC. DATA PROCESSING ADDENDUM

Updated Oct 31, 2024

This Data Processing Addendum (“DPA”) is made as of the date it is fully executed (“Effective Date”) by and between you or your Organization (collectively, the “Customer”), “you” or “your”) and Defang Software Labs Inc., doing business as Defang, (“Defang”, “we”, “our” or “us”). In this DPA, Defang and Customer may each be referred to as a “Party” and collectively referred to as the “Parties”. This DPA is incorporated by reference into our Terms of Service. Capitalized terms used but not defined in this DPA have the meanings assigned to them in our Terms of Service.

This DPA sets out the terms that apply when Customer Personal Data is Processed by Defang under our Terms of Service. The purpose of the DPA is to ensure such Processing is conducted in accordance with Applicable Laws and respects the rights of individuals whose Personal Data is Processed under our Terms of Service.

This DPA will not become binding and enforceable unless and until it has been validly executed by the Parties. To execute this DPA, please email us at support@defang.io .

  1. Definitions

In this DPA:

  1. “Affiliate” means an entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party. As used in this DPA, “control” means the power to direct the management or affairs of an entity and the beneficial ownership of 50% or more of the voting equity securities or other equivalent voting interests of an entity.

  2. “Applicable Law(s)” means all US, UK, and EU laws, regulations, and other legal or regulatory requirements relating to privacy, data protection/security, or the Processing of Personal Data applicable to Defang’s performance of its services under our Terms of Service, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), including any implementing regulations, the United Kingdom Data Protection Act 2018, and the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and the United Kingdom GDPR (“UK GDPR”). For the avoidance of doubt, if Defang’s Processing activities involving Personal Data are not within the scope of an Applicable Law, then such Applicable Law is not applicable for purposes of this DPA.

  3. “Business Contact Data” means business contact information and Defang Account log-in data of Customer’s employees and Permitted Users of the Services.

  4. “Customer Personal Data” means Customer Data, as defined in our Terms of Service, consisting of Personal Data, except for Business Contact Data.

  5. EEA” means, for purposes of this DPA, the European Economic Area (which is composed of the member states of the European Union), Norway, Iceland, Liechtenstein and Switzerland.

  6. “EU SCCs” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 9 (International Data Transfers).

  7. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Customer Personal Data.

  8. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information”, each as defined by Applicable Law.

  9. “Process” and “Processing” mean any operation or set of operations performed on Personal Data, or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, creating, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making such data available), aligning or combining, restricting, erasing or destroying such Personal Data.

  10. “Standard Contractual Clauses” means the EU SCCs or the UK SCCs, as applicable.

  11. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in Section 9 (International Data Transfers).

  1. Relationship of the Parties

Customer is the Controller and Business as defined under Applicable Laws, and Customer determines the means and purposes for which Customer Personal Data is Processed by Defang. To the extent Defang Processes Customer Personal Data subject to Applicable Laws, Defang is a Processor and Service Provider as defined under Applicable Law, and Defang will Process the Customer Personal Data according to the instructions set out in this DPA, our Terms of Service and as required under Applicable Law. Customer and Defang are independent Controllers and Businesses, as defined under Applicable Law, with respect to Business Contact Data. Either Party may Process Business Contact Data as necessary for the purpose of (a) carrying out its obligations under the Agreement, (b) applicable legal or regulatory requirements, (c) requests and communications with the other Party, (d) administrative, business and marketing purposes and (e) to protect its respective rights in accordance with Applicable Law and, in the case of Defang, maintaining the security and integrity of the Services.

Defang hereby certifies that it understands the restrictions and obligations set out in this DPA in relation to its role as a Processor and Service Provider, and that it will comply with them.

  1. Customer’s Instructions to Defang

Purpose Limitation

Defang will not (a) sell or share (as defined by CCPA) Customer Personal Data, (b) Process Customer Personal Data for any purpose other than for the specific purposes set forth in the Agreement, and as specifically stated in Exhibit A, (c) retain, use, or disclose any such data outside of the direct business relationship between the Parties, (d) combine any Customer Personal Data with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as otherwise permitted by Applicable Law, or (e) otherwise engage in any Processing of Customer Personal Data beyond that in which a Processor may engage under the Applicable Law or in which a Service Provider may engage under Applicable Law, unless obligated to do otherwise by Applicable Law. In such case, Defang will inform Customer of the applicable legal obligation before engaging in the Processing, unless legally prohibited from doing so. Further details regarding Defang’s Processing operations are set out in Exhibit A. To the extent Customer discloses or makes available deidentified data (as such term is defined under Applicable Law) within the Customer Data to Defang, Defang will not attempt to re-identify such data.

Lawful Instructions

Customer will not instruct Defang to Process Customer Personal Data in violation of Applicable Law. Defang will without undue delay inform Customer if, in Defang’s opinion, an instruction from Customer infringes Applicable Law. Our Terms of Service, including this DPA, constitutes Customer’s complete and final instructions to Defang regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. Customer will also have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of Customer Personal Data by Defang.

  1. Limitations on Disclosure

Defang will not disclose Customer Personal Data to any third party without first obtaining Customer’s written consent, except as provided in Section 5 (Subcontracting), Section 7 (Data Subject Requests) or Section 9 (International Data Transfers), except as required by Applicable Law. Defang will require all employees, contractors and agents who Process Customer Personal Data on Defang’s behalf to protect the confidentiality of the Customer Personal Data and to comply with the other relevant requirements of this DPA.

  1. Subcontracting

Sub-Processors

Defang may subcontract the collection or other Processing of Customer Personal Data to external third parties only in compliance with Applicable Law and any additional conditions for such subcontracting set out in our Terms of Service. Customer acknowledges and agrees that Defang’s Affiliates and certain third parties may be retained as sub-processors to Process Customer Personal Data on Defang’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Services. Defang’s third-party sub-processors are listed at link (the “Sub-processor List”). Prior to a sub-processor’s Processing of Customer Personal Data, Defang will impose contractual obligations on the sub-processor substantially the same as those imposed on Defang under this DPA to the extent applicable to the nature of the services provided by such sub-processor. Defang remains liable for its sub-processors’ performance under this DPA to the same extent Defang is liable for its own performance.

Notification

Defang will provide Customers with at least 10 days’ written notice of new sub-processors before authorizing such sub-processor(s) to Process Customer Personal Data in connection with the provision of the Services. Defang will notify Customer at the email address provided in the signature block of this DPA for purposes of this notification. The sub-processor agreements to be provided under Clause 5(j) of the EU SCCs may have all commercial information, or provisions unrelated to the EU SCCs, redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon written request.

Right to Object

Customer may object to Defang’s use of a new sub-processor on reasonable grounds relating to the protection of Customer Personal Data by notifying Defang promptly in writing at info@defang.io within 10 business days after receipt of Defang’s notice in accordance with the notification mechanism set out above in this Section. In its notification, Customer will explain its reasonable grounds for objection. In the event Customer objects to a new sub-processor, Defang will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Defang is unable to make available such change within a reasonable period of time, which will not exceed 30 days, either Party may terminate without penalty the Processing of Customer Personal Data and/or cease using those aspects of the Services that cannot be provided by Defang without the use of the objected-to new sub-processor by providing written notice to the other Party.

  1. Assistance & Cooperation

Security

Defang will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Applicable Law relevant to Defang’s role in Processing Customer Personal Data, taking into account the nature of Processing and the information available to Defang, by implementing the technical and organizational measures set out at https://defang.io/policies/data-protection-measures, without prejudice to Defang right to make future replacements or updates to the measures that do not materially lower the level of protection of Customer Personal Data. Defang will ensure that the persons it authorizes to Process the Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

Personal Data Breach Notification & Response

Defang complies with the Personal Data Breach-related obligations directly applicable to it under Applicable Law. Taking into account the nature of Processing and the information available to Defang, Defang will inform Customer of a substantiated Personal Data Breach without undue delay or within the time period required under Applicable Law, and in any event no later than 72 hours following such substantiation. Defang will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. This notification will include Defang’s then-current assessment of the following information, to the extent available, which may be based on incomplete information:

  1. the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned;

  2. the likely consequences of the Personal Data Breach; and

  3. measures taken or proposed to be taken by Defang to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

Defang will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Defang to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

  1. Data Subject Requests

To the extent legally permitted, Defang will without undue delay notify Customer if Defang receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a “Data Subject Request”). To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Defang will, upon Customer’s request, take commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Defang is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.

  1. DPIAs & Consultation with Supervisory Authorities or other Regulatory Authorities

Upon Customer’s written request, Defang will provide Customer with reasonable cooperation and assistance as needed and appropriate to fulfill Customer’s obligations under Applicable Law to carry out a data protection impact assessment related to Customer’s use of the Services. Defang will provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.

  1. International Data Transfers

Customer authorizes Defang and its sub-processors to make international transfers of the Customer Personal Data in accordance with this DPA so long as Applicable Law for such transfers is respected.

With respect to Customer Personal Data transferred from the EEA, the EU SCCs will apply and form part of this DPA, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:

  1. where Customer acts as a Controller and Defang acts as Customer’s Processor with respect to Customer Personal Data subject to the EU SCCs, Module 2 applies;

  2. where Customer acts as a Processor and Defang acts as Customer's sub-processor with respect to Customer Personal Data subject to the EU SCCs, Module 3 applies;

  3. Clause 7 (the optional docking clause) is not included;

  4. under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at link. Defang will provide notice of updates to that list at least 10 business days in advance of any intended additions or replacements of sub-processors, in accordance with Section 5 of this DPA;

  5. under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable;

  6. Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland;

  7. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;

  8. Annexes I and II of the EU SCCs are set out in Exhibit A below;

  9. Annex III of the EU SCCs (List of sub-processors) is inapplicable; and

  10. by entering into this DPA, the Parties are deemed to be signing the EU SCCs.

With respect to Customer Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set out in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:

  1. Table 1 of the UK SCCs:

    1. The Parties’ details are the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set out in Exhibit A.

    2. The Key Contacts are the contacts set out in Exhibit A.

  2. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Addendum.

  3. Table 3 of the UK SCCs: Annex 1A, 1B, and II are set forth in Exhibit A.

  4. Table 4 of the UK SCCs: Either Party may terminate this Addendum as set out in Section 19 of the UK SCCs.

  5. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.

With respect to Customer Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):

  1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

  2. The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

  3. References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

  4. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set out in the EU SCCs insofar as the transfer is governed by the GDPR.

  1. Audits

If you have an active paid Account with Defang and you suspect that we have failed to comply with this DPA or Applicable Laws, then (a) so long as you maintain an Account with Defang, (b) upon your prior written request, (c) to the extent required under Applicable Laws and (d) no more than once in any calendar year, we will cooperate and within a reasonable time provide you with: (i) a summary of any required audit reports demonstrating our compliance with Applicable Laws under this DPA (without any confidential or commercially sensitive information, including any Confidential Information of Defang or any data or information of other customers of Defang), and (ii) confirmation that such audit has not revealed any material vulnerability in Defang’s systems, or to the extent that any such vulnerability was detected, that Defang has fully remedied such vulnerability. If the foregoing measures are not sufficient to confirm compliance with Applicable Laws or if they reveal some material issues, then subject to the confidentiality obligations set out in our Terms of Service, you may request an audit of our data protection compliance program by external independent auditors jointly selected by you and Defang, such audit to be at your sole expense. Any such audit will be conducted in a manner that will result in minimal disruption to Defang’s business operations and will take no longer than two business days, and you and Defang will otherwise agree on the scope and start date of the audit. Defang will make available to you the result of the audit of its data protection compliance program. For clarity, the provisions of this Section do not apply to you if you do not have an active paid Account with us.

  1. Legal Process

If Defang is legally compelled by a court or other government authority to disclose Customer Personal Data, then to the extent permitted by law, Defang will promptly provide Customer with sufficient notice of all available details of the legal requirement and reasonably cooperate with the Customer’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as Defang deems appropriate.

  1. Destruction of Personal Data

Upon termination of the Agreement and written request from the Customer, Defang will delete or anonymize Customer Personal Data, unless prohibited by Applicable Law. Notwithstanding the foregoing, (a) nothing will oblige Defang to delete or anonymize Customer Personal Data from files created for security, backup and business continuity purposes sooner than required by Defang’s data retention processes and (b) it may not be possible and, in any event Defang will have no obligation, to delete or anonymize any Customer Personal Data incorporated into or included in any Input or Output included in the License granted to Defang by you pursuant to the Defang AI Terms. Any Customer Personal Data that may be retained beyond the duration of the Customer’s Account with Defang will still be protected in accordance with this DPA and Defang will not process such Customer Personal Data except as strictly permitted under Applicable Law.

  1. Applicability and Order of Precedence

This DPA replaces any existing data processing addendum the Parties may have previously entered into in connection with our Terms of Service. If there is a conflict between the terms of our Terms of Service and this DPA, then the terms of the DPA will apply. If there is a conflict between this DPA and the applicable Standard Contractual Clauses, then the Standard Contractual Clauses will apply.

EXHIBIT A Annexes I and II of the EU SCCs

Annex I

  1. List of Parties

Module Two: Transfer Controller to Processor

Module Three: Transfer Processor to Processor

Data exporter(s):

  • Name: The exporter is the Customer specified in this DPA.

  • Address: Specified in this DPA.

  • Contact person’s name, position and contact details: Specified in this DPA.

  • Activities relevant to the data transferred under these Clauses: Obtaining the Services from data importer.

  • Role (Controller/Processor): Controller

Data importer(s):

  • Name: Defang Software Labs Inc., dba Defang

  • Address: 111 W Broadway, Suite 218, Vancouver, BC V5Y 1P4, Canada

  • Contact person’s name, position and contact details: Chief Executive Officer, info@defang.io

  • Activities relevant to the data transferred under these Clauses: Providing the Services to data exporter.

  • Role (Controller/Processor): Processor

  1. Description of Transfer

Module Two: Transfer Controller to Processor

Module Three: Transfer Processor to Processor

Categories of data subjects whose personal data is transferred

Data subjects whose Personal Data is uploaded by data exporter to, or otherwise received directly or indirectly from data exporter (including from a Permitted User on data exporter’s behalf) by or through, the Services, or provided by data exporter to Defang to input into the Services.

Categories of personal data transferred

The data exporter may transfer Personal Data to Defang, the extent of which is determined and controlled by the data exporter in its sole discretion. Such Personal Data may include any category of Personal Data the data exporter or its Permitted Users may enter into the Services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None anticipated.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuously, for so long as the Customer maintains an Account with Defang.

Nature of the processing

Customer Personal Data transferred will be processed to (a) provide the Services to the data exporter and fulfill the data importer’s obligations under the Agreement and (b) comply with applicable law.

Purpose(s) of the data transfer and further processing

Customer Personal Data transferred will be processed to (a) provide the Services to the data exporter and fulfill the data importer’s obligations under the Agreement and (b) comply with Applicable Law.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Customer Personal Data will be retained for the length of time necessary to provide Services under the Agreement and in accordance with Defang’s data retention processes and as otherwise required by Applicable Law.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

Defang’s sub-processors will process Customer Personal Data to assist Defang in providing the Services pursuant to our Terms of Service, for as long as needed for Defang to provide the Services.

  1. Competent Supervisory Authority

Module Two: Transfer Controller to Processor

Module Three: Transfer Processor to Processor

Identify the competent supervisory authority/ies in accordance with Clause 13.

The Parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

Annex II - Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Module Two: Transfer Controller to Processor

Module Three: Transfer Processor to Processor

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Please see link, which describes the technical and organizational measures implemented by Defang.

4885-9960-1126, v. 1

Defang Logo

Develop Anything. Deploy Anywhere.

Partners & Certifications

Google Cloud PartnerCIS AWS Foundations BenchmarkAmazon Web Services PartnerAWS Well Architected Partner

  • Product

    • Features
    • Pricing

  • Resources

    • Docs
    • Blog
    • Github

  • Use Cases

    • Docker Compose Deployment
    • Docker Compose to AWS
    • Sick of Kubernetes?

  • Company

    • About us
    • Contact Us
    • Terms of Service
    • Privacy Policy

Copyright © 2025 Defang. All rights reserved.

All Systems Operational