subforge — Data Processing Addendum (DPA)
Effective date: June 2026
Last updated: 16 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Hidef Software Limited ("Processor", "we") and the customer ("Controller", "you") and applies where we process personal data on your behalf in providing the subforge Service.
Where you upload repository content and related data, you act as the Controller (or processor for your own customers) and we act as your Processor.
1. Scope and roles
- Subject matter: provision of the subforge hosted SVN Service.
- Duration: for the term of your use of the Service.
- Nature and purpose: hosting, storing, transmitting, securing, and backing up your repository content and associated data so you can use the Service.
- Types of personal data: as determined by you — typically usernames, names, and email addresses of your team members and commit authors, plus any personal data you choose to store within your repositories.
- Categories of data subjects: your team members, collaborators, and any individuals whose data appears in your content.
2. Our obligations
We will:
- Process personal data only on your documented instructions (including the Terms and your use of the Service's features), unless required by law to do otherwise.
- Ensure people authorised to process the data are under a duty of confidentiality.
- Implement appropriate technical and organisational security measures (see Annex A), taking into account the state of the art and the risks.
- Engage sub-processors only under Section 4.
- Assist you, taking into account the nature of processing, with: responding to data-subject requests; security; breach notification; and data-protection impact assessments — as reasonably required and proportionate to a service of our scale.
- Notify you without undue delay after becoming aware of a personal-data breach affecting your data.
- On termination, delete or return your personal data, except where storage is required by law, in line with the retention practices in the Privacy Policy.
- Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for audits, subject to reasonable confidentiality, security, frequency, and cost arrangements (typically by providing documentation rather than on-site access, given our scale).
3. Your obligations
You warrant that you have a lawful basis for the personal data you place in the Service, that your instructions comply with data-protection law, and that you will respond to data-subject requests relating to your content (we will assist).
4. Sub-processors
You grant general authorisation for us to use the sub-processors listed in sub-processors.md. We will impose data-protection obligations on each sub-processor that are no less protective than this DPA, and remain responsible for their performance. We will give reasonable notice of new sub-processors and let you object on reasonable data-protection grounds.
5. International transfers
Where personal data is transferred outside the UK, we will ensure an appropriate safeguard is in place (e.g. UK adequacy, the UK International Data Transfer Addendum, or SCCs), as set out in sub-processors.md.
6. Liability
The liability provisions of the Terms of Service apply to this DPA. In case of conflict between this DPA and the Terms on the processing of personal data, this DPA prevails.
7. Governing law
This DPA is governed by the laws of England & Wales.
Annex A — Technical and organisational measures (summary)
- Encryption of data in transit (HTTPS).
- Password hashing (bcrypt); opaque, expiring session tokens; HttpOnly cookies.
- Access controls (per-repo, per-workspace, group-based) and restricted internal/admin interfaces.
- Rate limiting on authentication endpoints.
- Operational monitoring, alerting, and logging.
- Operational backups: nightly off-box snapshots, with restore tested.