Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Pigi ("Processor") and the customer organisation ("Controller") that has accepted Pigi's Terms of Service. It governs the processing of personal data by Pigi on behalf of the Controller, as required by the General Data Protection Regulation (EU) 2016/679 ("GDPR") Art. 28.
This DPA applies only to B2B customers who process personal data of their end-users through Pigi. Consumer accounts are covered solely by the Privacy Policy.
1. Definitions
- Controller — the customer organisation that determines the purposes and means of processing personal data.
- Processor — Pigi, which processes personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
- Sub-processor — any third party engaged by Pigi to process personal data.
2. Scope & Subject Matter
Pigi processes personal data on behalf of the Controller solely to provide the Pigi platform services described in the Terms of Service: storing and syncing AI coding assistant configurations, managing team memberships, and generating AI-assisted content via integrated AI APIs.
3. Nature, Purpose & Duration
| Attribute | Detail |
|---|---|
| Nature of processing | Storage, retrieval, transmission, deletion of configuration and account data |
| Purpose | Provision of the Pigi SaaS platform as contracted |
| Categories of data | Name, email address, organisation name, API keys (hashed), team configuration data |
| Categories of data subjects | Controller's employees and invited team members |
| Duration | For the term of the subscription; personal data deleted within 30 days of account termination |
4. Processor Obligations
Pigi shall:
- Process personal data only on documented instructions from the Controller (i.e. to provide the Service) or as required by applicable law.
- Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures (Art. 32 GDPR).
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller in meeting its obligations regarding security, breach notification, DPIAs, and prior consultation.
- Delete or return all personal data at the Controller's choice upon termination of the contract.
- Make available all information necessary to demonstrate compliance with this DPA and GDPR Art. 28.
5. Controller Obligations
The Controller warrants that it:
- Has a lawful basis for any personal data provided to Pigi for processing.
- Has provided any required notices to data subjects regarding the use of Pigi.
- Will not instruct Pigi to process personal data in violation of applicable law.
6. Sub-processors
Pigi engages the following sub-processors to deliver the Service. By accepting this DPA, the Controller provides general authorisation for Pigi to engage sub-processors. Pigi will notify the Controller of any intended changes to sub-processors and provide the opportunity to object.
| Sub-processor | Purpose | Location | DPA / Privacy |
|---|---|---|---|
| Stripe, Inc. | Payment processing, billing | USA (SCCs) | stripe.com/privacy |
| Anthropic, PBC | AI content generation (Claude API) | USA (SCCs) | anthropic.com/legal/privacy |
Pigi has entered into, or operates under, standard contractual clauses or equivalent data transfer mechanisms with each sub-processor listed above where required for transfers outside the EEA.
7. Security Measures
Pigi maintains appropriate technical and organisational measures including, but not limited to:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Per-tenant database isolation — each organisation's data is stored in a separate database.
- API keys stored as SHA-256 hashes; never stored in plaintext.
- Access control and role-based permissions within the platform.
- Regular security assessments and dependency updates.
8. Data Breach Notification
In the event of a personal data breach, Pigi shall notify the Controller without undue delay after becoming aware of the breach (and in any case within 72 hours where feasible), providing sufficient information to allow the Controller to meet its own GDPR notification obligations.
9. International Transfers
Where personal data is transferred outside the European Economic Area, Pigi ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.
10. Governing Law
This DPA is governed by the laws applicable to the main agreement (Terms of Service). In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data protection.
Contact & Execution
To request a signed copy of this DPA for your records, or to raise any data protection queries, contact:
legal@pigi.dev