Data Processing Agreement
Last updated: March 14, 2026
Full DPA available on request
Koalr's full Data Processing Agreement (DPA) — compliant with Article 28 of the GDPR — is available to all Business and Enterprise customers. To request the full DPA for signature, email legal@koalr.com.
Overview
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Koalr Terms of Service between Koalr, LLC. (“Processor”) and the customer (“Controller”). This DPA reflects the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Subject matter and scope
Koalr processes personal data on behalf of the Controller solely for the purpose of providing the Koalr engineering intelligence platform as described in the Terms of Service. The types of personal data processed include: GitHub user identifiers, engineering activity data (commits, PRs, deployments), on-call and incident attribution data, and email addresses of organization members.
Processor obligations
Koalr, as Processor, shall: (a) process personal data only on documented instructions from the Controller; (b) ensure persons authorized to process personal data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures; (d) respect conditions for engaging sub-processors; (e) assist the Controller in fulfilling data subject rights requests; (f) delete or return all personal data upon termination; and (g) provide all information necessary to demonstrate compliance with GDPR Article 28.
Sub-processors
Koalr uses sub-processors as listed at koalr.com/legal/subprocessors. Koalr will notify Controllers of any intended changes to the sub-processor list with at least 14 days advance notice, providing the Controller the opportunity to object.
International transfers
Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to countries without an adequacy decision, Koalr relies on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. SCCs are available as an annex to the full DPA upon request.
Security measures
Koalr implements the following technical and organizational measures: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, multi-factor authentication for all staff access, regular security assessments, and incident response procedures. Details are available in our Security documentation upon request.
Request the full DPA
To request the full, signable DPA for your organization, email legal@koalr.com with your organization name and the email address you use to log in to Koalr. We respond within 2 business days.