SetForth Data Processing Addendum
Last updated: July 1, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement (the "Agreement") between SetForth, LLC ("SetForth," "Processor") and the customer ("Customer," "Controller") for SetForth's provision of the Service. It governs the Processing of Customer Personal Data by SetForth on the Customer's behalf.
This DPA applies where and to the extent SetForth Processes Customer Personal Data that is subject to Data Protection Laws. Where SetForth determines the purposes and means of processing personal data (for example, account administration, billing, website, security, and analytics), SetForth acts as a controller and that processing is governed by the Privacy Policy, not this DPA.
By accepting the Agreement, or by signing or otherwise agreeing to this DPA, the Customer enters into this DPA on behalf of itself and, to the extent required by Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
1. Definitions
1.1 Capitalized terms not defined here have the meaning in the Agreement.
1.2 In this DPA:
- "Customer Personal Data" means Personal Data contained in Customer Content or otherwise Processed by SetForth on the Customer's behalf to provide the Service.
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").
- "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" have the meanings given in the EU GDPR, and equivalent terms in other Data Protection Laws (including "business," "service provider," "consumer," and "sale"/"share" under the CCPA) have their corresponding meanings.
- "EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (version B1.0, in force 21 March 2022).
- "Restricted Transfer" means a transfer of Customer Personal Data to a country or recipient not recognized as providing an adequate level of protection under the applicable Data Protection Laws.
- "Subprocessor" means any third party engaged by SetForth to Process Customer Personal Data.
2. Roles and scope
2.1 Roles. As between the parties, the Customer is the Controller (or a Processor acting on behalf of a third-party Controller) of Customer Personal Data, and SetForth is the Processor (or Subprocessor). Where the Customer is a Processor, the Customer warrants that its instructions and actions, including appointing SetForth as a Subprocessor, are authorized by the relevant Controller.
2.2 Scope. SetForth will Process Customer Personal Data only as a Processor to provide the Service in accordance with the Agreement, this DPA, and the Customer's documented instructions. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
3. Processing instructions
3.1 Documented instructions. SetForth will Process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement and this DPA, as necessary to provide and support the Service, and as configured by the Customer and its Authorized Users through the Service. The Customer's use of the Service constitutes an instruction to Process Customer Personal Data as needed to deliver the Service, including transmitting Customer Content to SetForth's Subprocessors (such as the AI model provider) to perform the work the Customer requests.
3.2 Lawfulness of instructions. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for having a lawful basis and all necessary rights, notices, and consents to provide it and to instruct the Processing. The Customer's instructions must comply with Data Protection Laws.
3.3 Unlawful instructions. SetForth will inform the Customer if, in its reasonable opinion, an instruction infringes Data Protection Laws, unless legally prohibited from doing so. SetForth is not obligated to perform legal research to make this determination.
4. Confidentiality
SetForth will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training, and will limit access to Customer Personal Data to personnel who need it to provide the Service.
5. Security
5.1 Measures. SetForth will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as described in Annex II.
5.2 Updates. SetForth may update its security measures from time to time provided the updates do not materially diminish the overall level of protection.
5.3 Customer responsibilities. The Customer is responsible for its own use and configuration of the Service, including access management for its Authorized Users, the scope of access it grants to connected systems and repositories, and its decisions about what Customer Personal Data to submit, and for maintaining appropriate backups of Customer Content (see Agreement Sections 3 and 14).
6. Subprocessors
6.1 General authorization. The Customer provides general written authorization for SetForth to engage Subprocessors to Process Customer Personal Data. SetForth's current Subprocessors are listed at the Subprocessor List (the "Subprocessor List"), available at setforth.app/legal/subprocessors.
6.2 New Subprocessors. SetForth will provide notice of the addition or replacement of a Subprocessor (for example, by updating the Subprocessor List and offering a mechanism to subscribe to notifications) at least thirty (30) days before authorizing the new Subprocessor to Process Customer Personal Data.
6.3 Objection. The Customer may object on reasonable, data-protection-related grounds by written notice within thirty (30) days of the notice. The parties will work in good faith to resolve the objection. If they cannot, the Customer may, as its sole remedy, terminate the affected portion of the Service by written notice, and the Refund & Billing Policy governs any refund.
6.4 Flow-down and liability. SetForth will impose on each Subprocessor data-protection obligations no less protective than those in this DPA to the extent applicable to the services the Subprocessor provides, and SetForth remains responsible for its Subprocessors' performance of those obligations.
7. Data Subject rights
Taking into account the nature of the Processing, SetForth will provide reasonable assistance, including by appropriate technical and organizational measures and the functionality of the Service, to enable the Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If SetForth receives such a request directly relating to Customer Personal Data, it will, unless legally prohibited, promptly inform the Customer and advise the Data Subject to submit the request to the Customer; SetForth will not respond except on the Customer's instruction or as legally required.
8. Personal Data Breaches
8.1 SetForth will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 The notification will include, to the extent known and as it becomes available, a description of the nature of the breach, the likely consequences, and the measures taken or proposed to address it. SetForth will take reasonable steps to mitigate and remediate the breach and will reasonably cooperate with the Customer's obligations to notify Supervisory Authorities or Data Subjects.
8.3 SetForth's notification of or response to a Personal Data Breach is not an acknowledgment of fault or liability.
9. Data protection impact assessments
Taking into account the nature of the Processing and the information available to SetForth, SetForth will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities that the Customer is required to carry out under Data Protection Laws, in each case solely in relation to Processing by SetForth.
10. Return or deletion
10.1 Upon termination or expiration of the Agreement, SetForth will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by applicable law or permitted by this DPA. The Customer is responsible for exporting Customer Content before termination (Agreement Section 13).
10.2 SetForth may retain Customer Personal Data to the extent and for the period required by applicable law and in routine backups made for disaster-recovery and business-continuity purposes, in which case SetForth will continue to protect it in accordance with this DPA and will not actively Process it other than as required for storage and deletion in the ordinary course.
11. Audits
11.1 SetForth will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the EU GDPR, which may be satisfied by providing SetForth's then-current security and compliance documentation, summaries of third-party audit reports, or completed security questionnaires (the detailed materials available on request and subject to confidentiality).
11.2 Where Data Protection Laws require an audit right that cannot be satisfied under Section 11.1, the Customer may, no more than once per twelve (12) months and on at least thirty (30) days' prior written notice, conduct an audit limited to information relevant to SetForth's Processing of the Customer's Personal Data, during business hours, without unreasonable disruption, subject to confidentiality, and at the Customer's expense, except where Data Protection Laws provide otherwise.
12. International transfers
12.1 General. SetForth may Process and transfer Customer Personal Data in the United States and in other countries where SetForth or its Subprocessors operate. For any Restricted Transfer, the parties will rely on an appropriate transfer mechanism as set out in this Section.
12.2 EU SCCs. Where Customer Personal Data subject to the EU GDPR is the subject of a Restricted Transfer, the EU SCCs are incorporated into and form part of this DPA, completed as set out in the Appendix (SCC particulars):
- Module Two (Controller to Processor) applies where the Customer is a Controller; Module Three (Processor to Processor) applies where the Customer is a Processor.
- Clause 7 (docking) applies; Clause 9 Option 2 (general written authorization) applies with the time period in Section 6.2; the optional language in Clause 11 does not apply; Clause 17 (governing law) and Clause 18 (forum) are completed in the Appendix.
- Annexes I, II, and III to the EU SCCs are populated by Annex I, Annex II, and the Subprocessor List of this DPA, respectively.
12.3 UK. Where the UK GDPR applies, the UK Addendum is incorporated and amends the EU SCCs as completed in the Appendix.
12.4 Switzerland. Where the FADP applies, the EU SCCs apply with the adaptations necessary under the FADP (including that references to the GDPR are to the FADP, the competent authority is the Swiss Federal Data Protection and Information Commissioner, and the clauses also protect data of legal entities until the FADP no longer requires it).
12.5 Alternative mechanisms. SetForth may adopt an alternative lawful transfer mechanism (such as an adequacy decision or certification) in place of the above, in which case that mechanism applies.
12.6 Conflict. In the event of any conflict between this DPA and the EU SCCs or UK Addendum, the SCCs or UK Addendum prevail with respect to the relevant Restricted Transfer.
13. CCPA and U.S. state privacy laws
13.1 To the extent SetForth Processes Personal Data subject to the CCPA on the Customer's behalf, SetForth acts as a service provider (or processor) and: (a) will not sell or share such Personal Data; (b) will not retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA, including not retaining, using, or disclosing it outside the direct business relationship between the parties; (c) will not combine it with Personal Data from other sources except as permitted by the CCPA; and (d) certifies that it understands and will comply with these restrictions.
13.2 SetForth will provide reasonable assistance to enable the Customer to comply with consumer-rights requests under U.S. state privacy laws and will notify the Customer if it determines it can no longer meet its obligations under applicable U.S. state privacy law.
14. General
14.1 Liability. Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Agreement (including Section 17 of the Terms), except to the extent Data Protection Laws require otherwise. For clarity, the SCCs' liability and indemnification provisions, where they apply, operate as between the parties as required by those clauses.
14.2 Order of precedence. With respect to Customer Personal Data, if there is a conflict, the order of precedence is: (1) the EU SCCs / UK Addendum (for the relevant Restricted Transfer); (2) this DPA; (3) the remainder of the Agreement.
14.3 Term. This DPA takes effect on the Effective Date and continues until SetForth has ceased Processing Customer Personal Data and deleted or returned it in accordance with Section 10. The obligations survive termination of the Agreement for as long as SetForth Processes Customer Personal Data.
14.4 Changes. SetForth may amend this DPA on reasonable notice to the extent necessary to comply with Data Protection Laws or to reflect changes to approved transfer mechanisms, provided such amendments do not materially diminish the protection of Customer Personal Data.
14.5 Governing law. Except as required by the SCCs (which are governed as stated in the Appendix), this DPA is governed by the law of the Agreement.
Annex I — Description of Processing
(This Annex populates Annex I of the EU SCCs.)
A. List of parties.
- Data exporter (Controller / Processor): the Customer, as identified in the Agreement; contact as set out in the Customer's account; role as set out in Section 2.1.
- Data importer (Processor / Subprocessor): SetForth, LLC, 5900 Balcones Drive, Ste 100, Austin, TX 78731; contact privacy@setforth.app; activities: provision of the Service described in the Agreement.
B. Description of the transfer / Processing.
- Categories of Data Subjects: the Customer's Authorized Users; individuals whose Personal Data is contained in Customer Content (for example, individuals referenced in the Customer's source code repositories, documents, prompts, or configuration, which may include the Customer's personnel, contractors, and the Customer's own end users or customers).
- Categories of Personal Data: identifiers and account data of Authorized Users (such as name, email, organization, and identity-provider identifiers); and any Personal Data the Customer or its Authorized Users include in Customer Content submitted to or generated through the Service. The specific Personal Data within Customer Content is determined and controlled by the Customer.
- Special categories of Personal Data: not intended to be Processed; the Customer should not submit special-category data except as expressly agreed and in compliance with Data Protection Laws.
- Frequency of the transfer: continuous, for the duration of the Agreement.
- Nature and purpose of Processing: hosting, storage, transmission, analysis, generation, modification, and other Processing necessary to provide the Service, including running AI Agents on Customer Content and Customer Repositories and transmitting necessary content to the AI model provider for inference.
- Duration: for the term of the Agreement and until deletion or return under Section 10.
- Subprocessor Processing: as described in the Subprocessor List, for the duration of the Agreement.
C. Competent Supervisory Authority.
- For EU SCCs purposes: the supervisory authority of the EEA member state in which the Customer (data exporter) is established, or, where the exporter is not established in the EEA, the Irish Data Protection Commission.
Annex II — Technical and Organizational Measures
SetForth maintains the measures described below, as further detailed in the Security Overview and in security documentation available on request. (This Annex populates Annex II of the EU SCCs.)
- Encryption. Encryption of data in transit using current TLS; encryption of sensitive credentials and tokens at rest; hashing of secrets and use of timing-safe comparisons for secret verification.
- Access control and authorization. Authentication through an enterprise identity provider (with support for SSO); multi-factor authentication required for SetForth administrative and production access; role-based access control and fine-grained, resource-level authorization; least-privilege access; and organization-scoped access enforced on data access.
- Tenant isolation. Multi-tenant data is organization-scoped, and access is filtered and enforced by organization on each request.
- Execution isolation and credential protection. Untrusted code is executed in isolated sandbox environments; AI Agents do not receive third-party provider credentials, and privileged operations (such as repository access) are mediated server-side through a credential-injecting proxy.
- Secrets management. Secrets are stored in a managed secrets system and are not exposed to Agents or tenants.
- Network security. Private networking between services and protective controls at the network edge for internet-facing components.
- Logging and monitoring. Application logging, audit logging of significant actions, and error and performance monitoring.
- Resilience and backups. Use of managed, resilient cloud infrastructure; automated backups of primary datastores; and a disaster-recovery and business-continuity plan covering restoration of the Service.
- Secure development. Type-safe codebase, code review, dependency management, and validation of untrusted input.
- Subprocessor management. Due diligence and contractual data-protection terms with Subprocessors.
- Organizational measures. Confidentiality obligations for personnel, and access to production systems and Customer Personal Data limited to authorized personnel on a need-to-know basis.
- Physical security. Provided by SetForth's hosting providers, which maintain their own physical-security and compliance programs.
Annex III — List of Subprocessors
The Customer has authorized the use of the Subprocessors listed in the Subprocessor List, as updated in accordance with Section 6.
Appendix — SCC particulars (completed selections)
For incorporation of the EU SCCs and UK Addendum under Section 12:
- Modules: Module Two and/or Module Three, as applicable per Section 12.2.
- Clause 7 (Docking clause): applies.
- Clause 9 (Use of Subprocessors): Option 2 (general written authorization); notice period as in Section 6.2 (30 days).
- Clause 11 (Redress): the optional language does not apply.
- Clause 17 (Governing law): the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
- Annex I.A (Parties): as in Annex I.A above.
- Annex I.B (Description of transfer): as in Annex I.B above.
- Annex I.C (Competent supervisory authority): as in Annex I.C above.
- Annex II (TOMs): as in Annex II above.
- Annex III (Subprocessors): the Subprocessor List.
UK Addendum tables:
- Table 1 (Parties) / Table 2 (Selected SCCs) / Table 3 (Appendix information): as completed by Annex I and II above and the EU SCC selections.
- Table 4 (Ending the Addendum when the Approved Addendum changes): neither Party may end the UK Addendum as set out in its Section 19.
Contact
Questions about this DPA: privacy@setforth.app.
SetForth, LLC · privacy@setforth.app
