Data Processing Agreement
Last updated: February 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between the organization using Plugstash ("Data Controller") and the Platform operator ("Data Processor") for the processing of personal data in connection with the Platform services.
This DPA supplements our Privacy Policy and Terms of Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- Data Controller: The organization that determines the purposes and means of processing personal data
- Data Processor: The Platform operator that processes personal data on behalf of the Data Controller
- Data Subject: The individual whose personal data is being processed
3. Scope and Purpose of Processing
3.1 Categories of Data Subjects
- Organization members (employees, contractors)
- Organization administrators
3.2 Types of Personal Data
- Account information: name, email address, profile picture
- Authentication data: GitHub username, OAuth tokens (encrypted)
- Content: items, articles, comments, reviews, ratings, votes
- Usage data: engagement scores, XP, badge awards
- Technical data: IP addresses (for audit logging), session tokens
3.3 Purpose of Processing
Personal data is processed solely to provide the Platform services:
- User authentication and access control
- Content management and display
- Gamification and engagement features
- Notification delivery (in-app, email, Slack)
- Security monitoring and audit logging
4. Obligations of the Data Processor
4.1 Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required by applicable law.
4.2 Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality.
4.3 Security Measures
The Processor implements appropriate technical and organizational measures, including:
- Encrypted database connections (TLS)
- Secure session management with token-based authentication
- Role-based access control (system roles + organization roles)
- Row-level data isolation between organizations
- Password hashing (bcrypt with 12 salt rounds)
- Audit logging of administrative actions
- Error tracking and monitoring (Sentry)
- Rate limiting on API endpoints
4.4 Sub-processors
The Processor may engage sub-processors with prior written consent of the Controller. Current sub-processors include:
| Sub-processor | Purpose | Data Processed |
|---|---|---|
| GitHub | OAuth authentication | Name, email, profile picture, org memberships |
| Resend | Transactional email delivery | Email addresses, names |
| Sentry | Error tracking and monitoring | User IDs, org IDs, error context |
| Slack (optional) | Notification delivery | Slack user IDs, item metadata |
4.5 Data Subject Rights
The Processor assists the Controller in responding to data subject requests. The Platform provides self-service tools for data subjects:
- Right of Access / Portability: Data export in JSON format (via Account Settings)
- Right to Erasure: Account anonymization or deletion (via Account Settings)
- Consent Management: Cookie preference controls (via Account Settings)
- Session Management: View and revoke active sessions
5. Data Retention
Data retention periods are configurable per organization by administrators:
- Read notifications: configurable (default 90 days)
- Expired sessions: configurable (default 30 days past expiry)
- XP transaction history: configurable (default 365 days)
- Audit logs: 2 years (fixed, for compliance)
- Data export requests: 7 days after completion
Account data is retained while the account is active. Upon account deletion, data is either anonymized (preserving content attribution to "Deleted User") or completely removed, based on the data subject's choice.
6. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:
- Nature of the breach, including categories and approximate number of data subjects affected
- Contact details of the data protection point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. International Transfers
Personal data may be processed in jurisdictions where our infrastructure providers operate. Any international transfers are subject to appropriate safeguards in accordance with GDPR requirements, including standard contractual clauses where applicable.
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
9. Termination
Upon termination of the service agreement or upon request by the Controller, the Processor shall:
- Return all personal data to the Controller (via data export functionality)
- Delete all personal data from the Platform (via organization deletion)
- Certify the deletion upon request
10. Liability
Each party is liable for damages caused by processing that infringes GDPR provisions. The Processor is liable only for processing that does not comply with obligations specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller.
11. Contact
For questions about this DPA or data processing matters, please contact the platform administrator.