CatWrangler — Data Processing Agreement (DPA)

Last updated: July 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CatWrangler LLC ("CatWrangler," "Processor") and the Customer ("Controller") and applies to the extent CatWrangler processes Personal Data on the Customer's behalf in providing the Service.

1. Definitions

"Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Supervisory Authority" have the meanings in the GDPR. "Data Protection Laws" means the EU GDPR, the UK GDPR and Data Protection Act 2018, the Swiss FADP, and applicable US state privacy laws (including the CCPA/CPRA), each as applicable. "Customer Personal Data" means Personal Data within Customer Data processed by CatWrangler on the Customer's behalf.

2. Roles and Scope

The Customer is the Controller (or a processor acting for its own customers) and CatWrangler is the Processor. CatWrangler will process Customer Personal Data only to provide the Service and only on the Customer's documented instructions, including as set out in the Terms and this DPA. Details of processing (subject-matter, duration, nature/purpose, types of data, categories of data subjects) are in Annex I.

3. CatWrangler Obligations

CatWrangler will:

  • process Customer Personal Data only on documented instructions, including for

international transfers, unless required by law (in which case it will inform the Customer unless legally prohibited);

  • ensure persons authorized to process are bound by confidentiality;
  • implement the technical and organizational measures in Annex II;
  • not use Customer Personal Data, including source code, to train, fine-tune,

or improve AI models, and bind its AI subprocessors to the same;

  • assist the Customer, taking into account the nature of processing, with

responding to Data Subject requests and with security, breach notification, and DPIA obligations (Articles 32–36);

  • notify the Customer without undue delay after becoming aware of a Personal Data

Breach;

  • at the Customer's choice, delete or return Customer Personal Data at the end of

the services and delete existing copies, except where retention is legally required;

  • make available information necessary to demonstrate compliance and allow for

and contribute to audits, subject to reasonable confidentiality and security conditions (see Section 6).

4. Subprocessors

The Customer provides general authorization for CatWrangler to engage subprocessors. CatWrangler will: impose data-protection obligations on each subprocessor substantially equivalent to those in this DPA; remain liable for its subprocessors' performance; maintain the current list in Annex III; and give the Customer notice of intended additions or replacements with an opportunity to object on reasonable data-protection grounds.

5. International Transfers

Where CatWrangler transfers Customer Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (Module Two, Controller-to-Processor, or Module Three as applicable) are incorporated by reference, completed as set out in Annex IV, together with the UK International Data Transfer Addendum and any Swiss amendments. In a conflict, the SCCs prevail.

6. Audits

CatWrangler will make available evidence of compliance such as current third-party audit reports or certifications (for example, SOC 2 or ISO 27001, if and when held). If that is insufficient for a Controller's legal obligation, CatWrangler will allow an audit on reasonable prior notice, no more than once per year (or after a breach), during business hours, subject to confidentiality and without compromising other customers' security.

7. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms.


Annex I — Description of Processing

  • Subject-matter: provision of the CatWrangler hosted code-management and AI

agent Service.

  • Duration: the term of the Terms plus any post-termination retention window.
  • Nature and purpose: hosting, storage, version control, processing, and

AI-assisted transformation of Customer Data to deliver the Service.

  • Types of Personal Data: account identifiers; user names and work emails;

personal data incidentally contained in repositories such as commit author details; usage/log data. Special categories: none intended.

  • Categories of Data Subjects: the Customer's authorized users and personnel,

and individuals referenced incidentally in Customer Data.

Annex II — Technical and Organizational Measures

CatWrangler maintains: encryption in transit and at rest; tenant isolation; least-privilege access controls and multi-factor authentication; network security and logging; backup and recovery; vulnerability management; a secure software development lifecycle; personnel security training; and incident response procedures.

Annex III — Subprocessors

SubprocessorPurposeLocation
Amazon Web Services, Inc.Cloud hosting, storage, and compute; transactional email; user authenticationUnited States
Anthropic, PBCAI model inference powering CatWrangler agents (contractually bound not to train on Customer Data)United States
Supabase, Inc.Tenant persistent storage / databaseUnited States
Stripe, Inc.Payment and billing processing (billing data only)United States

We will update this list and notify Customers of additions or replacements as described in Section 4.

Annex IV — SCC Completion Details

  • Module: Two (Controller to Processor).
  • Clause 7 (docking): not used.
  • Clause 9 (subprocessors): Option 2, general authorization, with prior

notice of changes.

  • Clause 11 (redress): the optional independent dispute-resolution option is

not selected.

  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (forum): the courts of Ireland.
  • Annexes I/II of the SCCs: as set out in Annexes I–II above.