DevSecAI Data Processing Agreement
Last Updated: 21 June 2026
This Data Processing Agreement (DPA) forms part of the agreement between DevSecAI Limited (company no. 16127905) (Processor, DevSecAI) and the customer organisation that uses Arko (Controller, Customer), and governs DevSecAI’s processing of personal data on the Customer’s behalf in connection with Arko. Where there is a conflict, this DPA prevails over the Terms and Conditions and any order form in respect of data protection.
1. Definitions
Terms such as personal data, processing, controller, processor, data subject, personal data breach and supervisory authority have the meanings given in the UK GDPR and the Data Protection Act 2018 (Data Protection Laws). Subprocessor means a processor engaged by DevSecAI to process personal data.
2. Roles and Scope
The Customer is the Controller and DevSecAI is the Processor in respect of the personal data processed through Arko. Each Party will comply with its obligations under Data Protection Laws. The details of processing are set out in Annex 1.
3. Processing on Documented Instructions
DevSecAI will process personal data only on the Customer’s documented instructions, including as set out in this DPA, the Terms, and the configuration of Arko, unless required to do otherwise by law, in which case DevSecAI will where lawful inform the Customer first. DevSecAI will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.
4. Confidentiality
DevSecAI will ensure that personnel authorised to process personal data are bound by confidentiality obligations and process personal data only as necessary to provide Arko.
5. Security
DevSecAI will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 3 and on the DevSecAI Trust Center at https://trust.devsecai.io. These include encryption of personal data in transit and at rest, access controls, logical tenant isolation, and ongoing monitoring. DevSecAI is completing a SOC 2 Type II examination.
6. Subprocessors
The Customer provides general authorisation for DevSecAI to engage Subprocessors to process personal data, subject to this clause. The Subprocessors at the date of this DPA are listed in Annex 2. DevSecAI will impose data-protection obligations on each Subprocessor no less protective than those in this DPA, and remains responsible for its Subprocessors' performance. DevSecAI will give the Customer at least 30 days' prior notice, via the Trust Center subprocessor list and email, of any intended addition or replacement of a Subprocessor, allowing the Customer to object on reasonable data-protection grounds.
7. Assistance to the Customer
Taking into account the nature of processing, DevSecAI will assist the Customer, so far as reasonably possible through Arko’s functionality, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection), and to meet its obligations regarding security, personal-data-breach notification, and data protection impact assessments and prior consultation under Articles 32 to 36.
8. Personal Data Breach
DevSecAI will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data, and will provide information reasonably available to help the Customer meet its own notification obligations.
9. Return or Deletion
On termination or expiry of the services, and at the Customer’s choice, DevSecAI will delete or return the personal data it processes on the Customer’s behalf and delete existing copies within 90 days, unless retention is required by law.
10. Audits and Information
DevSecAI will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28, including its SOC 2 report once issued and documentation via the Trust Center, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable prior notice, confidentiality, and a frequency of no more than once per year unless a supervisory authority requires otherwise.
11. International Transfers
DevSecAI will not transfer personal data outside the UK except where an appropriate safeguard is in place (UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses) or another lawful basis applies. Production data for Arko is hosted in the UK (AWS eu-west-2); AI inference runs on private EU model hosting via Amazon Bedrock and is not shared with the AI model provider.
12. Liability
The Parties’ liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions and main agreement.
13. Governing Law
This DPA is governed by the laws of England and Wales, consistent with the Terms and Conditions.
Annex 1 - Details of Processing
Subject matter: provision of the Arko security platform (IDE plugin and Control Plane).
Duration: for the term of the Customer’s use of Arko, plus any retention period in clause 9.
Nature and purpose: analysing code for security risk; generating, storing and presenting findings; enabling the Control Plane; and supporting and improving the service (excluding AI model training).
Types of personal data: account information (names, business email addresses, sign-in identifiers) and any personal data incidentally contained in the code submitted for analysis or in findings and metadata. In the IDE, code is analysed in transit and files are not retained; for build and repository scans, submitted code is processed within the Customer’s isolated, encrypted tenant and automatically deleted after a limited retention period (7 days; 30 for some tenants). Findings and short per-finding code excerpts are retained up to 30 days, with secrets redacted. No special-category data is intended to be processed.
Categories of data subjects: the Customer’s developers, administrators and authorised users, and any individuals whose personal data may incidentally appear in code or findings.
Annex 2 - Subprocessors
Amazon Web Services (AWS): cloud hosting and AI model inference via Amazon Bedrock (Anthropic Claude models; code is not shared with the model provider), UK (London, eu-west-2).
Vanta: security and compliance monitoring, UK/EU.
Google Workspace: business email and productivity (no customer scan data stored), EU/US.
The current list is maintained at https://trust.devsecai.io.
Annex 3 - Technical and Organisational Measures
Encryption: personal data encrypted in transit (TLS) and at rest.
Data minimisation: comments and whitespace are stripped from files before analysis to minimise what is sent; in the IDE, files are analysed in transit and not retained; full source code is not persisted; customer data is not used to train AI models.
Access control: role-based access, MFA on enterprise admin accounts, least privilege, and credentials kept out of source control.
Tenant isolation: logical and, for enterprise tenants, per-tenant database isolation, with cross-tenant leakage testing on change.
Hosting: AWS UK region (eu-west-2) with EU-only AI inference via Bedrock.
Monitoring and governance: logging, monitoring, an approved information-security policy set, and a SOC 2 Type II programme (in progress) with planned independent penetration testing.
Full, current detail is published on the Trust Center at https://trust.devsecai.io.
Contact
For data-protection matters: info@devsecai.io. Trust Center: https://trust.devsecai.io.