# Annotate Data Processing Addendum

Status: standard buyer draft for counsel review and signature.
Effective date: pending execution.

This DPA is intended for customers that use Annotate as a processor/service provider for bug reports, screenshots, diagnostics, and related metadata. It is based on the controller/processor contract concepts in GDPR Article 28 and must be reviewed by counsel before execution.

## Processing Scope

- Subject matter: in-app bug and feedback capture, report triage, issue creation, audit logging, and retention/deletion workflows.
- Data subjects: customer employees, contractors, testers, and end users who submit or appear in reports.
- Data categories: screenshots, page URLs, comments, reporter emails, browser/device metadata, console logs, network diagnostics, optional session replay events, integration metadata, and audit logs.
- Purpose: provide, secure, support, and improve the contracted Annotate service. Customer content is not sold.

## Processor Commitments

- Process customer personal data only on documented customer instructions and the agreement.
- Maintain administrative, technical, and organizational safeguards appropriate to the pilot environment.
- Limit personnel access to support, security, operations, and incident-response needs.
- Encrypt GitHub tokens and Slack webhooks at rest when `SECRET_ENCRYPTION_KEY` is configured.
- Provide per-project retention controls and deletion/purge APIs.
- Maintain audit logs for project, report, integration, export, screenshot, retention, and AI-triage activity.
- Notify the customer without undue delay after confirming a security incident affecting customer personal data.
- Return or delete customer personal data at termination, subject to backup and legal retention limits.

## Subprocessors

Current subprocessors are listed in `/legal/subprocessors`. New subprocessors require commercially reasonable advance notice before they are used to process regulated data in production.

## International Transfers and Residency

The current production environment is a US-hosted pilot deployment. Custom data residency is not offered unless it is separately agreed in writing and provisioned in a dedicated environment.

References: GDPR Article 28 (processor obligations), https://www.edpb.europa.eu/gdpr-articles/article-28-processor_en
