
Data Processing Agreement

Version: 2026-04-21

Auto-incorporated by reference into the CDK Insights Terms & Conditions for all business subscriptions.

1. Parties

This Data Processing Agreement ("DPA") forms part of the subscription agreement between Instance Labs Ltd ("Processor", Company No. 17053174, registered in England & Wales, 66 Paul Street, London, EC2A 4NA) and the Customer identified on the relevant subscription ("Controller").

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller in order to provide the CDK Insights SaaS service (the "Services"). This DPA applies for the term of the subscription and survives termination for as long as the Processor holds any Controller personal data.

3. Nature and purpose of the processing

Processing is limited to what is necessary to deliver the Services and includes: ingesting CDK source code and configuration submitted by the Controller; running AI and static analysis on that input; generating analysis reports and recommendations; storing usage counters and subscription metadata; sending transactional email related to the subscription; and supporting customer-initiated data-subject rights requests.

4. Categories of data subjects

  • The Controller's end users who interact with the CDK Insights service.
  • The Controller's employees and contractors who submit CDK code for analysis.
  • Third parties whose personal data may appear incidentally in CDK source or configuration (e.g. resource owner tags).

5. Categories of personal data

  • Authentication identifiers (email address, Cognito sub).
  • Payment identifiers (Stripe customer ID, subscription status — full card details are never received by the Processor).
  • Technical personal data contained in CDK source code, configuration, and analysis output.
  • Error-tracking context (URL, user agent, stack traces, user ID).
  • Audit metadata (source IP and user agent of consent decisions, DSAR request identifiers).

6. Processor obligations (Article 28)

The Processor shall:

  1. Process personal data only on the Controller's documented instructions, including with regard to transfers, unless required to do so by UK or EU law.
  2. Ensure that persons authorised to process personal data are bound by confidentiality obligations or a statutory duty of confidentiality.
  3. Implement and maintain the technical and organisational measures set out in Schedule 1 to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  4. Not engage a sub-processor without prior general written authorisation; the Processor maintains a public sub-processor list at instancelabs.dev/sub-processors and will give at least 30 days' notice of material additions or changes.
  5. Taking into account the nature of the processing, assist the Controller through appropriate technical and organisational measures, insofar as this is possible, to respond to data-subject rights requests (Articles 15–22).
  6. Assist the Controller in complying with Articles 32–36 (security, breach notification, DPIAs, and prior consultation) taking into account the nature of processing and the information available to the Processor.
  7. Notify the Controller without undue delay — and in any event within 48 hours — of becoming aware of a personal-data breach affecting the Controller's data.
  8. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services and delete existing copies, unless UK or EU law requires storage (see Schedule 2 — Retention).
  9. Make available to the Controller all information necessary to demonstrate compliance with the obligations in UK GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (subject to reasonable notice and confidentiality undertakings).

7. Sub-processors

The current list of sub-processors is maintained at instancelabs.dev/sub-processors. Material additions or replacements will be notified to the Controller's primary account holder by email at least 30 days in advance. The Controller may object to a new sub-processor in writing during the notice period; an unresolved objection entitles the Controller to terminate the affected subscription with a pro-rata refund of any prepaid fees.

8. International transfers

Personal data is primarily processed in the AWS EU-West-2 (London) region. Where data is transferred outside the UK or EEA to a sub-processor (Stripe, Sentry, Google Analytics, AI model providers), such transfers are governed by the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses (or, where applicable, the UK IDTA as a standalone instrument). Copies are available from the Processor on written request.

9. Liability and governing law

This DPA is governed by the laws of England and Wales. Liability arising from this DPA is subject to the liability cap set out in the Terms & Conditions of the subscription, to the extent permitted by applicable data-protection law.

10. Acceptance

Business Customers accept this DPA by clicking to accept during checkout or by continuing to use the Services after being notified of a material update. On acceptance, the Processor records the DPA version and timestamp in Stripe customer metadata (fields dpa_version and dpa_accepted_at) as evidence of acceptance.

Schedule 1 — Technical and organisational measures

  • Encryption in transit (TLS 1.2+) for all Customer-facing endpoints and inter-service calls.
  • Encryption at rest (AWS-managed KMS) for all durable stores (DynamoDB, S3, Cognito).
  • Multi-factor authentication enforced for Processor administrator accounts (AWS Console, GitHub, Stripe).
  • Least-privilege IAM; DSAR audit tables carry explicit DENY statements on mutation APIs.
  • Production deployments only via GitHub Actions with OpenID Connect to AWS — no standing credentials.
  • Error tracking (Sentry) scrubs request bodies, auth headers, cookies, and email/IP fields before events leave the Processor's infrastructure.
  • Incident-response runbook with a 72-hour breach-notification commitment and on-call rota.
  • Annual security review covering account hygiene, dependency scanning, and sub-processor due diligence.

Schedule 2 — Retention

Retention is set out in the Privacy Policy and summarised here:

  • Account data: duration of the subscription; 7-day soft-delete grace on erasure.
  • CDK code snippets: transient in memory only; never written to durable storage.
  • Stripe payment records: 6 years (HMRC); personal details scrubbed, invoice amounts retained against a pseudonymised reference.
  • DSAR audit trail: 6 years (UK Limitation Act 1980); hashed user identifier only.
  • DynamoDB point-in-time-recovery backups: up to 35 days.
  • DSAR export bundles: 7-day encrypted S3 object behind a pre-signed URL.
  • Server logs: 30 days.

Contact

For DPA-related questions or to request signed copies of international-transfer instruments, contact privacy@cdkinsights.dev.

This document is a draft pending legal review. Business customers requiring a signed DPA should contact the address above.