Data Processing Agreement (DPA)

1. Availability

If your organization uses Crew Orbit to process personal data on its behalf, we can provide a Data Processing Agreement covering that processing relationship. The DPA is intended for business customers and applies together with our Terms of Service and Privacy Policy.

2. Roles

For customer workspace content processed on behalf of an organization, the customer organization is generally the controller and Forge Labs UG is the processor. This typically includes prompts, repository context, attachments, tasks, generated outputs, and related metadata processed to provide the service.

3. Scope of processing

• Hosting and storage on AWS infrastructure operated primarily in `eu-central-1`.
• Authentication, access control, billing, logging, and support operations necessary to run the service.
• Processing of customer instructions through configured AI and Git providers used within the workspace.
• Security, incident response, deletion, and return or export workflows described in our Privacy Policy.

4. Subprocessors and transfers

Our current subprocessor categories and named providers are listed at /subprocessors. Where personal data is transferred outside the EEA/UK/Switzerland, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses where required.

5. Security commitments

• Encryption in transit via HTTPS and encryption at rest for core AWS storage services.
• Server-side protection for stored credentials, including KMS-backed encryption in production and QA.
• Authenticated access control, permission checks, service-token-protected worker callbacks, and rate limiting.

6. How to request