How we handle customer personal data as a processor.
The short version of our DPA. The full template is available on request.
Summary
If you need a signed DPA in place before going live, request a signed copy via the contact form. We normally turn around countersignature within five working days.
Scope
The DPA applies whenever you process EEA or UK personal data through Foundation Machines, including the Sebastion AI GitHub App and the OpenAI-compatible API gateway. It sits alongside our terms of service and forms part of the overall agreement between us.
Sub-processors
Our current sub-processors are listed in the privacy policy at /privacy#sub-processors. We will give notice of new sub-processors before they begin processing customer personal data.
Security measures
Technical and organisational measures are documented at /security, including incident response, vulnerability disclosure and ephemeral processing of source code.
International transfers
Where personal data is transferred outside the UK or EEA, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum are incorporated into the DPA by reference.
Contact
Use the contact form (topic: Privacy) to request a signed copy of the DPA or to ask about specific clauses.