White Coda

Data Processing Addendum

Effective: May 21, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between White Coda Inc. ("Processor") and the customer entity identified in the applicable subscription or service agreement ("Controller"). It governs the processing of personal data that Controller submits to the White Coda platform in the course of using the Service. Terms not defined here have the meanings given in the main agreement and our Privacy Policy.

1. Definitions

  • Personal Data: any information that identifies or could identify a natural person, as defined under applicable data protection law (including GDPR, CCPA/CPRA, and TDPSA).
  • Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • Sub-processor: any third party engaged by White Coda to process Personal Data on behalf of the Controller.
  • Incident: any unplanned interruption to the Service, reduction in its quality, or security event that affects the confidentiality, integrity, or availability of Personal Data.

2. Scope and Role

White Coda processes Personal Data solely as a data processor acting on documented instructions from the Controller. The Controller determines the purposes and means of processing. If White Coda is required by applicable law to process Personal Data beyond the Controller's instructions, it will inform the Controller before doing so unless prohibited by law.

3. Controller Obligations

  • Ensure a lawful basis exists for providing Personal Data to White Coda.
  • Provide data subjects with required notices about processing by White Coda.
  • Respond to data subject rights requests; White Coda will assist as described in Section 7.
  • Keep account credentials and API tokens secure.

4. Processor Obligations

  • Process Personal Data only on documented Controller instructions, including for transfers to third countries.
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see Section 5).
  • Notify Controller of any Sub-processor changes with at least 30 days' prior notice.
  • Assist Controller in meeting its data protection obligations, including security, breach notification, and data subject rights.
  • Delete or return Personal Data upon termination of the agreement as described in Section 9.
  • Make available all information necessary to demonstrate compliance and cooperate with audits as described in Section 10.

5. Security Measures

Technical Controls

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest
  • Row-level security policies enforced at the database layer
  • Role-based access control (RBAC) limiting data access to authorized personnel
  • Multi-factor authentication required for internal administrative access
  • Continuous vulnerability scanning and periodic penetration testing
  • Automated anomaly detection and alerting on production systems

Organizational Controls

  • Security awareness training for all personnel with access to production systems
  • Documented incident response plan reviewed at least annually
  • Vendor security assessments before onboarding Sub-processors
  • Change management process requiring review before production deployments

6. Sub-processors

White Coda engages the following Sub-processors as of the effective date of this DPA. We will notify Controllers of any additions or replacements with at least 30 days' notice.

  • Supabase Inc. (United States) — database hosting, authentication, and real-time APIs
  • Vercel Inc. (United States) — application hosting and edge delivery
  • Stripe Inc. (United States) — payment processing and billing
  • Mailgun Technologies (United States) — transactional email delivery
  • Twilio Inc. (United States) — SMS and voice notifications
  • Amazon Web Services (United States) — cloud storage for media and backups

Each Sub-processor is bound by contractual terms that provide at least equivalent data protection to this DPA.

7. Data Subject Rights

White Coda will assist the Controller in fulfilling data subject rights requests received by either party within applicable legal timeframes. White Coda will:

  • Forward data subject requests received directly to the Controller within 5 business days.
  • Provide technical assistance (data exports, deletion, restriction) at Controller's documented direction.
  • Not respond to data subjects on the Controller's behalf without prior written authorization.

8. Data Retention and Deletion

Active Data

Personal Data is retained for the duration of the active subscription. Upon account deletion or subscription termination, Personal Data is marked for deletion and purged within 30 days, except as required for legal, financial, or incident-retention obligations described below.

Backup Retention

Automated database backups are retained for 30 days on a rolling basis. Backups older than 30 days are permanently deleted unless subject to a legal hold or incident-retention policy.

Billing and Financial Records

Transaction records required for tax and accounting compliance are retained for 7 years regardless of account status. These records contain the minimum Personal Data necessary for compliance.

Incident-Retention Policy

Following a service incident or security event, White Coda may retain logs, database snapshots, and diagnostic artifacts related to that incident for up to 12 months from the date the incident was first detected. This retention enables root-cause analysis, regulatory reporting, legal defensibility, and client communication. Incident-retained data is:

  • Stored in isolated, access-controlled storage separate from production systems.
  • Accessible only to authorized engineering and security personnel for incident-related purposes.
  • Not used for commercial purposes, product development, or marketing.
  • Permanently deleted at the end of the 12-month retention window unless extended by a legal hold.

This policy was reviewed and updated following the service disruption on 13 May 2026. Data retained in connection with that incident will be permanently deleted no later than 13 May 2027, absent a lawful hold requirement. Controllers with questions about the May 2026 incident may contact privacy@whitecoda.com.

9. Return and Deletion on Termination

Upon expiry or termination of the agreement, at Controller's election, White Coda will either: (a) return Personal Data in a standard machine-readable format (JSON or CSV) within 30 days; or (b) securely delete Personal Data within 30 days, with written confirmation of deletion. Deletion is subject to the incident-retention and legal-hold exceptions in Section 8.

10. Audit Rights

Controller may, upon 30 days' written notice and no more than once per calendar year, request an audit of White Coda's data-processing activities relevant to this DPA. White Coda may satisfy audit requests by providing current third-party audit reports (SOC 2 Type II, ISO 27001, or equivalent) in lieu of direct access to systems. Costs of audits exceeding the scope of available reports are borne by the Controller.

11. Breach Notification

White Coda will notify Controller of a confirmed personal data breach without undue delay, and in any event within 72 hours of becoming aware of it. Notification will include: the nature of the breach; categories and approximate number of data subjects and records affected; likely consequences; measures taken or proposed to address the breach; and a point of contact for further information. White Coda will cooperate with Controller's incident-response activities and provide updates as the investigation progresses.

12. International Data Transfers

White Coda and its Sub-processors process Personal Data in the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs) published by the European Commission, incorporated by reference into this DPA. Controller and White Coda each agree to be bound by the applicable module of those SCCs.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set out in the main service agreement. White Coda's total liability for claims under this DPA shall not exceed the amounts paid by Controller in the 12 months preceding the claim, except where liability cannot be limited by applicable law (e.g. for gross negligence or willful misconduct).

14. Governing Law

This DPA is governed by the same law and dispute-resolution provisions as the main service agreement. For Controllers in the European Economic Area, mandatory provisions of applicable EU data protection law prevail to the extent of any conflict.

15. Order of Precedence

In the event of a conflict between this DPA and the main service agreement, this DPA takes precedence with respect to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs take precedence with respect to international transfers.

16. Updates to This DPA

White Coda may update this DPA to reflect changes in applicable law, Sub-processor arrangements, or security practices. Material changes will be communicated to Controllers with at least 30 days' notice. Continued use of the Service after the effective date of changes constitutes acceptance.

17. Contact

Data protection and DPA inquiries: privacy@whitecoda.com

White Coda Inc.
Data Protection Officer
United States

TermsPrivacyCookiesDPA
← Back to Login
    Data Processing Addendum | White Coda