Data Processing Agreement
Codesift LLC · codesift.ai
Effective Date: May 1, 2026 · Last Updated: May 1, 2026
This Data Processing Agreement (“DPA”) is entered into by and between the Customer identified in the Codesift account (“Controller” or “Customer”) and Codesift LLC, a Washington State limited liability company (“Processor” or “Codesift”). This DPA forms part of and is subject to the Codesift Terms of Service (the “Agreement”) and applies whenever the Processor processes Personal Data on behalf of the Controller.
By accepting the Terms of Service or using the Service in a manner that involves the processing of Personal Data, the Customer agrees to the terms of this DPA.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the Agreement or applicable Data Protection Law.
- “Controller” means the Customer who determines the purposes and means of processing Personal Data.
- “Data Protection Law” means all applicable laws and regulations relating to the processing of Personal Data, including without limitation the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and applicable US state privacy laws (including the CCPA).
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person contained within Customer Data submitted to the Service.
- “Processing” (and “process” and “processed”) has the meaning given to it in the GDPR.
- “Processor” means Codesift LLC, which processes Personal Data on behalf of the Controller.
- “Security Incident” means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on its behalf.
- “Supervisory Authority” means any competent data protection authority having jurisdiction over the Controller or Processor.
- “UK GDPR” means the retained EU law version of the GDPR as it forms part of UK law pursuant to the European Union (Withdrawal) Act 2018.
2. Scope and Roles
2.1 The Processor will process Personal Data only as described in Schedule 1 (Details of Processing) and only on behalf of, and in accordance with documented instructions from, the Controller.
2.2 The Controller warrants that it has a lawful basis under applicable Data Protection Law for any Personal Data contained within Customer Data submitted to the Service.
2.3 If the Processor believes that an instruction from the Controller infringes applicable Data Protection Law, the Processor will inform the Controller promptly. The Processor is not required to follow instructions it reasonably believes violate Data Protection Law.
3. Processor Obligations
3.1 Processing Instructions
The Processor will process Personal Data only on the documented instructions of the Controller (including the Agreement and this DPA), unless required to do so by EU or Member State law, UK law, or other applicable law, in which case the Processor will inform the Controller of that legal requirement before processing (unless prohibited by law).
3.2 Confidentiality
The Processor will ensure that persons authorized to process Personal Data are bound by appropriate obligations of confidentiality.
3.3 Security
The Processor will implement and maintain the technical and organizational security measures described in Schedule 2 (Security Measures), designed to protect Personal Data against Security Incidents and to ensure a level of security appropriate to the risk.
3.4 Sub-processors
3.4.1 The Controller grants general authorization for the Processor to engage the Sub-processors listed in Schedule 3 (Approved Sub-processors).
3.4.2 The Processor will notify the Controller at least 30 days before adding or replacing a Sub-processor by publishing an updated Schedule 3 at https://codesift.ai/dpa and sending an email notification to the Controller’s registered email address. The Controller may object to a new Sub-processor within 15 days of such notice on reasonable grounds relating to Data Protection Law. If the parties cannot resolve the objection, the Controller may terminate the Agreement with 30 days’ written notice.
3.4.3 The Processor will impose data protection obligations on Sub-processors that are substantially equivalent to those in this DPA.
3.5 Data Subject Rights
The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures to fulfill the Controller’s obligations to respond to Data Subject requests exercising rights under Chapter III of the GDPR (or equivalent provisions under applicable Data Protection Law). The Processor will promptly forward any Data Subject request it receives directly from a Data Subject to the Controller and will not respond to such requests directly except on the Controller’s documented instructions.
3.6 Data Protection Impact Assessments
The Processor will provide reasonable assistance to the Controller in relation to any data protection impact assessment (DPIA) or prior consultation with a Supervisory Authority required under applicable Data Protection Law.
3.7 Deletion and Return of Personal Data
Upon termination of the Agreement or upon written request by the Controller, the Processor will, at the Controller’s choice, delete or return all Personal Data and existing copies thereof, unless applicable law requires retention of the Personal Data. The Processor will confirm completion of deletion in writing within 30 days.
3.8 Audit Rights
The Processor will, upon reasonable prior written notice (minimum 30 days), make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits or inspections conducted by the Controller or an independent third-party auditor mandated by the Controller (subject to reasonable confidentiality obligations). The Controller may not exercise this right more than once per calendar year, unless required by a Supervisory Authority. Costs of audits are borne by the Controller unless the audit reveals material non-compliance, in which case reasonable costs will be borne by the Processor.
4. Security Incidents
4.1 The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed on the Controller’s behalf.
4.2 Such notification will include, to the extent then known: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) the likely consequences; and (e) measures taken or proposed to address the incident and mitigate its effects.
4.3 The Processor will cooperate with the Controller and provide further information as it becomes available to enable the Controller to meet its own notification obligations under applicable Data Protection Law.
5. International Transfers
5.1 Where the processing of Personal Data involves a transfer from the EEA, the UK, or Switzerland to a country not recognized as providing adequate protection under applicable Data Protection Law, such transfer will be governed by:
- The Standard Contractual Clauses (SCCs) adopted by the European Commission in Decision 2021/914 (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable), incorporated herein by reference and deemed executed upon acceptance of this DPA;
- For transfers from the UK, the UK International Data Transfer Agreement (IDTA) as incorporated into this DPA;
- For transfers from Switzerland, the relevant provisions of the FADP.
5.2 Where the SCCs apply, this DPA constitutes the instructions referred to in Clause 8 of the SCCs. The Processor shall cooperate with the Controller in completing any Appendices required by the SCCs.
5.3 The Processor will only transfer Personal Data to Sub-processors located outside the EEA, UK, or Switzerland on the basis of appropriate transfer mechanisms as required by applicable Data Protection Law.
6. Term
This DPA takes effect on the date the Customer accepts the Terms of Service and remains in force for the duration of the Agreement. The terms of this DPA that are necessary to give effect to the post-termination obligations of the parties (including Section 3.7) survive termination of the Agreement.
7. Governing Law
This DPA is governed by the laws of the State of Washington, United States, without regard to conflict of law principles, except to the extent that applicable Data Protection Law (including the GDPR or UK GDPR) requires otherwise.
8. Order of Precedence
In the event of a conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA will prevail. In the event of a conflict between this DPA and the SCCs, the SCCs will prevail.
Schedule 1: Details of Processing
Nature and Purpose of Processing
The Processor will process Personal Data as necessary to provide the Codesift service: ingesting Customer Data containing survey responses and other text submitted by the Controller, passing such data to AI inference services, generating coded Output categorizations, and returning those Outputs to the Controller. Processing occurs to fulfill the Agreement.
Categories of Data Subjects
Survey respondents, research participants, employees, customers, or other individuals whose responses are contained in Customer Data submitted by the Controller.
Categories of Personal Data
Any personal data contained within Customer Data, which may include: names, demographic information, opinions, preferences, workplace information, and other free-text responses. The specific categories are determined by the Controller.
Special Categories of Personal Data
The Controller must not submit special categories of personal data (as defined in Article 9 GDPR, including health, biometric, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation, or criminal records data) without prior written agreement with the Processor establishing appropriate safeguards.
Retention Period
Personal Data is retained until the Controller deletes it from the Service or the Agreement is terminated, whichever is earlier, subject to the deletion schedule in Section 3.7.
Schedule 2: Technical and Organizational Security Measures
Encryption
- All data in transit is protected by TLS 1.2 or higher;
- All data at rest is encrypted using AES-256 via AWS Key Management Service (KMS) with customer-managed or AWS-managed keys.
Access Controls
- Role-based access control (RBAC) enforces least-privilege access to production systems;
- Multi-factor authentication (MFA) is required for access to production infrastructure;
- Database and storage access is restricted to application service accounts with scoped permissions.
Infrastructure Security
- The Service is hosted on Amazon Web Services (AWS) within isolated VPC environments;
- Network perimeter controls include security groups and WAF rules;
- Automated vulnerability scanning of dependencies is performed on each deployment.
Operational Measures
- Audit logs are maintained for all access to production Personal Data;
- Security incident response procedures are documented and tested;
- Personnel with access to Personal Data undergo security awareness training.
Schedule 3: Approved Sub-processors
The following Sub-processors are authorized to process Personal Data on behalf of the Processor as of the Effective Date:
1. Amazon Web Services, Inc. (AWS)
- Purpose: Cloud hosting, compute, database storage, and infrastructure
- Processing Location: United States
- Safeguards: AWS GDPR DPA / SCCs
2. Anthropic, PBC
- Purpose: AI inference — processing Customer Data to generate coded Output
- Processing Location: United States (via AWS)
- Safeguards: Anthropic Data Processing Addendum / SCCs
3. Stripe, Inc.
- Purpose: Payment processing and billing
- Processing Location: United States
- Safeguards: Stripe Data Processing Addendum / SCCs