Data Processing Agreement
Last updated: June 2026
1. Definitions
- Data Controller means the entity that determines the purposes and means of processing Personal Data. Under this agreement, the Customer is the Data Controller.
- Data Processor means the entity that processes Personal Data on behalf of the Data Controller. Ship Safe (operated by SafeShip, Inc.) acts as the Data Processor.
- Personal Data means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and account identifiers.
- Processing means any operation performed on Personal Data, whether automated or manual, including collection, storage, use, disclosure, and deletion.
- Sub-processor means any third party engaged by Ship Safe to process Personal Data on behalf of the Customer.
2. Scope and Purpose
This Data Processing Agreement ("DPA") applies to all Personal Data processed by Ship Safe on behalf of the Customer in connection with the provision of the Ship Safe security audit service. Ship Safe processes data solely for the purpose of performing security scans, generating findings reports, and facilitating automated code fixes as directed by the Customer.
3. Data Processing Details
Categories of Data Processed
- Account information: name, email address, GitHub username, profile image
- Repository metadata: repository names, branch information, commit hashes
- Scan results: security findings, severity ratings, file paths, code snippets referenced in findings
- Usage data: scan timestamps, subscription tier, API key usage
Retention Period
Personal Data is retained for the duration of the Customer's active subscription plus 30 days, unless a shorter retention period is configured via the organization's data retention settings. Source code is never retained beyond the scan window. Customers may request deletion at any time.
Processing Location
Data is processed and stored within the United States. Scan infrastructure runs on Railway. Database and object storage are provisioned in the US region.
4. Security Measures
Ship Safe implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption at rest using AES-256-GCM for sensitive credentials (GitHub tokens, webhook URLs)
- Encryption in transit using TLS 1.2 or higher for all connections
- Isolated scan environments with 500 MB size caps and 5-minute timeouts
- Role-based access control with organization-level permission management
- Append-only audit logging for all security-relevant actions
- Automated deletion of cloned source code immediately after scan completion
5. Sub-processors
Ship Safe engages the following sub-processors to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting and scan infrastructure | United States |
| Cloudflare (R2) | PDF report storage | United States |
| Stripe | Payment processing | United States |
| Anthropic | AI-powered code fix generation | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and performance tracking | United States |
Ship Safe will notify the Customer of any intended changes to sub-processors at least 30 days in advance. The Customer may object to any new sub-processor within that period.
6. Data Subject Rights
Ship Safe will assist the Customer in fulfilling data subject requests under applicable data protection laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Customers may initiate data subject requests via the account settings page or by contacting privacy@shipsafe.dev. Ship Safe will respond to all valid requests within 30 days.
7. Data Breach Notification
In the event of a Personal Data breach, Ship Safe will notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:
- The nature of the breach, including categories of data affected
- Approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
8. Contact Information
For questions or concerns regarding this DPA or data processing practices, please contact:
SafeShip, Inc. — Privacy Team
Email: privacy@shipsafe.dev
Web: https://shipsafe.dev/trust