Compliance

Data Processing Addendum

Last updated: May 2026 · v1.0

In plain language

A Data Processing Addendum (DPA) is the legal document that formalises Octopus's role as a data processor and your role as a data controller under GDPR / UK GDPR / CCPA. It complements (does not replace) our Terms of Service and Privacy Policy.

Our DPA incorporates the EU Standard Contractual Clauses (SCCs) for international transfers and references the sub-processors page as the canonical list of vendors with access to your data.

What it covers

  • Subject matter, duration, nature, and purpose of processing
  • The types of personal data processed (account identifiers, repository content references, audit metadata, and — for orgs that enable Live Activity — coarse presence and activity telemetry, never content)
  • Octopus's technical and organisational security measures (see Security Overview)
  • Sub-processor authorisation and notification of changes
  • International transfer safeguards (Standard Contractual Clauses)
  • Data subject rights handling (access, deletion, portability)
  • Personal data breach notification (within 72 hours of confirmation)
  • Data return / deletion at the end of the engagement

How to execute

Self-serve (most common): our standard DPA is incorporated by reference into our Terms of Service. Accepting the Terms accepts the DPA. No separate signature required.

PDF copy: download the DPA template (PDF). For a counter-signed copy for your records, email [email protected] with your company name, the legal entity that will sign, and the signatory's name and email. We will return a counter-signed PDF within 5 business days.

Custom DPA: we can review and counter-sign your standard DPA on a best-effort basis. Material redlines are reviewed by our counsel; turnaround is typically 10 business days. Some changes (e.g. removing the SCCs, accepting unlimited liability, agreeing to a jurisdiction other than England & Wales) we cannot make.

Sub-processor changes

Per the DPA, we will notify you of new sub-processors at least 30 days before granting them access, unless required for security or incident response. Notifications go via email to the org's billing email and as a CHANGELOG entry. You may object in writing within 14 days; we will work with you to find an alternative or, failing that, you may terminate the affected feature.

Self-hosted Octopus

When you self-host Octopus, no data leaves your infrastructure (unless you connect external integrations like a cloud LLM provider or Slack). In that arrangement Octopus is not your data processor — you operate the software yourself, like any self-hosted server. A DPA is not required for self-hosted unless you have an external integration that brings a third party into scope.

Questions

Legal questions: [email protected]. Security questions: [email protected].