Data Processing Addendum
Last updated: May 2026 · v1.0
In plain language
A Data Processing Addendum (DPA) is the legal document that formalises Octopus's role as a data processor and your role as a data controller under GDPR / UK GDPR / CCPA. It complements (does not replace) our Terms of Service and Privacy Policy.
Our DPA incorporates the EU Standard Contractual Clauses (SCCs) for international transfers and references the sub-processors page as the canonical list of vendors with access to your data.
What it covers
- Subject matter, duration, nature, and purpose of processing
- The types of personal data processed (account identifiers, repository content references, audit metadata, and — for orgs that enable Live Activity — coarse presence and activity telemetry, never content)
- Octopus's technical and organisational security measures (see Security Overview)
- Sub-processor authorisation and notification of changes
- International transfer safeguards (Standard Contractual Clauses)
- Data subject rights handling (access, deletion, portability)
- Personal data breach notification (within 72 hours of confirmation)
- Data return / deletion at the end of the engagement
How to execute
Self-serve (most common): our standard DPA is incorporated by reference into our Terms of Service. Accepting the Terms accepts the DPA. No separate signature is required.
PDF copy: download the DPA template (PDF). For a counter-signed copy for your records, email [email protected] with your company name, the legal entity that will sign, and the signatory's name and email. We will return a counter-signed PDF within 5 business days.
Custom DPA: we can review and counter-sign your standard DPA on a best-effort basis. Material redlines are reviewed by our counsel; turnaround is typically 10 business days. Some changes (e.g. removing the SCCs, accepting unlimited liability, agreeing to a jurisdiction other than England & Wales) we cannot make.
Sub-processor changes
Per the DPA, we will notify you of new sub-processors at least 30 days before granting them access, unless required for security or incident response. Notifications go via email to the org's billing email and as a CHANGELOG entry. You may object in writing within 14 days; we will work with you to find an alternative or, failing that, you may terminate the affected feature.
Self-hosted Octopus
When you self-host Octopus, no data leaves your infrastructure (unless you connect external integrations like a cloud LLM provider or Slack). In that arrangement Octopus is not your data processor — you operate the software yourself, like any self-hosted server. A DPA is not required for self-hosted deployments unless you have an external integration that brings a third party into scope.
Questions
Legal questions: [email protected]. Security questions: [email protected].