Data Processing Agreement

Effective: April 20, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Yes! Did It ("we", "us", the "Processor") and the individual or entity using the Service ("Customer", the "Controller") and governs the processing of Personal Data by us on your behalf in the course of providing the yesdidit.com website, the ydi CLI, and the Yes! Did It MCP server (collectively, the "Service"). It is designed to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection laws.

1. Definitions

Terms such as "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings given in the GDPR. In this DPA, "Applicable Data Protection Laws" means the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other data protection or privacy law applicable to our processing of Personal Data on your behalf.

2. Scope & Roles

For Personal Data processed in connection with the Service, the Customer is the Controller and Yes! Did It is the Processor. We process Personal Data solely on the Customer's documented instructions, which are set out in the Terms of Service, the Privacy Policy, this DPA, and Customer's configuration of the Service. We will promptly notify the Customer if, in our opinion, an instruction infringes Applicable Data Protection Laws.

3. Subject Matter, Duration, Nature & Purpose

  • Subject matter: the provision of the Service.
  • Duration: for the term of the Customer's use of the Service, plus any retention period described in the Privacy Policy.
  • Nature & purpose: storing, retrieving, filtering, and synchronising to-do items across the Customer's CLI, web, and MCP clients; authenticating the Customer via OAuth; and providing related account, security, and abuse-prevention functions.

4. Types of Personal Data & Categories of Data Subjects

The categories of Personal Data processed are those described in §1 of the Privacy Policy and include:

  • Account data — email address, display name, avatar URL.
  • Content data — to-do items, tags, due dates, status, timestamps, and any free-text the Customer enters.
  • Git context metadata — branch names, short commit SHAs, repository and owner names, file paths associated with todos (when enabled).
  • Credential data — SHA-256 hashes of API keys and OAuth refresh tokens.
  • Technical data — IP address, user agent, and request metadata collected in server logs.

Categories of Data Subjects are the Customer, the Customer's authorised users, and any individuals whose Personal Data the Customer chooses to include in to-do content. The Customer is solely responsible for the lawfulness of any Personal Data it chooses to store in to-do content.

5. Controller Obligations

The Customer warrants that it has a lawful basis for the processing it instructs us to perform, that it has provided all notices and obtained all consents required under Applicable Data Protection Laws, and that its instructions comply with those laws.

6. Processor Obligations

We will:

  • Process Personal Data only on documented Controller instructions, including for international transfers, unless required to do so by law (in which case we will inform the Controller before processing, unless that law prohibits such notice on important grounds of public interest).
  • Ensure that persons authorised to process Personal Data are bound by a duty of confidentiality.
  • Implement the technical and organisational security measures set out in Annex A.
  • Respect the conditions in §9 for engaging Sub-processors.
  • Assist the Controller, taking into account the nature of the processing and insofar as possible, by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to Data Subject requests.
  • Assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation) taking into account the nature of the processing and the information available to us.
  • At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in §15.

7. Confidentiality

We will treat Personal Data as confidential and will not disclose it except as required to provide the Service, as permitted by this DPA, or as required by law.

8. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Annex A.

9. Sub-processors

The Customer provides general written authorisation for us to engage the Sub-processors listed in Annex B. We will impose on each Sub-processor data protection obligations that are no less protective than those in this DPA. We remain liable to the Controller for the performance of each Sub-processor's obligations. We will give the Customer at least 30 days' notice before adding or replacing a Sub-processor by updating this DPA and emailing subscribed Customers. The Customer may object on reasonable data protection grounds by contacting privacy@yesdidit.com before the change takes effect; in that case we will work in good faith to resolve the objection, and failing that the Customer may terminate the affected portion of the Service.

10. International Transfers

Personal Data may be transferred to and processed in countries other than the country in which it was collected, including the United States. Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, the transfer is made under the European Commission's Standard Contractual Clauses (2021/914, Module 2 or 3 as applicable), the UK IDTA or Addendum, or an equivalent transfer mechanism required by Applicable Data Protection Laws. The Controller authorises us and our Sub-processors to rely on such mechanisms.

11. Data Subject Rights

We will, where reasonably practicable, assist the Controller by appropriate technical and organisational measures to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making). The Customer can exercise most of these rights directly through the API, CLI, and web dashboard. For requests we cannot fulfil through self-service, email privacy@yesdidit.com.

12. Personal Data Breach

We will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. Our notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate it.

13. Data Protection Impact Assessments

We will provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to us.

14. Deletion & Return of Data

On termination or expiry of the Customer's use of the Service, and at the Customer's choice, we will either delete or return the Controller's Personal Data in our possession and delete existing copies, unless Applicable Data Protection Laws require continued storage. The Customer may at any time delete individual todos, API keys, OAuth sessions, or its entire account, in which case the corresponding Personal Data is removed from active systems; residual copies in backups are overwritten in accordance with our backup rotation. Server logs are retained for up to 90 days as described in the Privacy Policy.

15. Audits

We will make available to the Controller, on reasonable written request and no more than once per calendar year, information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable security and privacy questionnaires. The Controller may conduct an on-site audit only where required by a supervisory authority or where there is documented reasonable cause to believe that we are not complying with this DPA, subject to reasonable advance written notice, confidentiality obligations, and reimbursement of reasonable costs incurred by us.

16. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA excludes or limits liability to the extent such exclusion or limitation is prohibited by Applicable Data Protection Laws.

17. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service or the Privacy Policy regarding the processing of Personal Data on the Controller's behalf, this DPA controls.

18. Governing Law

This DPA is governed by the law specified in the Terms of Service, provided that where Applicable Data Protection Laws require a specific governing law or forum (for example, for claims brought by Data Subjects), that law or forum applies to the extent required.

19. Changes

We may update this DPA from time to time. Material changes will be posted on this page with an updated effective date; changes affecting Sub-processors are also notified as described in §9. Continued use of the Service after a change takes effect constitutes acceptance.

20. Contact

Questions about this DPA, or requests to countersign a signed copy for your records, should be sent to privacy@yesdidit.com.

Annex A — Technical & Organisational Security Measures

  • Encryption in transit — HTTPS/TLS is enforced for all client connections and all internal service-to-service calls.
  • Encryption at rest — Personal Data stored in our managed PostgreSQL database (Supabase) is encrypted at rest by the hosting provider.
  • Authentication — OAuth 2.0 via GitHub and Google; no user passwords are stored. Application JWTs are short-lived (1 hour) and refresh tokens are SHA-256 hashed and rotated on use.
  • API keys — stored only as SHA-256 hashes with a non-sensitive display prefix; full keys are shown once at creation.
  • Access control — application-level authorisation ensures users can only access their own data; a separate administrative role is required for support operations and is limited to named individuals.
  • Network & headers — strict security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) on all responses.
  • Rate limiting & abuse prevention — per-IP and per-credential rate limits on authentication and API endpoints.
  • Logging & monitoring — structured request and security-event logs; logs are retained for up to 90 days and do not contain full API keys, OAuth refresh tokens, or the content of AI conversations.
  • Patch management — dependencies are tracked and updated on a regular cadence; security advisories from our providers are monitored.
  • Backups — managed database backups with point-in-time recovery are provided by Supabase; backup rotation is aligned with the provider's published policy.
  • Personnel — individuals with access to production systems are subject to confidentiality obligations and use multi-factor authentication.
  • Vulnerability reporting — we operate a coordinated disclosure channel via GitHub Security Advisories, as described in the Privacy Policy.

Annex B — Sub-processors

The following Sub-processors process Personal Data on our behalf:

  • Supabase, Inc. — authentication and managed PostgreSQL database hosting.
    Data processed: account data, content data, git context metadata, credential hashes.
    Location: United States.
    Privacy policy · Supabase DPA
  • Vercel Inc. — application hosting, edge delivery, and request logging.
    Data processed: technical data (IP, user agent, request metadata), transient request/response bodies.
    Location: United States (global edge network).
    Privacy policy · Vercel DPA
  • GitHub, Inc. / Google LLC — OAuth identity providers for user sign-in.
    Data processed: OAuth profile information (email, name, avatar) during sign-in.
    Location: United States.

This list reflects the Sub-processors engaged as of the effective date above. Updates are made in accordance with §9.