Data Processing Addendum
Summary — full counsel-reviewed DPA before paid launch (G2).
Scope of this DPA
This DPA applies only to InSitue Cloud — the SaaS autopilot where end-user reports flow through our infrastructure to a verified draft PR. The local dev tool is out of scope: it runs entirely on the developer's machine, ships nothing to InSitue, and uses the developer's own Anthropic plan via their claude CLI. Sub-processors listed below do not process data from the dev tool.
Sub-processors
The current list — vendor, purpose, data processed, region, and a link to each vendor's privacy policy — is maintained at /sub-processors. That page is the canonical record and updates before any new sub-processor begins processing customer data.
Customer source residency
Customer code is cloned per-run into an ephemeral Vercel Sandbox microVM in the customer's tenant boundary. The microVM is destroyed at the end of every run; nothing about the source is persisted beyond the PR push (which lands on the customer's GitHub, not ours).
Captured-report residency
Capture bundles, agent transcripts, and verify logs are stored in managed Postgres (Neon, region aws-ap-southeast-2, Sydney). Secret scrubbing happens at ingest (see Privacy); point-in-time recovery is enabled.
Data transfers
The model provider (Anthropic) may process inference requests across regions depending on capacity. The capture-bundle context we ship into prompts is the same content stored in our database: text fields are token-scrubbed before persistence (see Privacy); screenshots and DOM are passed through as captured. No customer end-user PII is shipped to the model except whatever the end-user typed into their own report note.
Pre-counsel disclaimer
This page summarises the data-processing posture. Full counsel-reviewed DPA with executable signature flow lands before paid launch. Need a redlined DPA today? Email support@insitue.com.