Data Processing Agreement

Last updated 4 June 2026

Overview

This DPA applies when you use ooda to process personal data — for example when the code you run or the sites you publish contain personal data about other people. It forms part of our Terms of Service and satisfies the written-contract requirement in Article 28 of the UK GDPR.

In it, "controller", "processor", "personal data", "processing", and "data subject" have the meanings given in the UK GDPR.

What we process

On your instructions, we store your code and content in cloud environments and object storage, build and serve your published sites, and index project metadata. When you use a coding agent, we route the prompts and code you direct to it to the AI model provider you have configured, using your own credentials.

That model provider is your own provider, engaged under your agreement with it — not our sub-processor. We don't read, analyse, or use the contents of your projects or sites for any purpose other than providing the service to you, and we don't use them to train models. The details are set out in Annex 1.

Roles and responsibilities

You are the controller and we are the processor. As controller, you're responsible for having a lawful basis for the personal data you process with ooda, for providing any required notices to data subjects, for not uploading special-category data without an appropriate assessment, and for your own agreement with any AI model provider you configure.

You instruct us to process personal data only as needed to provide the service, as described in this DPA and the Terms.

Our obligations

We will:

  • process personal data only on your documented instructions, unless required otherwise by law;
  • ensure people authorised to process the data are bound by confidentiality;
  • put in place appropriate technical and organisational security measures (see below);
  • engage sub-processors only as described here, and remain responsible for them;
  • assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach, and impact-assessment obligations;
  • notify you without undue delay, and within 72 hours of becoming aware, of a personal data breach affecting your data; and
  • delete or return personal data at the end of the service, as described below.

Security measures

We maintain the technical and organisational measures summarised in Annex 3 and described on our security page — including encryption in transit and at rest, environment isolation, access controls, encrypted secrets, and access gating on published sites.

Sub-processors

You authorise us to engage the sub-processors listed in Annex 2. If we add or replace a sub-processor, we'll give you at least 30 days' notice and you may object on reasonable data-protection grounds.

International transfers

Our database and object storage are configured for EU jurisdiction. Where personal data is transferred outside the UK to a country without a UK adequacy decision, we put in place appropriate safeguards — the UK's International Data Transfer Agreement, or the EU Standard Contractual Clauses together with the UK Addendum.

Data subject rights

You can access, correct, export, and delete personal data in your projects and sites directly through ooda. Where you need more help to respond to a data subject request, we'll provide reasonable assistance taking into account the nature of the processing.

Audits

On reasonable written request, and subject to confidentiality, we'll make available the information needed to demonstrate our compliance with this DPA, including responding to a reasonable security questionnaire no more than once a year.

Deletion and return

You can delete personal data at any time by deleting the relevant projects, sites, or your account. On termination, we delete personal data we process on your behalf within a reasonable period, unless we're required by law to keep it.

Liability and governing law

Liability under this DPA is subject to the limits in our Terms of Service. This DPA is governed by the laws of England and Wales.

Annexes

Annex 1 — Details of processing

Subject matter: providing the ooda service to you.

Duration: for as long as you use ooda, plus any short period needed to delete data.

Nature and purpose: hosting and running code, building and serving published sites, and AI-assisted development on your instructions.

Types of personal data: any personal data you choose to include in your code, content, projects, or published sites, plus the account data of your members.

Categories of data subject: determined by you — for example your team members and the people whose data appears in your projects or sites.

Annex 2 — Sub-processors

Cloudflare, Inc.

  • Service: Cloud hosting and compute (Workers and Containers), database (D1), object storage (R2), and edge/CDN delivery.
  • Location: Database and object storage configured for EU jurisdiction; global edge network.

Plunk

  • Service: Transactional email — login codes, team invitations, and password resets.
  • Location: European Union

Annex 3 — Security measures

  • Encryption in transit (TLS) and at rest for stored data and published sites.
  • Isolated environments — each project runs in its own container, separated at the infrastructure level.
  • Access controls and role-based authorisation enforced at the API layer.
  • Secrets and site passwords encrypted at rest.
  • Access gating on published sites (public, password, or team login), enforced at the edge.
  • Confidentiality obligations on personnel with access to systems.

Contact

Questions about this DPA, or to raise a data-protection matter, email [email protected].