Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service or other written agreement governing Customer's access to and use of the Paragon platform (the “Agreement”) entered into between Polarity, Inc., a Delaware C Corporation (“Polarity”), and the customer who has accepted the Agreement (“Customer”). By accepting the Agreement, Customer automatically enters into this DPA. Terms not defined herein have the meanings given in the Agreement.
In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall govern.
1. Definitions
“Agreement” means the Terms of Service or other written agreement between Polarity and Customer governing access to the Services.
“Applicable Data Protection Law” means any applicable laws and regulations relating to the processing of Personal Data, including: (a) the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5; (b) Quebec's Act respecting the protection of personal information in the private sector (Law 25); (c) the California Consumer Privacy Act (CCPA), to the extent applicable; and (d) other applicable privacy laws in Customer's jurisdiction, in each case as amended or replaced from time to time.
“Customer Account Data” means personal data relating to Customer's relationship with Polarity, including names and contact information of individuals authorized to access Customer's account and billing information.
“Customer Usage Data” means service usage data collected by Polarity in connection with the Services, including activity logs and performance data.
“Personal Data” means any information about an identifiable individual that Polarity processes on behalf of Customer in the course of providing the Services.
“Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.
“Security Incident” means any confirmed unauthorized access to, or unlawful disclosure, alteration, or destruction of, Personal Data processed by Polarity on behalf of Customer.
“Services” means the Paragon platform and related services provided by Polarity under the Agreement, as described at docs.paragon.run.
“Sub-Processor” means any third party engaged by Polarity to process Personal Data on behalf of Customer in connection with the Services.
2. Relationship of the Parties
2.1 Polarity as Processor
With regard to the processing of Personal Data submitted by Customer to the Services, Polarity acts as a processor and Customer acts as a controller. The nature, purpose, and duration of processing, and the categories of Personal Data and data subjects, are described in Exhibit A.
2.2 Processing on Instructions
Polarity shall process Personal Data only on documented instructions from Customer, as set out in this DPA and the Agreement. Customer shall ensure its instructions comply with Applicable Data Protection Law and is solely responsible for the accuracy, quality, and lawfulness of Personal Data submitted to the Services.
2.3 Restrictions on Use
Polarity shall not process Personal Data for purposes other than providing the Services. Polarity shall not sell, rent, or otherwise commercialize Personal Data. Polarity shall not use Personal Data to train or improve any artificial intelligence or machine learning model, or for any purpose unrelated to the Services, except as explicitly authorized in writing by Customer.
2.4 Polarity as Independent Controller
With respect to Customer Account Data and Customer Usage Data, Polarity acts as an independent controller and processes such data to manage its relationship with Customer, conduct core business operations, prevent fraud, monitor security, and comply with legal obligations.
2.5 CCPA
To the extent the CCPA applies, Polarity is a “service provider” receiving personal information from Customer solely for the business purpose of providing the Services. Polarity shall not sell such personal information or retain, use, or disclose it outside of the service provider relationship. Polarity certifies that it understands these restrictions.
2.6 Data Return and Deletion
Upon termination of the Agreement, Polarity shall, at Customer's election, return or securely delete all Customer Personal Data within sixty (60) days and provide written confirmation upon request. Polarity may retain data to the extent required by applicable law, subject to the confidentiality and security obligations of this DPA.
3. Sub-Processors
3.1 Authorization
Customer provides general written authorization for Polarity to engage Sub-Processors in connection with the Services. The current list of authorized Sub-Processors is set out in Exhibit B and is maintained at polarity.so/subprocessors.
3.2 Changes to Sub-Processors
Polarity shall provide at least fifteen (15) days' advance written notice before enabling any new Sub-Processor to process Personal Data. Customer may object on reasonable data protection grounds within ten (10) days of receipt of such notice. If Polarity is unable to provide a commercially reasonable alternative within a reasonable period, Customer may discontinue the affected Services on written notice. Discontinuation shall not relieve Customer of fees owed under the Agreement. If Customer does not object within ten (10) days, the new Sub-Processor is deemed authorized.
3.3 Sub-Processor Obligations
Polarity shall impose data protection obligations on each Sub-Processor no less protective than those in this DPA and shall remain liable to Customer for Sub-Processor compliance to the same extent as if Polarity had performed the processing directly.
4. Security
4.1 Technical and Organizational Measures
Polarity implements and maintains appropriate technical and organizational security measures to protect Personal Data, taking into account the state of the art, the nature, scope, context, and purposes of processing, and applicable risks. These measures are described in Exhibit C.
4.2 Personnel
All Polarity personnel authorized to process Personal Data are subject to confidentiality obligations and data protection training.
5. Security Incidents
5.1 Notification
In the event of a Security Incident, Polarity shall notify Customer without undue delay and in any event within seventy-two (72) hours of confirming the incident. Notification shall include, to the extent then known:
- The nature of the Security Incident and categories of affected Personal Data;
- The approximate number of affected data subjects and records;
- The likely consequences; and
- Measures taken or proposed to address the incident.
Where full information is unavailable at initial notification, Polarity shall provide it in phases as it becomes available.
5.2 Cooperation
Polarity shall cooperate reasonably with Customer to investigate and remediate a Security Incident. Polarity shall not make any public statement or regulatory notification specifically identifying Customer without Customer's prior written consent, except as required by law.
5.3 No Admission
Notification of a Security Incident does not constitute an admission of fault or liability.
6. Data Subject Rights
Polarity shall promptly forward to Customer any data subject request it receives relating to Personal Data processed on behalf of Customer and shall not respond directly without Customer's authorization. To the extent technically feasible, Polarity shall provide self-service tools to assist Customer in responding to requests for access, correction, deletion, or portability. Customer is solely responsible for responding to data subject requests.
7. Audits and Compliance Assistance
7.1 Documentation
Upon written request, no more than once per calendar year, Polarity shall provide documentation demonstrating compliance with this DPA, including its most recent SOC 2 Type II report subject to confidentiality obligations. Current certifications are available at trust.polarity.so.
7.2 Audit
Customer may commission an audit of Polarity's processing activities with at least thirty (30) days' advance written notice, during business hours, at Customer's expense, subject to a confidentiality agreement acceptable to Polarity. Audits are limited to once per calendar year except following a confirmed Security Incident.
7.3 Compliance Assistance
Polarity shall provide reasonable cooperation to assist Customer in conducting data protection impact assessments or responding to regulatory inquiries under Applicable Data Protection Law. Customer is responsible for related costs.
8. Transfers of Personal Data
Customer acknowledges that Polarity and its Sub-Processors may process Personal Data in the United States and other jurisdictions outside Canada. By accepting the Agreement, Customer consents to such transfers. Polarity shall ensure appropriate safeguards are in place for cross-border transfers, including by requiring Sub-Processors to maintain appropriate security certifications such as SOC 2 Type II or ISO 27001 where applicable.
9. General
9.1 Conflict
This DPA governs in the event of conflict with the Agreement with respect to data protection matters. Claims under this DPA are subject to the limitations on liability in the Agreement.
9.2 Term and Survival
This DPA is coterminous with the Agreement. Sections 2.6 (Data Return and Deletion), 5 (Security Incidents) as to incidents occurring prior to termination, and 9.4 (Governing Law) survive termination.
9.3 Updates
Polarity may update this DPA from time to time to reflect changes in law or Polarity's practices. Material changes will be communicated in advance. The current version is always at polarity.so/dpa.
9.4 Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to conflict of laws principles, except where mandatory provisions of Applicable Data Protection Law apply. Disputes are resolved per the dispute resolution provisions of the Agreement.
9.5 Execution by Enterprise Customers
Most Customers enter into this DPA by accepting the Agreement. Enterprise Customers requiring a countersigned copy may contact support@polarity.so. Electronic signatures are valid and binding.

Exhibit A — Details of Processing

| Parameter | Description |
|---|---|
| Nature of Processing | Analysis of source code and repositories; generation of code review comments, test suites, and quality insights; platform operations including authentication, logging, and support. |
| Purpose of Processing | To provide the Services to Customer as described in the Agreement and at docs.paragon.run. |
| Duration | For as long as Customer uses the Services, and for such additional period as required by Applicable Data Protection Law. |
| Data Subjects | Customer's employees, contractors, and developers whose identifiers appear in code, commits, or repositories submitted to the Services. |
| Categories of Personal Data | Developer identifiers including names, GitHub usernames, and corporate email addresses; any personal information incidentally present in source code, commit messages, or configuration files submitted to the Services. |
| Sensitive Data | Not intentionally collected. Customer shall not submit sensitive personal data to the Services without a separate written agreement with Polarity. |
| Transfer Frequency | Continuously, as initiated by Customer during the course of the Agreement. |

Exhibit B — Authorized Sub-Processors

Current as of January 2026. An up-to-date list is maintained at polarity.so/subprocessors. Additions are notified per Section 3.2.

| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI language model inference (code review, test generation) | United States / Canada |
| Google LLC | AI language model inference; cloud infrastructure | United States / Canada |
| OpenAI, L.L.C. | AI language model inference | United States |
| DigitalOcean, LLC | Cloud infrastructure hosting | United States / Canada |
| Vercel, Inc. | Application delivery and frontend infrastructure | United States / Canada |
| Supabase, Inc. | Database and authentication services | United States / Canada |

Exhibit C — Technical and Organizational Security Measures

| Measure | Description |
|---|---|
| Encryption in Transit | All data outside Polarity's private network is encrypted using HTTPS/TLS 1.2 or higher. |
| Encryption at Rest | Customer data is encrypted at rest using AES-256 or equivalent. |
| Access Controls | Access to Personal Data is limited to authorized personnel on a need-to-know basis. Polarity enforces role-based access, strong passwords, and multi-factor authentication where available. |
| Data Isolation | Customer data is logically separated from other customers' data in Polarity's multi-tenant infrastructure. |
| Vulnerability Management | Polarity conducts regular vulnerability assessments and monitors infrastructure for security events. |
| Incident Response | Polarity maintains a documented incident response procedure. Security Incidents are investigated and reported per Section 5. |
| Personnel Security | Personnel with access to Personal Data are required to sign confidentiality agreements and complete data protection training. Background checks are conducted per applicable law. |
| Sub-Processor Oversight | Polarity reviews Sub-Processor security assessments annually and requires equivalent data protection measures. |
| SOC 2 Type II | Polarity maintains a SOC 2 Type II attestation available upon written request under confidentiality obligations. See trust.polarity.so. |
| Backup and Recovery | Customer data is backed up regularly with tested restore capabilities. |
| Physical Security | Polarity does not operate physical servers. Infrastructure is hosted by Sub-Processors listed in Exhibit B, each operating access-controlled data center facilities. |
| Data Minimization | Personal Data is collected and retained only as necessary to provide the Services and meet legal obligations. |

End of Agreement · polarity.so/dpa · Last Updated January 2026