Data Processing Agreement

How we process personal data on your behalf.

Last updated · April 2026

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TestForge, Inc. ("TestForge", "we", "us") and the customer ("you", "Controller") and governs the processing of personal data by TestForge on your behalf.

This DPA is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Controller means the entity that determines the purposes and means of processing personal data (you, the customer).
  • Processor means the entity that processes personal data on behalf of the Controller (TestForge).
  • Sub-Processor means a third party engaged by TestForge to process personal data on your behalf.
  • Data Subject means the individual whose personal data is being processed.

3. Scope of Processing

TestForge processes personal data solely to provide the services described in our Terms of Service. The categories of data we process include:

  • Account data: name, email address, authentication credentials.
  • Usage data: test run metadata, API usage logs, session information.
  • Repository data: source code accessed read-only via GitHub OAuth for test generation. Not stored permanently.
  • Billing data: processed by Stripe. TestForge does not store credit card numbers.

4. Our Obligations

As a data processor, TestForge commits to:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in responding to data subject requests.
  • Delete or return all personal data upon termination of services, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.

5. Sub-Processors

TestForge uses the following categories of sub-processors:

  • Cloud infrastructure: hosting, compute, and storage services.
  • Payment processing: Stripe for billing and subscription management.
  • AI services: Anthropic for test generation and fix proposals. Code is processed in-session and not retained for model training.
  • Email delivery: transactional email services for account notifications.

We will notify you of any changes to sub-processors and provide you the opportunity to object. A current list of sub-processors is available upon request.

6. International Data Transfers

TestForge primarily processes data in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Supplementary measures including encryption and access controls as described in our Security page.

7. Data Subject Rights

TestForge will assist you in fulfilling your obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. We provide self-service tools for account data export and deletion, and will cooperate with any additional requests within 30 days.

8. Security Measures

We implement technical and organizational measures appropriate to the risk, including those described on our Security and SOC 2 pages. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems.

9. Breach Notification

In the event of a personal data breach, TestForge will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

10. Request DPA

If your organization requires a signed Data Processing Agreement, please contact us. We can provide a countersigned DPA that incorporates the Standard Contractual Clauses and any additional terms required by your jurisdiction.

Contact us at legal@testforge.dev.