Data Processing Agreement
Effective date: 5 March 2026 · Version 1.0
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (the “Agreement”) between Obvyr Pty Ltd (“Obvyr”, “we”, “us”, or “our”), an Australian proprietary limited company, and the entity or individual accessing the Obvyr service (“Customer”, “you”, or “Controller”).
This DPA applies where and to the extent that Obvyr processes Personal Data on behalf of the Customer in connection with the provision of the Obvyr test execution tracking service (the “Service”).
By using the Service, the Customer agrees to the terms of this DPA. Where this DPA conflicts with the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
In this DPA, the following terms shall have the meanings set out below:
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data. The Customer acts as the Controller.
- “Processor” means the entity that processes Personal Data on behalf of the Controller. Obvyr acts as the Processor.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, analysis, and presentation.
- “Data Subject” means the individual to whom Personal Data relates.
- “Sub-Processor” means any third party engaged by Obvyr to process Personal Data.
- “Applicable Data Protection Law” means all applicable privacy and data protection legislation, including the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation 2016/679 (GDPR), and the UK GDPR, as applicable to the parties.
- “EU SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914.
2. Subject Matter and Nature of Processing
Obvyr processes Personal Data for the purpose of providing the Service, which comprises test execution tracking and analytics. The nature of the processing includes:
- Collection of test execution observations submitted by the Customer via the Obvyr CLI or API
- Storage of test execution metadata and associated identifiers
- Analysis and aggregation of test execution results
- Presentation of test execution data through the Obvyr dashboard
The duration of processing corresponds to the term of the Agreement, subject to the retention periods set out in Section 8 below.
3. Categories of Data Subjects
The Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Developers and engineers who execute tests and whose identifiers appear in test execution logs
- Administrators who manage the Customer’s Obvyr account
- System users whose usernames, email addresses, or other identifiers are referenced in test execution metadata
4. Types of Personal Data
The following categories of Personal Data may be processed in connection with the Service:
- Usernames and display names associated with test execution records
- Email addresses used for account registration and administration
- Test execution metadata, including test identifiers, timestamps, duration, pass/fail status, and branch or commit references
- Authentication tokens and session identifiers used to access the Service
- IP addresses and user agent strings collected in connection with access to the Service
The Customer is responsible for ensuring that the Personal Data submitted to the Service is limited to what is necessary for the purpose of test execution tracking.
5. Obligations of Obvyr as Processor
Obvyr shall:
- Process Personal Data only on documented instructions from the Customer, including for transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organisational security measures as set out in Section 6 below
- Not engage Sub-Processors without prior written authorisation from the Customer, or general authorisation in accordance with Section 7 below
- Assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law
- Assist the Customer in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At the Customer’s election, delete or return all Personal Data upon termination of the Agreement, subject to Section 12 below
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA
6. Security Measures
Obvyr has implemented and maintains the following technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage:
Encryption
- All Personal Data is encrypted at rest using AWS DynamoDB and S3 server-side encryption
- All data in transit is encrypted using TLS 1.2 or higher
Access Controls
- Multi-tenant account isolation: each Customer’s data is partitioned by account identifier at the data layer
- Authentication via AWS Cognito with JWT token validation on all API endpoints
- Role-based access controls using AWS IAM with least-privilege principles
- CLI agent tokens with configurable scopes and a maximum validity period
Monitoring and Logging
- Centralised logging and monitoring via AWS CloudWatch
- Alerting on anomalous access patterns
Infrastructure
- All infrastructure hosted on AWS with services operated in accordance with AWS’s security standards
- Container workloads run on AWS ECS with network isolation
7. Sub-Processors
The Customer provides general authorisation for Obvyr to engage the Sub-Processors listed below. Obvyr shall notify the Customer of any intended addition or replacement of Sub-Processors by updating this DPA, giving the Customer reasonable opportunity to object.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: DynamoDB (data storage), S3 (object storage), Cognito (authentication), ECS (container compute), ElastiCache (caching), CloudWatch (monitoring), Lambda (serverless compute), EventBridge (event routing) | USA (us-east-1) |
| Stripe | Payment processing and subscription management | USA |
| Resend | Transactional email delivery | USA |
Obvyr shall ensure that Sub-Processors are bound by data protection obligations no less protective than those in this DPA.
8. Data Retention
Obvyr retains Personal Data for the following periods:
- Test execution observations: 180 days from the date of collection, after which they are automatically deleted
- Account and subscription data: retained for the duration of the Customer’s active subscription
- Post-termination: all Customer data is deleted within 30 days of the termination or expiry of the Agreement, subject to any legal obligation to retain data for a longer period
The Customer may request earlier deletion of Personal Data in accordance with Section 9 below.
9. Data Subject Rights
Obvyr shall, to the extent technically feasible, assist the Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including the rights of:
- Access: the right to obtain confirmation of whether Personal Data is being processed and to receive a copy of that data
- Rectification: the right to have inaccurate Personal Data corrected
- Erasure: the right to request deletion of Personal Data
- Portability: the right to receive Personal Data in a structured, commonly used, and machine-readable format
- Restriction: the right to request that processing be restricted in certain circumstances
- Objection: the right to object to processing in certain circumstances
Requests relating to Data Subject rights should be directed to Obvyr at privacy@obvyr.com. Obvyr will respond within a reasonable timeframe and in any event within the period required by Applicable Data Protection Law.
10. Data Breach Notification
In the event of a Personal Data breach affecting Customer data, Obvyr shall notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
The notification shall include, to the extent known at the time:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the data protection contact at Obvyr
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
Breach notifications will be sent to the Customer’s registered email address. The Customer is responsible for making any required notifications to supervisory authorities or Data Subjects.
11. International Data Transfers
Personal Data processed under this DPA may be transferred to and stored in the United States (AWS us-east-1 region). Obvyr is an Australian entity.
For transfers of Personal Data from the European Economic Area (EEA) or the United Kingdom to countries that do not provide an adequate level of data protection, Obvyr relies on the European Commission’s Standard Contractual Clauses (EU SCCs) as the appropriate transfer mechanism.
The EU SCCs (Module Two: Controller to Processor) as adopted by European Commission Decision 2021/914 are hereby incorporated by reference into this DPA. The full text of the EU SCCs is available at the European Commission website. Customers requiring a signed copy should contact privacy@obvyr.com.
For transfers from the United Kingdom, the UK International Data Transfer Addendum (UK IDTA) to the EU SCCs applies as a supplement to the EU SCCs.
12. Return or Deletion of Data
Upon termination or expiry of the Agreement, Obvyr shall, at the Customer’s election and within 30 days of written request:
- Delete all Personal Data processed on the Customer’s behalf, and certify to the Customer that such deletion has been completed; or
- Return all Personal Data to the Customer in a structured, commonly used format, and thereafter delete all copies
Notwithstanding the above, Obvyr may retain Personal Data to the extent required by Applicable Data Protection Law or other applicable law, for the minimum period required by such law.
If no election is made within 30 days of termination, Obvyr shall delete all Customer Personal Data.
13. Audit Rights
Obvyr shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor.
Audits shall be conducted no more than once per calendar year unless required by a supervisory authority, and subject to the Customer providing at least 30 days’ prior written notice. Audits shall be conducted during normal business hours and in a manner that minimises disruption to Obvyr’s operations.
The Customer shall bear the costs of any audit unless the audit reveals a material breach of this DPA by Obvyr.
14. Governing Law
This DPA is governed by the laws of the State of New South Wales, Australia. This does not limit the application of Applicable Data Protection Law where required.
15. Contact
For questions regarding this DPA or data protection matters, please contact Obvyr at:
- Email: privacy@obvyr.com
- Address: Obvyr Pty Ltd, Australia