Data Processing Agreement (DPA)

Last updated: October 21, 2025
Effective date: October 21, 2025

GDPR Article 28 Compliance

This Data Processing Agreement complies with Article 28 of the EU General Data Protection Regulation (GDPR) and the Bulgarian Personal Data Protection Act (PDPA).

1. Parties

1.1 Data Controller

You ("Customer", "Data Controller") - The entity that has signed up for and uses the Bugzy AI service.

1.2 Data Processor

Cloud Automation Solutions ("Bugzy AI", "Data Processor", "we", "us")
Registration Number (EIK): 203094836
Address: Bulgaria, Sofia, 1797, 131-VA str. 1B
Email: privacy@bugzy.ai

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion
  • Data Subject: An identified or identifiable natural person whose Personal Data is processed
  • Sub-processor: Any third party engaged by the Data Processor to process Personal Data
  • GDPR: EU General Data Protection Regulation (EU) 2016/679
  • PDPA: Bulgarian Personal Data Protection Act

3. Scope and Purpose

3.1 Subject Matter

This DPA governs the processing of Personal Data by Bugzy AI on behalf of the Customer in connection with the provision of our autonomous QA testing services.

3.2 Nature and Purpose of Processing

Bugzy AI processes Personal Data for the following purposes:

  • Reading and analyzing Customer's documentation, issue tracking systems, and communication platforms
  • Generating AI-powered test plans and test cases
  • Executing automated tests on Customer's applications
  • Storing and displaying test results, screenshots, and execution logs
  • Providing integration with third-party tools (GitHub, Slack, etc.)

3.3 Duration of Processing

Processing will continue for the duration of the Customer's use of the Service, plus the retention periods specified in our Privacy Policy (30 days post-deletion, 90 days for backups).

4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

  • Customer account information (email, name)
  • User-generated content in documentation and issue trackers (may contain names, emails)
  • Team member information (names, emails, roles)
  • Test execution metadata (IP addresses, browser information)
  • Integration credentials (encrypted)

4.2 Categories of Data Subjects

  • Customer's employees and contractors
  • Customer's customers (if their data appears in documentation or test scenarios)
  • Third parties mentioned in Customer's systems

5. Data Processor Obligations

5.1 Processing Instructions

Bugzy AI shall process Personal Data only on documented instructions from the Customer, unless required by EU or Member State law. If we believe an instruction infringes GDPR or PDPA, we will immediately inform the Customer.

5.2 Confidentiality

All personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training on data protection.

5.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.3+) and at rest
  • Role-based access control (RBAC)
  • Regular security testing and audits
  • Secure authentication (OAuth 2.0, MFA support)
  • Infrastructure isolation per customer
  • 24/7 security monitoring and logging
  • Regular security patches and updates

5.4 Data Breach Notification

In the event of a personal data breach, Bugzy AI will:

  • Notify the Customer within 24 hours of becoming aware of the breach
  • Provide all relevant information about the breach
  • Cooperate with the Customer to investigate and remedy the breach
  • Implement measures to prevent future breaches

5.5 Assistance with GDPR Compliance

Bugzy AI will assist the Customer in:

  • Responding to Data Subject requests (access, rectification, erasure, etc.)
  • Conducting Data Protection Impact Assessments (DPIAs) when required
  • Prior consultations with supervisory authorities
  • Ensuring security of processing

6. Sub-processors

6.1 Authorized Sub-processors

The Customer grants Bugzy AI general authorization to engage the following sub-processors:

Sub-processor | Service | Location
Vercel Inc. | Web hosting, edge computing, analytics | EU Region
Supabase Inc. | Database, authentication | EU Region
Google Cloud Platform | File storage, compute infrastructure | EU Region

6.2 Sub-processor Changes

Bugzy AI will inform the Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. The Customer may object to such changes on reasonable data protection grounds.

6.3 Sub-processor Obligations

All sub-processors are bound by written contracts imposing data protection obligations equivalent to those in this DPA.

7. Data Subject Rights

Bugzy AI will, to the extent legally permitted, promptly notify the Customer if we receive a request from a Data Subject to exercise their rights under GDPR. We will not respond to such requests directly without the Customer's prior authorization.

We will provide reasonable assistance to enable the Customer to respond to Data Subject requests within the required timeframes.

8. Data Transfers

All Personal Data is processed and stored exclusively within the European Union. Bugzy AI does not transfer Personal Data outside the EEA.

If future circumstances require international data transfers, Bugzy AI will:

  • Notify the Customer in advance
  • Implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions)
  • Obtain Customer's explicit consent if required

9. Data Retention and Deletion

9.1 Retention Period

Personal Data will be retained as specified in our Privacy Policy:

  • Active account data: Duration of service use
  • Deleted account data: 30 days (recovery period)
  • Backup data: Maximum 90 days
  • Execution logs: 90 days

9.2 Data Deletion Upon Termination

Upon termination of services, Bugzy AI will:

  • Provide the Customer with a 30-day grace period to export data
  • Delete or return all Personal Data after 30 days (at Customer's choice)
  • Delete existing copies, except where storage is required by law
  • Provide written certification of deletion upon request

10. Audit Rights

The Customer has the right to audit Bugzy AI's compliance with this DPA. Audits may be conducted:

  • Upon reasonable advance notice (at least 30 days)
  • No more than once per year, unless required by supervisory authorities
  • During regular business hours
  • At Customer's expense

Bugzy AI will cooperate with audits and provide all necessary information and access to demonstrate compliance.

11. Liability and Indemnification

11.1 Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

11.2 Indemnification

Bugzy AI will indemnify the Customer against claims arising from Bugzy AI's breach of this DPA, to the extent permitted by law.

12. Term and Termination

This DPA will remain in effect for as long as Bugzy AI processes Personal Data on behalf of the Customer. The DPA will automatically terminate when all Personal Data has been deleted or returned.

13. Governing Law

This DPA is governed by the laws of the Republic of Bulgaria and the EU General Data Protection Regulation (GDPR).

14. Contact Information

For questions about this DPA or data processing practices:

Data Protection Officer:
Email: privacy@bugzy.ai
Address: Bulgaria, Sofia, 1797, 131-VA str. 1B

15. Acceptance

By using the Bugzy AI service, the Customer accepts and agrees to be bound by this Data Processing Agreement. The Customer acknowledges that they have read, understood, and agree to comply with their obligations as a Data Controller under GDPR and PDPA.