Data Processing Addendum (DPA)
Effective date: January 10, 2026
Last updated: January 10, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the customer entity that enters into the Agreement ("Customer") and SHAZAM Analytics Limited ("SHAZAM Analytics", "Supplier", "Processor") governing Customer's use of SHAZAM Analytics products and services, including services branded as "Qualimetry" and/or "SHAZAM" (the "Services").
This DPA applies where SHAZAM Analytics processes Personal Data on behalf of Customer as a Processor (or, where applicable under US privacy laws, as a Service Provider) in connection with the Services. Customer is the Controller (or Business) of such Personal Data, unless otherwise agreed in writing.
1. Definitions
Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the UK GDPR and EU GDPR (as applicable). "UK GDPR" means the GDPR as incorporated into UK law.
"Agreement" means the written contract between the parties governing the Services, including, as applicable, SHAZAM Analytics' Terms and Conditions of Sale and/or a Master Services Agreement ("MSA") executed between the parties.
"SHAZAM Analytics" means SHAZAM Analytics Limited. "Qualimetry" and "SHAZAM" are product and service names used by SHAZAM Analytics. References to the "Services" include any service, platform, application, API, website, tool, or feature provided by SHAZAM Analytics that is branded as Qualimetry and/or SHAZAM.
"Customer Data" means data provided by or on behalf of Customer to the Services, including source code and associated files. "Subprocessor" means any Processor engaged by SHAZAM Analytics to assist in providing the Services.
2. Scope and Roles
Customer determines the purposes and means of Processing Personal Data within Customer Data. SHAZAM Analytics processes Personal Data within Customer Data only on documented instructions from Customer and as necessary to provide, secure, and support the Services, unless required by applicable law.
Where SHAZAM Analytics processes personal data as a Controller (for example, website analytics, sales contacts, billing, and account administration), that processing is governed by SHAZAM Analytics' Privacy Policy rather than this DPA.
3. Processing Details
The subject matter, duration, nature, and purpose of Processing, types of Personal Data, and categories of Data Subjects are described in Annex 1 (Description of Processing). Customer may update Processing details through configuration and use of the Services.
4. Customer Instructions
SHAZAM Analytics will process Personal Data only in accordance with Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services. Customer instructs SHAZAM Analytics to process Personal Data to provide the Services, including to ingest, host, and analyse Customer Data for code quality, security, compliance, and related reporting as configured by Customer.
If SHAZAM Analytics believes an instruction infringes applicable law, SHAZAM Analytics will inform Customer (unless prohibited by law).
5. Confidentiality
SHAZAM Analytics ensures that persons authorised to process Personal Data are bound by confidentiality obligations. Access to Customer Data is limited to authorised personnel who require access to provide and support the Services and is governed by least privilege.
6. Security Measures
SHAZAM Analytics implements appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. A high-level description of security measures is provided in Annex 2 (Security Measures).
Customer is responsible for securely configuring the Services, managing user access, and ensuring Customer Data does not include unnecessary Personal Data or secrets.
7. Subprocessors
At the Effective date of this DPA, SHAZAM Analytics does not use Subprocessors to process Personal Data within Customer Data for provision of the Services.
Customer authorises SHAZAM Analytics to engage Subprocessors in the future to assist in providing the Services. If SHAZAM Analytics engages a Subprocessor to process Personal Data within Customer Data, SHAZAM Analytics will impose data protection obligations on that Subprocessor that are no less protective than those in this DPA for the relevant Processing.
SHAZAM Analytics will provide notice of material changes to Subprocessors via the customer contractual notice mechanism set out in the Agreement. Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within 15 days of notice. If the parties cannot resolve the objection, the outcome will be as set out in the Agreement.
8. International Transfers
To the extent SHAZAM Analytics transfers Personal Data protected by UK GDPR or EU GDPR to a country not recognised as providing adequate protection, the parties will ensure appropriate safeguards are in place.
EU transfers: the parties incorporate the EU Standard Contractual Clauses ("EU SCCs") by reference, as completed in Annex 3 (EU SCCs), where applicable.
UK transfers: the parties incorporate the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement ("UK IDTA") as completed in Annex 4 (UK Transfer Addendum or UK IDTA), where applicable.
Additional transfer safeguards: encryption in transit and at rest, access controls, and data minimisation.
9. Assistance With Data Subject Requests
Considering the nature of the Processing, SHAZAM Analytics will provide reasonable assistance to Customer to respond to Data Subject requests (access, rectification, erasure, restriction, objection, portability) relating to Personal Data processed under this DPA. Customer is responsible for responding to such requests. SHAZAM Analytics may charge reasonable fees for assistance beyond standard support, as permitted by law and the Agreement.
10. Assistance With Compliance
SHAZAM Analytics will provide reasonable assistance to Customer with Customer's obligations under applicable data protection law relating to security of processing, notifications to Supervisory Authorities and Data Subjects, data protection impact assessments, and prior consultations, to the extent applicable to the Services and the information available to SHAZAM Analytics.
11. Personal Data Breach Notification
SHAZAM Analytics will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Notification will include, to the extent available, information reasonably required by Customer to meet its breach notification obligations.
Security contact: info [at] qualimetry [dot] com
12. Audits and Information
SHAZAM Analytics will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant security and compliance documentation (for example, policies, summaries of controls, and third-party attestations where available).
Customer may conduct a remote audit or document review only, no more than once per year, with 30 days' prior written notice, subject to confidentiality and reasonable scope limitations to avoid disruption.
13. Return or Deletion of Customer Data
Upon termination or expiration of the Services, SHAZAM Analytics will, at Customer's choice and to the extent supported by the Services, return or delete Customer Data containing Personal Data, in accordance with the Agreement and within 30 days after termination.
SHAZAM Analytics may retain Customer Data where required by law or for limited periods in backups and logs for security and disaster recovery. Backup retention may be up to 90 days, after which the relevant backup data is overwritten or deleted in the ordinary course, subject to appropriate protections during the retention period.
14. Records of Processing
SHAZAM Analytics will maintain records of processing activities as required for Processors under applicable data protection law, to the extent the obligation applies to the Services and Processing under this DPA.
15. US Service Provider and Targeted Advertising
Where applicable under US privacy laws, SHAZAM Analytics acts as a Service Provider/Processor with respect to Customer Data and does not sell Customer Data or share Customer Data for targeted advertising. SHAZAM Analytics does not use Customer Data for targeted advertising.
For avoidance of doubt, SHAZAM Analytics does not engage in targeted advertising.
16. Liability and Order of Precedence
Liability is governed by the Agreement, unless prohibited by applicable law. If there is a conflict between this DPA and the Agreement regarding Processing of Personal Data, this DPA will control. If there is a conflict between the SCCs and this DPA, the SCCs will control for transfers covered by the SCCs.
17. Contact
For questions about this DPA or data protection matters, contact: info [at] qualimetry [dot] com
Annex 1: Description of Processing
Customer: the customer entity that enters into the Agreement
Processor: SHAZAM Analytics Limited
Services (brand names): Qualimetry and/or SHAZAM
Subject matter: provision of code quality, security, compliance, and related analysis and reporting services; operation, support, and security of the Services.
Duration: for the term of the Agreement and any additional period as described under "Return or Deletion of Customer Data".
Nature and purpose of processing: hosting, ingesting, analysing, and presenting outputs derived from Customer Data; user and tenant administration; audit logging; incident prevention and detection; support and troubleshooting as requested by Customer.
Categories of Data Subjects: Customer's authorised users; Customer employees, contractors, and other individuals whose identifiers may appear in source repositories (for example, commit authors); other individuals whose personal data may appear in Customer Data as determined by Customer.
Types of Personal Data: name; email address; username; authentication identifiers; role and access assignments; audit and usage logs; repository metadata that may identify individuals (for example, commit author name and email); free-text content included by Customer (for example, comments) to the extent it contains Personal Data.
Special categories: not intended to be processed. Customer must not upload special category data to the Services.
Annex 2: Security Measures
SHAZAM Analytics maintains a security program designed to protect Customer Data. Measures may include:
- Access control: role-based access control, least privilege, and administrative access restrictions
- Authentication: support for multi-factor authentication for privileged access where supported/required
- Logging: audit logging for administrative and security-relevant events
- Encryption: encryption in transit; encryption at rest where supported by the underlying storage and configuration
- Vulnerability management: patching processes and vulnerability scanning as appropriate
- Incident response: documented incident handling and escalation procedures
- Backups and recovery: backup and disaster recovery measures appropriate to the service tier
Security certifications or attestations: Cyber Essentials
Annex 3: EU Standard Contractual Clauses (EU SCCs)
If EU SCCs apply, the parties incorporate the SCCs by reference. The SCC module(s), annexes, and optional clauses are as follows:
- Module(s): ALLCAPS TO BE COMPLETED (typically Module Two: Controller to Processor)
- Annex I (List of Parties): Customer (as data exporter) and SHAZAM Analytics Limited (as data importer)
- Annex I (Description of Transfer): see Annex 1 of this DPA
- Annex II (Technical and Organisational Measures): see Annex 2 of this DPA
- Annex III (Subprocessors): none as at the Effective date
Annex 4: UK Transfer Addendum or UK IDTA
If UK transfers apply, the parties incorporate either the UK Addendum to the EU SCCs or the UK IDTA, as specified below:
- Mechanism used: ALLCAPS TO BE COMPLETED (UK Addendum or UK IDTA)
- Addendum/IDTA completion details: ALLCAPS TO BE COMPLETED
- UK supervisory authority: Information Commissioner's Office (ICO)