Data Processing Addendum

Version 2026-03-29 | Last updated: March 29, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service and the Privacy Policy between you ("Data Controller" or "Customer") and Otto ("Data Processor" or "we"). This DPA addresses the requirements of GDPR Article 28, CCPA, and other applicable data protection regulations.

1. Subject Matter and Duration

Otto processes personal data on behalf of the Customer for the purpose of providing the Otto Service (stack assessment, security scanning, development automation, and operational monitoring). Processing begins when the Customer creates an account and continues for the duration of the subscription. Upon termination, personal data is deleted within 30 days except where retention is required by law.

2. Nature and Purpose of Processing

Otto processes personal data solely for the following purposes:

  • Account management and authentication
  • Subscription billing and payment processing
  • Service delivery (assessments, recommendations, automated outputs)
  • Customer support
  • Service improvement based on aggregated, anonymized usage metrics

Otto does not:

  • Use Customer data to train AI or machine learning models
  • Share Customer data with third parties except as listed in Section 7
  • Perform automated profiling that produces legal effects on data subjects
  • Access, store, or transmit Customer source code

3. Type of Personal Data

The following categories of personal data are processed:

  • Account data: Name, email address, authentication credentials (hashed)
  • Billing data: Billing contact details, payment method tokens (full card numbers stored by Stripe only)
  • Application metadata: Application name, repository URLs (not source code content)
  • Usage metrics: API call counts, feature usage frequency, assessment scores
  • Technical data: IP addresses, browser type, timestamps (for security and rate limiting)

4. Categories of Data Subjects

Data subjects include:

  • Individual subscribers (account holders)
  • Enterprise account holders and their designated team members
  • Billing contacts for organizational subscriptions

5. Obligations of the Data Controller

The Customer (Data Controller) is responsible for:

  • Ensuring a lawful basis for processing personal data provided to Otto
  • Responding to data subject requests within their own organization
  • Ensuring that authorized users are informed about data processing
  • Notifying Otto of any data subject requests that require Otto's assistance

6. Processor Obligations (Otto)

Otto commits to:

  • Instructions: Processing personal data only on documented instructions from the Controller, unless required by law
  • Confidentiality: Ensuring all personnel authorized to process personal data are bound by confidentiality obligations
  • Security: Implementing appropriate technical and organizational measures including encryption in transit (TLS 1.2+), encrypted database connections, password hashing (bcrypt), API key hashing (SHA-256), and regular security reviews
  • Sub-processors: Using sub-processors only as listed in Section 7, with prior notice for changes
  • Data subject rights: Assisting the Controller in responding to data subject access, rectification, erasure, and portability requests
  • Breach notification: Notifying the Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach
  • Deletion: Deleting or returning all personal data upon termination of the service, within 30 days
  • Audit: Making available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations

7. Sub-processors

Otto uses the following sub-processors:

  Sub-processor    Purpose                           Location
  Stripe           Payment processing                United States
  Resend           Transactional email delivery      United States
  DigitalOcean     Cloud infrastructure hosting      United States
  Sentry           Error monitoring                  United States
  Google           OAuth authentication, reCAPTCHA   United States

Otto will provide the Controller with at least 30 days' advance written notice before engaging any new sub-processor. The Controller may object to a new sub-processor by contacting Otto within 14 days of the notice.

8. International Data Transfers

All sub-processors listed above are based in the United States. For transfers of personal data from the European Economic Area (EEA) to the United States, Otto relies on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as adopted by the European Commission. Copies of the applicable SCCs are available upon request.

9. Data Retention and Deletion

Personal data is retained for the duration of the subscription. Upon account deletion or subscription termination:

  • Personal data is deleted within 30 days
  • Billing records may be retained for up to 7 years as required by tax law
  • Anonymized, aggregated analytics data may be retained indefinitely (this data cannot identify individual data subjects)
  • Backups containing personal data are purged within 90 days of deletion