Third-Party Services and Data Processors

Last Updated: November 3, 2025

Diffgraph uses several third-party services to provide, operate, and improve our Service. This document provides transparency about these services, what data they process, and how to learn more about their privacy and security practices.

Overview

We carefully select service providers that maintain high standards of security and compliance. All listed services:

  • Have executed Data Processing Agreements (DPAs) with us that comply with GDPR requirements
  • Maintain SOC 2 Type II and ISO 27001 certifications
  • Are certified under the EU-U.S. Data Privacy Framework
  • Use Standard Contractual Clauses for international data transfers
  • Comply with applicable data protection laws including GDPR and CCPA

1. PostHog - Product Analytics

Purpose

PostHog provides product analytics and usage tracking to help us understand how users interact with Diffgraph and improve the Service.

What Data Is Shared

  • User identifiers (anonymized where possible)
  • Feature usage patterns and user interactions
  • Session information and user journeys
  • Page views and navigation data
  • Device and browser information
  • IP addresses and general location data (country/region level)
  • Error logs and diagnostic information

Data Location

  • Primary: United States (AWS US-West) or EU (AWS Frankfurt/Germany)
  • We use PostHog's EU region for EU-based users where feasible

Privacy Policy

https://posthog.com/privacy

Security and Compliance

  • Certifications: SOC 2 Type II, ISO 27001:2013, ISO 27701 (PIMS)
  • Frameworks: GDPR compliant, CCPA compliant, EU-U.S. Data Privacy Framework certified
  • Data Controls: Extensive privacy controls available, first-party cookies only, no third-party tracking
  • Self-Hosted Option: Available for customers requiring on-premises analytics

Data Processing Agreement

Available via self-service at https://posthog.com/dpa

Includes 2021 EU Standard Contractual Clauses and UK IDTA

Your Controls

  • Opt-out of analytics tracking via account preferences
  • Cookie consent management banner on first visit
  • Do Not Track (DNT) browser signals honored

2. Stripe - Payment Processing

Purpose

Stripe processes all payment transactions, subscription billing, and payment method management for Diffgraph paid plans.

What Data Is Shared

  • Account Information: Name, email address, billing address
  • Payment Information: Payment card details, bank account information (processed directly by Stripe, not stored by us)
  • Transaction Data: Purchase history, subscription details, invoice records
  • Business Information: Business name and tax identification (if applicable)

Data Location

  • Primary: United States (Stripe, Inc.)
  • Data may be processed in multiple jurisdictions based on payment method and processing requirements

Privacy Policy

https://stripe.com/privacy

Security and Compliance

  • Certifications: SOC 2 Type II, ISO 27001:2013, PCI-DSS Level 1 (highest level)
  • Frameworks: GDPR compliant, CCPA compliant, EU-U.S. Data Privacy Framework certified
  • Security: Industry-leading payment security, encryption, and fraud prevention

Data Processing Agreement

Automatically incorporated into Stripe Services Agreement for all customers

Available at https://stripe.com/legal/dpa

Includes Standard Contractual Clauses for international transfers

Additional Information

Stripe Services Agreement: By using Diffgraph's paid features, you agree to be bound by the Stripe Services Agreement, including Stripe's Terms of Service. Stripe acts as both a data controller (for fraud prevention) and data processor (for payment processing on our behalf).

Privacy Center: https://stripe.com/legal/privacy-center

3. MongoDB Atlas - Database Services

Purpose

MongoDB Atlas provides cloud database services for storing and managing all Diffgraph application data.

What Data Is Shared

  • All Application Data: Repository information, code analysis results, user accounts, settings, and preferences
  • Repository Data: Organization names, repository names, pull request metadata
  • Generated Content: Architectural diagrams and visualizations
  • Account Data: User profiles, subscription information, usage statistics

Data Location

Customer-Controlled: We select the MongoDB Atlas region based on our user base. Available options include:

  • AWS Regions: Multiple global locations including EU (Frankfurt, Ireland), US, Asia-Pacific
  • Azure Regions: Global coverage
  • Google Cloud Regions: Global coverage

We can configure specific regional deployments for enterprise customers requiring data residency in particular jurisdictions.

Privacy Policy

https://www.mongodb.com/legal/privacy-policy

Security and Compliance

  • Certifications: SOC 2 Type II, ISO 27001:2022, ISO 27017, ISO 27018, PCI-DSS, HIPAA, FedRAMP, TISAX, CSA STAR Level 2
  • Frameworks: GDPR compliant, customer controls for data residency
  • Encryption: Encryption at rest (default), TLS encryption in transit
  • Security Features: Customer-managed encryption keys (CMEK) available, network isolation, access controls

Data Processing Agreement

Automatically incorporated into MongoDB Cloud Terms of Service

Available at https://www.mongodb.com/legal/dpa

Includes 2021 EU SCCs, UK IDTA, and Swiss Federal Act on Data Protection modifications

Data Control

  • Customers maintain full control over data location through region selection
  • Data can be retrieved, corrected, or deleted without MongoDB assistance
  • Backups stored with global replication, retained per our data retention policy

Additional Security

  • MongoDB does not access customer data except for support, security, or as required by law
  • Optional Queryable Encryption available for sensitive data

Trust Center: https://www.mongodb.com/products/platform/trust

4. Vercel - Hosting and Infrastructure

Purpose

Vercel provides hosting, deployment infrastructure, and edge network services for the Diffgraph application.

What Data Is Shared

  • Application Data: All data transmitted through the application
  • Account Information: Developer account data, deployment configurations
  • Customer Content: Pull request comments posted by Diffgraph
  • Usage Data: API usage, bandwidth consumption, function executions
  • Analytics: Website traffic and performance metrics (if Vercel Analytics used)

Data Location

  • Infrastructure Providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform
  • Edge Network: Global edge network for content delivery and routing
  • Primary Region: Based on optimal performance for our user base

Privacy Policy

https://vercel.com/legal/privacy-policy

Security and Compliance

  • Certifications: SOC 2, ISO 27001:2013, TISAX Level 2
  • Frameworks: GDPR compliant, EU-U.S. Data Privacy Framework certified, HIPAA available for Enterprise
  • Security: DDoS protection, TLS encryption, automated security updates

Data Processing Agreement

Available at https://vercel.com/legal/dpa

Includes Standard Contractual Clauses for international transfers

Data Residency

  • Vercel.com uses Azure CosmosDB with global replication
  • Backups retained for 30 days, globally replicated
  • Static assets and serverless functions may be cached ephemerally on edge network
  • No permanent data storage in EU regions (ephemeral edge caching only)

Additional Information

Speed Insights & Web Analytics: Privacy-compliant by design, no PII collected by default

Documentation: Detailed privacy compliance info at https://vercel.com/docs/analytics/privacy-policy

Security: https://vercel.com/security

5. GitHub - Repository Access and API

Purpose

GitHub provides the underlying platform for repository access, pull request management, and API services that enable Diffgraph's core functionality.

What Data Is Shared

  • Authentication: OAuth tokens, application credentials
  • Repository Access: Read access to repository code, pull requests, and metadata as authorized
  • API Interactions: API calls for reading code diffs and posting comments
  • Webhook Data: Pull request events, code change notifications

Data We Access from GitHub

  • Organization names and repository names
  • Pull request diffs and code changes
  • Commit metadata (author, timestamp, message)
  • File structures and dependencies
  • Repository configuration and settings

Data Location

  • Primary: United States and international
  • GitHub processes data in multiple global locations

Privacy Policy

https://docs.github.com/privacy

Security and Compliance

  • Certifications: SOC 1 Type 2, SOC 2 Type 2, ISO 27001:2013, ISO 27018:2019, ISO 27701:2019, CSA STAR Level 2, FedRAMP Tailored LiSaaS ATO
  • Frameworks: GDPR compliant, EU-U.S. Data Privacy Framework certified

Data Processing Agreement

Available for Enterprise and Organization accounts

Access at https://github.com/customer-terms/github-data-protection-agreement

GitHub Permissions

Diffgraph requests the following GitHub permissions:

  • Repository Contents: Read access to repository code
  • Pull Requests: Read and write access, used to read pull requests and to post comments
  • Metadata: Read-only access to repository metadata (automatic)

GitHub Integration Terms

Our use of GitHub is subject to:

  • GitHub's Terms of Service
  • GitHub's API Terms (Section H)
  • GitHub Marketplace Developer Agreement
  • GitHub's Acceptable Use Policies

We comply with all GitHub policies, including:

  • No spamming or abuse of commenting functionality
  • No unsolicited commercial messages via comments
  • Respect for API rate limits
  • No scraping of personal information beyond authorized access

GitHub Security: https://github.com/security

Data Flow Summary

How Data Flows Through Our System

  1. User Authorization: You install Diffgraph and authorize access to GitHub repositories
  2. GitHub Access: We access pull requests and code diffs via GitHub API
  3. Processing: Code is analyzed on Vercel infrastructure, with data stored in MongoDB Atlas
  4. Visualization: Mermaid diagrams are generated and posted back to GitHub pull requests
  5. Analytics: PostHog tracks usage patterns to improve the Service
  6. Billing: Stripe processes payments for paid subscriptions

Data Storage Locations

  • Primary Application Data: MongoDB Atlas (configurable region)
  • Code Analysis: Processed in-memory on Vercel, results stored in MongoDB
  • Analytics Data: PostHog (US or EU region based on configuration)
  • Payment Data: Stripe secure servers (US)
  • Application Hosting: Vercel edge network (global)

International Transfers

Data may be transferred to and processed in the United States and other countries. We protect these transfers using:

  • Standard Contractual Clauses (SCCs): EU-approved 2021 SCCs with all US-based processors
  • EU-U.S. Data Privacy Framework: All service providers are DPF certified
  • UK IDTA: For transfers from the UK
  • Supplementary Measures: Encryption, access controls, Transfer Impact Assessments

Your Rights Regarding Third-Party Processing

Access and Control

You have rights regarding data processed by these third-party services on our behalf:

  • Right to Know: What data is shared with which services
  • Right to Object: Object to processing by specific services (may limit Service functionality)
  • Right to Access: Request information about data processed by our subprocessors
  • Right to Delete: Request deletion of your data, which we will instruct our processors to carry out

To exercise these rights, contact us at tijs@rodi-digital.com.

Subprocessor Changes

We may add, remove, or change subprocessors from time to time. We will:

  • Maintain an up-to-date list of subprocessors on this page
  • Notify customers 30 days before adding new subprocessors
  • Provide opportunity for reasonable objection to new subprocessors (enterprise customers)
  • Update this document when subprocessors change

Data Processing Agreements

We maintain written Data Processing Agreements with all subprocessors listed on this page. These DPAs include:

  • Scope and purpose of processing
  • Data security requirements
  • Sub-processor authorization and restrictions
  • Data deletion or return obligations
  • Audit rights
  • Standard Contractual Clauses for international transfers

Enterprise customers may request copies of our subprocessor agreements (with confidential information redacted) by contacting tijs@rodi-digital.com.

Service Provider Compliance Documentation

Compliance Resources

Each service provider maintains detailed compliance documentation; see the privacy policy, DPA, and security links listed in each provider's section above.

Vendor Security Questionnaires

If you require vendor security questionnaires or additional compliance documentation for your internal procurement processes, contact tijs@rodi-digital.com. We can provide:

  • Detailed security questionnaire responses
  • Certification copies (SOC 2, ISO 27001)
  • Data flow diagrams
  • Subprocessor attestations

Changes to Third-Party Services

We may change, add, or remove third-party services from time to time as we improve and evolve the Diffgraph platform.

We will:

  • Update this document when third-party services change
  • Notify you via email of material changes to subprocessors
  • Provide 30 days' notice before adding new subprocessors
  • Maintain equivalent or higher security and compliance standards

You may:

  • Object to new subprocessors if they don't meet your requirements
  • Request information about why a subprocessor was added or changed
  • Terminate your subscription if you cannot accept a new subprocessor

Questions About Third-Party Services

If you have questions about our use of third-party services, data flows, or compliance:

Email: tijs@rodi-digital.com
Subject: Third-Party Services Inquiry

We're happy to provide additional information about our data processing practices and subprocessor relationships.

Third-Party Services and Attributions

This application uses the following third-party services and software libraries:

AI Services

DeepSeek

Anthropic Claude

GitHub Integration

GitHub API

Octokit Libraries

  • Libraries: @octokit/app, @octokit/rest, @octokit/webhooks, @octokit/core
  • Purpose: GitHub API client and authentication
  • License: MIT
  • Repository: https://github.com/octokit

Diagram Rendering

Mermaid

Framework and Dependencies

NestJS

Node.js

TypeScript

pnpm

Testing and Development Tools

  • Jest: Testing framework (MIT)
  • ESLint: Linting (MIT)
  • Prettier: Code formatter (MIT)

Additional Dependencies

For a complete list of all dependencies and their licenses, see the package.json file in this repository.

All third-party software is used in accordance with their respective licenses and terms of service.

Document Version: 1.0
Effective Date: November 3, 2025
Last Review: November 3, 2025