{
  "schema_version": 1,
  "kind": "change_consequence_data_processing_addendum",
  "product": "Busleyden Guard",
  "service_scope": {
    "public_repositories": "Free while the service is available.",
    "guard_pro": "$19.90/month for unlimited selected private repositories under one GitHub account while the subscription is active."
  },
  "data_roles": {
    "customer": "Controller or primary data owner for repository, pull request, reviewer, and approval data.",
    "operator": "Processor or service provider for Guard report support, subscription verification, and service operations."
  },
  "data_categories": [
    "Repository URL, pull request URL, pull request number, title, author metadata, and changed file paths.",
    "CODEOWNERS or owner-routing metadata when present.",
    "Test identifiers, scanner summaries, dependency findings, policy status, blockers, explicit unknowns, and reviewer feedback.",
    "Business contact details submitted through intake, objection, reviewer feedback, approval, scheduling, or payment handoff forms.",
    "Stripe subscription metadata needed to verify Guard Pro access."
  ],
  "default_storage_position": {
    "customer_source_code": "Customer source code should remain in the customer's repository by default.",
    "guard_reports": "Guard evidence and decision reports should remain as customer repository workflow artifacts or PR comments unless the customer explicitly configures another sink.",
    "operator_ledgers": "Lead, objection, approval, and revenue ledgers are optional and should be private operator-controlled repositories or signed internal systems.",
    "public_assets": "Public sample assets must not contain customer source code, customer secrets, customer approval evidence, or live revenue evidence."
  },
  "subprocessors_and_external_services": [
    {
      "name": "GitHub Actions",
      "purpose": "Run the Guard workflow in the customer repository.",
      "required": true
    },
    {
      "name": "Stripe",
      "purpose": "Create Checkout sessions and verify payment webhooks when card checkout is enabled.",
      "required": false
    },
    {
      "name": "GitHub Contents API",
      "purpose": "Write optional private lead, objection, approval, or revenue ledger JSON files when configured.",
      "required": false
    },
    {
      "name": "Configured operator webhooks or CRM",
      "purpose": "Receive signed lead, feedback, objection, approval, or revenue notifications when configured.",
      "required": false
    },
    {
      "name": "Semgrep, OSV, or customer-selected scanners",
      "purpose": "Attach security or dependency evidence when the customer enables scanner jobs.",
      "required": false
    }
  ],
  "retention_and_deletion": {
    "operator_ledger_retention": "Keep private operator ledger artifacts only as long as needed for service operation, accounting, fraud prevention, dispute handling, or written legal obligation.",
    "customer_deletion_request": "On written customer request, delete or redact operator-controlled lead, objection, reviewer-feedback, approval, and revenue artifacts unless retention is required for accounting, fraud prevention, dispute handling, or legal compliance.",
    "customer_repository_artifacts": "The customer controls deletion of artifacts and PR comments stored in the customer repository.",
    "token_rotation": "Revoke installation access immediately after uninstall and rotate any customer-provided tokens when service access ends."
  },
  "security_controls": [
    "Use least-privilege GitHub workflow permissions.",
    "Keep customer source code out of operator-controlled storage by default.",
    "Sign configured webhook notifications with X-Change-Consequence-Signature.",
    "Use private repositories for operator ledgers that contain buyer or approval data.",
    "Redact secret values from launch manifests, readiness reports, public artifacts, and logs."
  ],
  "customer_controls": [
    "Disable PR comments and use workflow artifacts only.",
    "Omit optional operator ledgers or webhooks.",
    "Run without scanner integrations and record missing evidence as explicit unknowns.",
    "Uninstall the workflow and revoke App access at any time.",
    "Request deletion or redaction of operator-controlled service artifacts."
  ],
  "exclusions": [
    "This addendum is not a negotiated data processing agreement.",
    "This addendum is not a SOC 2 report, penetration test, legal opinion, privacy policy, or compliance attestation.",
    "This addendum does not authorize storing customer source code outside the customer repository by default.",
    "This addendum does not prove that a real customer deployment has passed security or privacy review."
  ],
  "claim_boundary": "This is a buyer-readable data handling addendum. It clarifies default data boundaries, but it is not legal advice, a negotiated DPA, a privacy policy, a compliance attestation, or proof of customer acceptance."
}
