Data Processing Agreement

Last updated: 4 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer") and Goo Holdings Ltd (trading as Lineman), a company registered in England and Wales under company number 17141115, whose registered office is at 79 Shawclough Way, Greater Manchester, OL12 6DS, England ("Lineman", "we", "us"), under which we provide the Lineman service (the "Service").

It applies where Lineman processes personal data on behalf of a business Customer in the course of providing the Service, and reflects our obligations as a processor under Article 28 of the UK GDPR. It supplements, and forms part of, the Terms and Conditions and any enterprise subscription agreement between the parties (together, the "Agreement"). For how we handle personal data for which we are the controller (such as account, billing and usage data), see the Privacy Policy.

If you require a counter-signed copy of this DPA for your procurement records, contact us at support@lineman.io.

1. Definitions

Terms not defined here have the meaning given in the Agreement. In this DPA:

"Customer Personal Data" means any personal data contained in Customer Content that Lineman processes on the Customer's behalf in providing the Service.

"Data Protection Laws" means all laws applicable to the processing of personal data under the Agreement, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and — where the Customer or the relevant processing is subject to it — the EU GDPR (Regulation (EU) 2016/679).

"UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018.

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Category Data" and "Supervisory Authority" have the meanings given in the Data Protection Laws.

"Standard Contractual Clauses" or "SCCs" means, as applicable, the UK International Data Transfer Agreement, the UK Addendum to the European Commission's Standard Contractual Clauses, and/or the European Commission's Standard Contractual Clauses (2021/914), as the case requires.

"Sub-processor" means any third party engaged by Lineman to process Customer Personal Data.

2. Roles of the parties

For Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of its own controller) and Lineman is the Processor. Lineman processes Customer Personal Data only as described in this DPA and the Agreement.

For account data, billing data, usage data, support correspondence and security/telemetry data, Lineman acts as an independent Controller as described in the Privacy Policy. That processing is outside the scope of this DPA.

The details of the processing — its subject matter, duration, nature, purpose, the types of personal data and the categories of data subjects — are set out in Annex A.

3. Processing instructions

3.1 Lineman shall process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Lineman will, where legally permitted, inform the Customer of that requirement before processing).

3.2 The Customer's instructions are set out in, and given through, the Agreement, this DPA, the configuration and use of the Service by the Customer and its authorised users, and any further written instructions agreed by the parties.

3.3 Lineman shall inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws. Lineman is not responsible for determining whether the Customer's instructions comply with the Customer's own legal obligations.

3.4 The Customer warrants that it has all necessary rights, consents and lawful bases to provide Customer Personal Data to Lineman for processing under the Agreement, and that its instructions comply with the Data Protection Laws. The Service is designed for processing source code and software-development artefacts; the Customer must not submit Special Category Data or other particularly sensitive personal data through the Service except as expressly agreed in writing.

4. Confidentiality

Lineman shall ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality (whether contractual or statutory) and process that data only as necessary to provide the Service.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, Lineman shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR. A description of those measures is set out in Annex B.

5.2 The Customer is responsible for the secure use of the Service on its side, including managing its authorised users and credentials and configuring any available controls appropriately.

6. Sub-processors

6.1 The Customer grants Lineman general written authorisation to engage Sub-processors to process Customer Personal Data, subject to this Section. The current Sub-processors are listed in Annex C.

6.2 Lineman shall impose on each Sub-processor data-protection obligations that are, in substance, no less protective than those in this DPA, and remains responsible to the Customer for the performance of each Sub-processor's obligations.

6.3 Lineman shall give the Customer reasonable prior notice of the addition or replacement of any Sub-processor (including by updating Annex C or an equivalent published list). The Customer may object on reasonable, data-protection-related grounds within 30 days of notice. The parties will work together in good faith to resolve the objection; if they cannot, the Customer may terminate the affected part of the Service as its sole remedy.

7. Assistance to the Customer

7.1 Taking into account the nature of the processing, Lineman shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under the Data Protection Laws.

7.2 Lineman shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to Lineman.

8. Personal Data Breach

Lineman shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide the Customer with the information reasonably available to it to assist the Customer in meeting its own breach-notification obligations. Lineman's notification is not an acknowledgement of fault or liability.

9. Return and deletion

On termination or expiry of the Agreement, Lineman shall, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless the Data Protection Laws require continued storage. Customer Content is processed transiently and is not retained beyond what is needed to provide the Service, as described in the Terms and the Privacy Policy; routine backups are deleted in the ordinary course of Lineman's backup cycle.

10. Audits and information

10.1 Lineman shall make available to the Customer the information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by it.

10.2 The Customer's audit right may, in the first instance, be satisfied by Lineman providing relevant security documentation, summaries of its technical and organisational measures, and/or any third-party audit reports or certifications it holds. Any on-site or more detailed audit shall be on reasonable prior written notice, no more than once in any 12-month period (save where required by a Supervisory Authority or following a Personal Data Breach), during business hours, subject to confidentiality, and conducted so as to minimise disruption to Lineman's business.

11. International transfers

11.1 Lineman and its Sub-processors may process Customer Personal Data in locations outside the United Kingdom and the European Economic Area, as indicated in Annex C.

11.2 Where Customer Personal Data is transferred outside the United Kingdom or, where the EU GDPR applies, the EEA, to a country not subject to an adequacy decision, Lineman shall ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement, the UK Addendum to the European Commission's Standard Contractual Clauses, or the European Commission's Standard Contractual Clauses, together with any supplementary measures required. Where the SCCs apply, they are incorporated into this DPA by reference and completed by reference to the details in the Annexes.

12. Liability and precedence

12.1 Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12.2 This DPA forms part of, and is subject to, the Agreement. In the event of any conflict between this DPA and the rest of the Agreement on any data-protection matter, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail to the extent of the conflict.

13. Term and governing law

13.1 This DPA takes effect when the Customer accepts the Agreement (or first uses the Service as a business Customer) and continues for as long as Lineman processes Customer Personal Data. Provisions that by their nature should survive termination will do so.

13.2 This DPA is governed by the law of England and Wales, except where the Data Protection Laws or an applicable transfer mechanism require otherwise.

Annex A — Details of the processing

Subject matter: Lineman's processing of Customer Personal Data to provide the Service (an AI-assisted developer tool that uses a secondary AI model to perform data-intensive coding tasks).

Duration: the term of the Agreement, plus any short period during which transient processing or routine backup deletion completes.

Nature and purpose of processing: receiving Customer Content transmitted to the Service and processing it to perform tasks such as file summarisation, search-result filtering, build-output triage, error classification and code analysis, and to return the corresponding outputs to the Customer's coding environment.

Types of personal data: any personal data that happens to be contained within the Customer Content the Customer chooses to submit (for example, personal data incidentally present in source code, configuration, logs or other development artefacts). The Service is not intended for, and the Customer must not submit, Special Category Data.

Categories of data subjects: as determined by the Customer — typically the Customer's developers and personnel, and any individuals whose personal data is incidentally contained in the Customer Content submitted.

Special category data: none intended or required.

Annex B — Technical and organisational measures

Lineman maintains a security programme with measures designed in line with good industry practice and recognised standards (including ISO/IEC 27001 and ISO/IEC 27701). These measures include, as appropriate:

  • encryption of Customer Content in transit and at rest;
  • access controls based on least privilege, with authentication and role-based access to production systems;
  • network security controls and segregation of environments;
  • logical separation of Customer Content from telemetry, security and account data, so that source code and files are not contained in logs or analytics;
  • transient processing of Customer Content, minimising retention beyond what is needed to provide the Service;
  • logging, monitoring and anomaly detection for security events;
  • a documented incident-response process for security and personal-data breaches;
  • secure software-development and change-management practices;
  • confidentiality obligations and security awareness for personnel with access to Customer Personal Data;
  • vendor and sub-processor management, including data-protection due diligence; and
  • backup and resilience measures, with backups deleted on the ordinary backup cycle.

The specific measures may be updated from time to time provided the overall level of security is not reduced.

Annex C — Sub-processors

Lineman uses the following Sub-processors to process Customer Personal Data in providing the Service. This list is the authoritative current record; we will give reasonable prior notice of changes in accordance with Section 6.

  • Google Cloud Platform — cloud hosting, compute, storage and secrets management (United States).
  • Supabase — authentication and database services (European Economic Area).
  • Stripe — payment and billing processing (United States and European Economic Area).
  • IO Intelligence (io.net) — managed inference for the secondary AI model that processes Customer Content (United States).
  • IO.net Cloud — surge inference capacity for the secondary AI model (United States).
  • Anthropic — inference for the secondary AI model, where used (United States).
  • Resend — transactional email delivery (European Economic Area).
  • Sentry — error monitoring and diagnostics, with personal data minimised (European Economic Area).

Certain other vendors (for example, our source-code hosting, DNS and security-scanning providers) process our own data but do not process Customer Personal Data, and are therefore not listed as Sub-processors for the purposes of this DPA.

Contact

For any question about this DPA or our processing of personal data, or to request a counter-signed copy, contact us at support@lineman.io. Our registered details are in the page footer.