
data processing addendum

last updated: 2026-05-20 · effective: TBD

v0 — pending counsel review. reflects current panel practices. wording may change after legal review. questions: privacy@goku.codes.

this addendum ("DPA") forms part of the terms of service between the operator ("controller") and panel ("processor", UltraInstinct0x). it governs processing of personal data submitted by the controller to panel and applies whenever the controller is subject to GDPR, UK-GDPR, or KVKK.

countersigned PDFs available on request for paid operators: privacy@goku.codes. v0 wording is in effect for v0 contracts; future updates trigger 30-day notice.

1 — definitions

capitalized terms (Controller, Processor, Data Subject, Personal Data, Processing, Sub-Processor, Supervisory Authority) carry their GDPR Art. 4 meaning. "Applicable Law" means GDPR, UK-GDPR, and KVKK as applicable to the operator.

2 — scope + subject matter

  • subject matter: provision of the panel service.
  • duration: term of the operator account plus the post-termination export period.
  • nature + purpose: providing captcha + preference-data labeling on operator-submitted units.
  • types of personal data: pseudonymous rater identifiers; behavioral signals; IP addresses (transient, rate-limit only); any personal data the controller submits within unit content (controller's responsibility to minimize).
  • categories of data subjects: controller's end users (raters); controller's authorized account users (admin).

3 — controller responsibilities

  • provide lawful basis for any personal data submitted in unit content.
  • obtain consents required from end users.
  • minimize personal data: do not embed PII, PHI, or secrets in unit content unless contracted under a signed BAA and using scrubber-proxy.
  • respond to data-subject requests received by the controller; route DSARs that originate via panel to privacy@goku.codes.

4 — processor obligations (Art. 28)

panel will:

  • process personal data only on documented instructions from the controller (the terms + this DPA constitute the documented instructions).
  • ensure persons authorized to process personal data are bound by confidentiality.
  • implement appropriate technical and organizational measures (see annex II below).
  • engage sub-processors only as listed at /legal/sub-processors; give 30 days' notice of additions; allow the controller to object.
  • assist the controller with DSARs, DPIAs, and supervisory-authority engagement to the extent reasonable.
  • notify the controller of a personal-data breach without undue delay (target: within 72 hours of becoming aware).
  • at the controller's choice on termination: delete or return personal data, subject to retention required by law.
  • make available information necessary to demonstrate Art. 28 compliance and allow audits per section 8 below.

5 — sub-processors

list, notice mechanism, and objection process are at /legal/sub-processors. panel remains liable for sub-processor performance.

6 — international transfers

panel is hosted in Frankfurt, DE. data exports outside the EU/EEA (e.g. to US-based sub-processors such as GitHub) rely on the EU Standard Contractual Clauses (2021/914), modules 2 or 3 as applicable, and on the UK addendum for UK transfers. SCCs are incorporated by reference; countersigned copies available on request.

7 — data-subject rights

panel exposes the following to enable direct DSAR fulfillment by raters:

  • GET /api/me/export?rater_id=<id> — export
  • POST /api/me/delete?rater_id=<id> — erasure

controllers may also submit batch DSAR requests to privacy@goku.codes; response within 30 days.

8 — audits

controller may, no more than once per 12 months, request a copy of panel's most recent security documentation (annex II) and ask reasonable written questions. on-site audits are not available in v0; once SOC 2 attestation is in place, the SOC 2 report will satisfy this section. controllers in regulated verticals may negotiate additional audit rights as part of an enterprise contract.

9 — return / deletion on termination

on termination of the operator account, the controller may export judgments for 30 days. after 30 days, operator-controlled unit content is deleted within 14 days, except where retention is required by law. aggregated, anonymized signal already incorporated into panel datasets persists.

annex I — processing details

  • nature of processing: storing, structuring, retrieving, displaying, anonymizing personal data within the captcha/labeling flow.
  • purpose: bot prevention + production of labeled preference datasets.
  • data categories: pseudonymous identifiers; behavioral aggregates; transient IP; any personal data the controller submits in unit content.
  • data subjects: end users of the controller; controller's admin users.
  • retention: per the privacy policy schedule.

annex II — technical + organizational measures

  • TLS 1.2+ for data in transit.
  • host-level disk encryption at rest.
  • AES-256-GCM for reversible mappings inside scrubber-proxy.
  • pseudonymous identifiers (random opaque rater_id).
  • append-only audit logging on the operator console and ingest pipeline.
  • rate-limit and bot-detection layers on every public endpoint.
  • secret-key isolation: operator secret keys stored hashed; only publishable keys are exposed.
  • least-privilege access on host: single operator (no team), key-only SSH, no shared accounts.
  • backups: daily snapshots of the panel sqlite store, 14-day retention, encrypted.
  • incident response: 72-hour notification window to controllers + supervisory authority.
  • no certified attestation today (no SOC 2 / ISO 27001 yet); roadmap published at /legal/sub-processors as those vendors come online.

annex III — sub-processors

see /legal/sub-processors (incorporated by reference).