Data Processing Agreement
Last updated: December 21, 2025
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between diffray, Inc. ("Processor," "we," "us") and the customer ("Controller," "you") for the provision of AI-powered code review services (the "Service").
This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Service, and such Personal Data is subject to Data Protection Laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by us on your behalf.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR (EU), UK GDPR, CCPA (California), LGPD (Brazil), and other applicable regulations.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope of Processing
2.1 Subject Matter
Processing of Personal Data in connection with AI-powered code review services for GitHub repositories.
2.2 Nature and Purpose
- Providing code review and analysis services
- Processing pull requests and repository data
- User authentication and account management
- Service analytics and improvement
2.3 Categories of Data Subjects
- Your employees and contractors
- Your end users who interact with code repositories
- Contributors to repositories you authorize for review
2.4 Types of Personal Data
- GitHub usernames and email addresses
- Profile information (names, avatars)
- Repository metadata and commit information
- IP addresses and usage data
2.5 Duration
Processing continues for the duration of the Service agreement, plus any retention period required by law or as specified in our Privacy Policy.
3. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without your prior authorization (general or specific)
- Assist you in responding to Data Subject requests
- Assist you in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return all Personal Data upon termination, unless retention is required by law
- Make available information necessary to demonstrate compliance and allow for audits
4. Controller Obligations
You shall:
- Ensure you have a lawful basis for processing Personal Data
- Provide clear instructions for Personal Data processing
- Ensure that Data Subjects have been informed about the processing
- Be responsible for the accuracy of Personal Data provided to us
- Comply with applicable Data Protection Laws
5. Sub-processors
You authorize us to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | USA |
| Anthropic | AI processing (Claude) | USA |
| GitHub (Microsoft) | Authentication and repository access | USA |
| Stripe | Payment processing | USA |
| Vercel | Web application hosting | USA |
We will notify you of any intended changes to Sub-processors, giving you the opportunity to object. All Sub-processors are bound by data processing agreements with equivalent protections.
6. Security Measures
We implement and maintain appropriate technical and organizational measures including:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access Control: Role-based access, multi-factor authentication, least privilege principle
- Infrastructure: AWS with SOC 2 Type II certification, isolated VPCs, security groups
- Monitoring: 24/7 logging, intrusion detection, automated alerting
- Code Security: Ephemeral processing environments destroyed after each review
- Personnel: Background checks, security training, confidentiality agreements
- Incident Response: Documented procedures, regular testing, defined escalation paths
7. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.
8. Security Incident Notification
Upon becoming aware of a Security Incident affecting your Personal Data, we will:
- Notify you without undue delay (within 72 hours where feasible)
- Provide information about the nature of the incident, categories of data affected, approximate number of Data Subjects, likely consequences, and measures taken
- Cooperate with your investigation and mitigation efforts
- Document the incident and remediation steps
9. Data Deletion and Return
Upon termination of the Service or upon your request:
- We will delete or return all Personal Data within 30 days
- We will provide written confirmation of deletion upon request
- Retention beyond this period only where required by applicable law
Note: Source code is never stored permanently. Each review runs in an ephemeral environment that is fully destroyed after completion.
10. Audits
Upon reasonable notice and subject to confidentiality obligations:
- We will make available information necessary to demonstrate compliance with this DPA
- We will allow for and contribute to audits conducted by you or an independent auditor
- Audits shall be conducted during normal business hours, no more than once annually
- You shall bear the costs of any audit unless it reveals material non-compliance
We also maintain third-party certifications and audit reports (available upon request under NDA).
11. International Transfers
For transfers of Personal Data outside the EEA, UK, or Switzerland:
- We rely on EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- For UK transfers, we use the UK International Data Transfer Agreement or UK Addendum to the SCCs
- We implement supplementary measures where required by applicable guidance
SCCs are incorporated by reference and available upon request.
12. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party shall be liable for damages caused by processing that infringes Data Protection Laws or this DPA.
13. Term and Termination
This DPA shall remain in effect for the duration of our processing of Personal Data on your behalf. Upon termination of the Service, obligations relating to data deletion, confidentiality, and audit rights shall survive.
14. Governing Law
This DPA shall be governed by the laws specified in the Terms of Service (State of Delaware, USA), except where Data Protection Laws require otherwise.
15. Contact
For questions about this DPA or to request a signed copy:
diffray, Inc.
Delaware, USA
Email: privacy@diffray.ai
Request a Signed DPA
Enterprise customers can request a countersigned copy of this DPA for their records. Contact us at privacy@diffray.ai.
We typically respond within 2 business days.