Data Processing Addendum
Last updated: 2026-06-30
Template for development. Have a qualified US privacy/SaaS lawyer review this (especially the Privacy Policy and DPA) before going live.
This DPA forms part of the Terms between you (the “Controller”) and us (the “Processor” / service provider) when we process personal data on your behalf.
Roles
You are the controller of the content and end-user data you process through the Service. We act as your processor and only process personal data per your documented instructions (the Terms and your use of the Service).
Our obligations
- Process personal data only for providing the Service.
- Maintain appropriate technical and organizational measures (encryption at rest for secrets, tenant isolation via row-level security, access controls).
- Ensure persons authorized to process data are bound by confidentiality obligations.
- Assist you with data-subject requests and security/breach notification.
- Delete or return personal data at the end of the engagement.
Subprocessors
You authorize the subprocessors on our Subprocessor list. We will give notice of changes and remain responsible for their performance.
International transfers
Where data is transferred internationally, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) as required.