Data Processing Addendum (DPA)
Last updated: [EFFECTIVE DATE]
1. When you need a DPA
If your use of Schreibly involves processing personal data of EU/EEA, UK, or Swiss data subjects on behalf of your organisation, GDPR (or the equivalent UK/Swiss law) requires a written data-processing agreement between you (the controller) and us (the processor).
2. Who acts in which capacity
- For account, billing, and security data we collect about you as our customer, we act as the controller. See the Privacy Policy.
- For text submitted through the Service by your end users, where you are the entity deciding why and how the data is processed, we act as your processor. This DPA governs that relationship.
3. Sub-processors
We use third-party processors to operate the Service, including AI provider(s) for text analysis, payment processing via Paddle, and hosting. A current list of sub-processors is published at /legal/subprocessors. We will notify customers of material changes to that list per the notice period stated in the signable DPA.
4. International transfers
Where personal data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms, together with the supplementary measures described in the signable DPA.
5. Security
We apply the technical and organisational measures described in the signable DPA, covering encryption in transit, access controls, logging, vulnerability management, and incident response.
6. Personal-data breach notification
If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and provide the information required for you to meet your own notification obligations.
7. Data-subject rights
We will assist you in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) as required by applicable law.
8. Term and end of processing
This DPA applies for as long as we process personal data on your behalf. On termination, we will delete or return personal data per the signable DPA, subject to retention required by law.
9. Sign the DPA
Email [DPA CONTACT EMAIL] to request the signable version of this DPA, including SCCs and the technical-and-organisational-measures schedule. The current version is available here:
Download DPA (PDF — placeholder, coming soon)
10. Contact
[COMPANY LEGAL NAME], [REGISTERED ADDRESS], [COUNTRY]
Email: [DPA CONTACT EMAIL]
See also: Privacy Policy and Subprocessors.