Version: dpa_v1_0
Last updated: [DATE]

Data Processing Addendum (DPA)

Effective Date: January 25, 2026

Parties:

(1) Customer ("Customer," "Controller" or "Business")

(2) Redactory ("Provider," "Processor" or "Service Provider")

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement governing Customer's use of the Service ("Agreement"). If there is a conflict between the DPA and the Agreement regarding processing of Personal Data, this DPA controls.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws.
  • "Processing" has the meaning given under applicable Data Protection Laws.
  • "Data Protection Laws" means laws applicable to processing Personal Data under the Agreement (e.g., GDPR/UK GDPR, CCPA/CPRA, and other relevant privacy laws).

2. Roles of the Parties

  • Customer is the Controller (or Business) of Personal Data included in Customer Content and account data.
  • Provider is the Processor (or Service Provider) and processes Personal Data on Customer's behalf to provide the Service.

3. Scope, Purpose, and Instructions

Provider will process Personal Data only:

  • to provide and secure the Service;
  • as documented in the Agreement, this DPA, and any written instructions Customer provides consistent with the Agreement; and
  • as required by law (in which case Provider will notify Customer unless prohibited).

Provider will not "sell" or "share" Personal Data and will process Personal Data only for the limited and specified purposes set out in this DPA.

4. Details of Processing (Annex 1)

  • Subject matter: Provision of redaction verification and permanent redaction services.
  • Duration: For the term of the Agreement, plus limited retention as described in the Privacy Policy and this DPA.
  • Nature and purpose: Hosting, processing, analyzing, redacting, delivering output files, maintaining security, preventing fraud, providing support.
  • Categories of data subjects: Customer's end users and individuals whose data may appear in Customer Content.
  • Categories of Personal Data:
    • Account data (email, identifiers)
    • Usage metadata (timestamps, job states, device/browser data)
    • Security/fraud data (IP hash/partial, auth events)
    • Customer Content may contain Personal Data (potentially sensitive data depending on Customer usage)
  • Special categories: Customer Content may include sensitive data; Customer controls what is uploaded.

5. Provider Personnel and Confidentiality

Provider will ensure persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training.

6. Security Measures

Provider will implement appropriate technical and organizational measures designed to protect Personal Data, including:

  • encryption in transit (TLS)
  • access controls and least privilege
  • logical separation of environments
  • monitoring and logging designed to avoid content exposure
  • vulnerability management and patching processes

7. Subprocessors

Customer authorizes Provider to engage subprocessors to provide the Service (e.g., hosting, storage, database, payments). Provider will:

  • maintain a list of subprocessors or make it available upon request; and
  • ensure subprocessors are bound by obligations no less protective than this DPA.

Subprocessor notice: Provider will provide reasonable notice of material changes to subprocessors, and Customer may object on reasonable grounds (e.g., documented security concerns). If the parties cannot resolve the objection, Customer may terminate the affected Service.

8. Assistance to Customer

Provider will provide reasonable assistance to Customer with:

  • responding to data subject requests (access/deletion/correction) to the extent applicable and feasible;
  • security and privacy inquiries relevant to the Service; and
  • reasonable information needed for Customer's compliance obligations relating to Provider's processing.

9. Personal Data Breach Notification

Provider will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably necessary for Customer to meet its breach reporting obligations.

10. Deletion or Return of Personal Data

Upon termination of the Service, Provider will delete Customer Personal Data in accordance with the Agreement, subject to:

  • limited retention for legal compliance, dispute resolution, and security/fraud prevention; and
  • technical constraints of backups, which will be overwritten on a rolling basis.

Customer Content is processed with non-retention by default (temporary storage only), consistent with Service settings.

11. Audits

Upon reasonable request, Provider will make available information necessary to demonstrate compliance with this DPA. If a formal audit is required:

  • it will be limited to once annually, during normal business hours, with reasonable notice;
  • it will be conducted by an independent auditor bound by confidentiality; and
  • it will be limited to information relevant to the Service and Customer's use.

Provider may satisfy audit requests via third-party reports, security documentation, or written responses where appropriate.

12. Cross-Border Transfers

Where Data Protection Laws require a transfer mechanism for Personal Data transferred internationally, the parties will implement appropriate safeguards (e.g., Standard Contractual Clauses (SCCs)).

Optional SCC module: [Insert if Provider processes EU/UK data and transfers outside the EEA/UK.]

13. CCPA/CPRA Service Provider Terms (If Applicable)

Where Provider acts as a "Service Provider" under CCPA/CPRA, Provider:

  • processes Personal Information only for the business purposes specified in the Agreement and this DPA;
  • will not sell or share Personal Information;
  • will not retain, use, or disclose Personal Information for any purpose other than providing the Service and related business purposes permitted by CCPA/CPRA;
  • will implement reasonable security procedures; and
  • will notify Customer if Provider determines it can no longer meet its obligations.

14. Liability

Liability under this DPA is subject to the limitations of liability set forth in the Agreement, unless prohibited by applicable law.

15. Order of Precedence

In the event of conflict, the order of precedence is:

  1. SCCs (if executed)
  2. This DPA
  3. The Agreement (including Terms of Service)

16. Signatures

This DPA applies and becomes effective upon Customer's use of the Services involving the Processing of Personal Data.


Annex 2: Processing Instructions and Security Summary

Customer instructions are limited to using the Service features as configured by Customer. Provider will process Customer Content to perform verification/redaction and deliver outputs, then delete files by default per the Service's deletion policies.