Skip to content

Legal

Data Processing Addendum

How Writence processes personal data on behalf of business customers under applicable data-protection law.

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and Writence (“Processor”) and applies where we process personal data on the customer’s behalf.

1. Definitions

Terms such as “personal data,” “processing,” “controller,” “processor,” and “data subject” have the meanings given in applicable data-protection law (for example, the GDPR). “Customer Data” means personal data we process on the Controller’s behalf.

2. Roles of the parties

The Controller determines the purposes and means of processing Customer Data. The Processor processes Customer Data only on the Controller’s documented instructions, including as set out in the agreement and this DPA.

3. Scope and purpose of processing

We process Customer Data to provide the Service: storing and editing documents, generating AI suggestions you request, and producing authorship records where the Controller’s users opt in. The subject matter is the writing software; the duration is the term of the agreement; the categories of data subjects are the Controller’s authorized users.

4. Subprocessors

The Controller authorizes us to engage subprocessors to help deliver the Service. We maintain a current list of subprocessor categories and regions at /subprocessors, impose data-protection obligations on them consistent with this DPA, and remain responsible for their performance. We’ll give notice of material changes so the Controller can object.

5. Security measures

We maintain technical and organizational measures appropriate to the risk, including:

  • Encryption of Customer Data in transit and at rest.
  • Access controls and least-privilege practices.
  • Separation and access control for cryptographic signing keys.
  • Logging, monitoring, and regular review of security practices.

6. Confidentiality

Personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.

7. Data-subject requests

Taking into account the nature of the processing, we assist the Controller with appropriate measures to respond to data-subject requests (access, correction, deletion, portability, restriction, and objection), and provide self-service export and deletion tools where feasible.

8. Personal-data breaches

We notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, and provide information reasonably available to help the Controller meet its own notification obligations.

9. International transfers

Where we transfer Customer Data across borders, we use a lawful transfer mechanism, such as standard contractual clauses, together with supplementary measures where appropriate.

10. Return and deletion

On termination, we delete or return Customer Data in accordance with the agreement, except where retention is required by law or for the integrity of opted-in authorship records.

11. Audits

We make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits in line with the agreement, subject to reasonable confidentiality and security conditions.

12. Contact

For data-protection matters, contact privacy@writence.com.

This is a template for the marketing site; the binding DPA is executed with business customers and governed by the product app.