Data Processing Addendum

Last updated: {Effective Date}

Template — replace bracketed placeholders before publishing. Not legal advice.

1. Roles

For personal data processed on your behalf, you are the Controller (or Business under CCPA) and {Company Legal Name} is the Processor (Service Provider). This DPA is incorporated into the Terms of Service.

2. Subject matter

Nature and purpose: providing the Service.
Duration: for the term of your subscription plus the retention windows below.
Categories of data subjects: your end users and personnel.
Categories of personal data: account identifiers, email, profile fields you provide, request logs.

3. Processor obligations

  • Process personal data only on documented instructions from you.
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see Annex).
  • Engage sub-processors only per Section 5.
  • Assist you with data subject requests and DPIAs.
  • Notify you of a personal data breach without undue delay and at most within {72} hours of awareness.
  • Delete or return personal data at end of provision, subject to legal retention.

4. International transfers

Where personal data is transferred outside the EEA/UK/Switzerland, the parties rely on the EU Standard Contractual Clauses (Module 2) and the UK IDTA / Addendum as applicable, incorporated by reference.

5. Sub-processors

You authorise the sub-processors listed at /legal/subprocessors. We will give at least {30} days' notice before adding a sub-processor; you may object on reasonable grounds.

6. Security measures (Annex II)

  • Encryption in transit (TLS 1.2+) and at rest.
  • Role-based access, least privilege, MFA for administrators.
  • Row-Level Security on all customer data tables.
  • Secret management via managed KMS; no plaintext secrets in code.
  • Logged and monitored access to production systems.
  • Regular backups; documented restore procedure.
  • Vendor security review before onboarding sub-processors.

7. Audit

Once per year, and on a personal-data-breach notification, you may request written responses to a security questionnaire and copies of third-party audit reports we hold. On-site audits take place by written agreement, at your cost.

8. Signing

To countersign, email {privacy@example.com} with your legal entity name and contact.