Data Processing Agreement

Last updated

Preamble

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Master Subscription Agreement, Terms of Service, Order Form, or other written agreement (the "Agreement") between Writesonic, Inc. ("Writesonic", "Processor") and the customer identified in the Agreement ("Customer", "Controller"). Each is a "Party" and together the "Parties".

This DPA governs Writesonic's processing of Personal Data on behalf of Customer in connection with the Services. The Services are defined in the Agreement and cover all products and websites operated by Writesonic, Inc., including the Writesonic AI Search Visibility Platform and any other Writesonic products and domains.

In the event of any conflict, inconsistency, or discrepancy between this DPA and the Agreement with respect to data protection, privacy, or processing of Personal Data, the terms of this DPA will prevail to the extent of such conflict.

Customer agrees to this DPA for itself and, where applicable under Applicable Data Protection Law, as agent for and on behalf of its Authorized Affiliates that use the Services under the Agreement. A signed counterpart of this DPA is available on request to [email protected].

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

(a) "Affiliate" has the meaning given in the Agreement.

(b) "Applicable Data Protection Law" means all data-protection and privacy laws applicable to a Party's processing of Personal Data under the Agreement, including:

  • the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and EU Member-State laws supplementing it;
  • the UK General Data Protection Regulation as defined in the UK Data Protection Act 2018 ("UK GDPR") and the Data Protection Act 2018;
  • the Swiss Federal Act on Data Protection ("FADP");
  • the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and
  • other comprehensive U.S. state privacy laws, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, New Hampshire, Delaware, New Jersey, Minnesota, Maryland, and any other in force during the Term.

(c) "Authorized Affiliate" means an Affiliate of Customer that is permitted to use the Services under the Agreement and on whose behalf Customer enters into this DPA.

(d) "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Special Categories of Personal Data", and "Supervisory Authority" have the meanings given in the EU GDPR (or, where applicable, the UK GDPR or FADP). For the CCPA/CPRA, "Business", "Service Provider", "Sale", "Share", "Personal Information", and "Sensitive Personal Information" have the meanings given in the CCPA/CPRA. References in this DPA to "Personal Data" include "Personal Information" where the CCPA/CPRA applies, and references to "Controller" and "Processor" include "Business" and "Service Provider" respectively.

(e) "Customer Personal Data" means Personal Data contained in Customer Data that Writesonic processes on Customer's behalf in providing the Services.

(f) "Data Protection Impact Assessment" or "DPIA" has the meaning given in Article 35 EU GDPR.

(g) "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Writesonic or its Sub-processors. It does not include unsuccessful attempts that do not compromise the security of Customer Personal Data (for example, pings, port scans, denied login attempts, or malware blocked at the perimeter).

(h) "Restricted Transfer" means any of:

  • a transfer of Personal Data from the EEA to a country not subject to an adequacy decision of the European Commission;
  • a transfer of Personal Data from the United Kingdom to a country not subject to UK adequacy regulations under section 17A of the UK Data Protection Act 2018; or
  • a transfer of Personal Data from Switzerland to a country not on the FDPIC's list of countries with an adequate level of data protection.

(i) "Standard Contractual Clauses" or "SCCs" means:

  • for transfers from the EEA, the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 ("EU SCCs");
  • for transfers from the United Kingdom, the International Data Transfer Addendum to the EU SCCs issued by the UK ICO under section 119A of the UK Data Protection Act 2018 ("UK Addendum"); and
  • for transfers from Switzerland, the EU SCCs as adapted in accordance with the FDPIC's guidance.

In each case, as may be amended, replaced, superseded, or updated from time to time.

(j) "Sub-processor" means any third party engaged by Writesonic (or its Affiliate) that processes Customer Personal Data in connection with the Services.

(k) "Services" has the meaning given in the Agreement.

2. Scope and Roles

2.1 Subject Matter

This DPA applies to Writesonic's processing of Customer Personal Data carried out on Customer's behalf in providing the Services. The details of the processing are set out in Schedule 1 (Details of Processing).

2.2 Roles

For Customer Personal Data, Customer acts as Controller (or, where Customer is itself a processor for an upstream controller, as Processor with Writesonic as Sub-processor), and Writesonic acts as Processor. For the CCPA/CPRA, Writesonic acts as Service Provider with respect to Customer Personal Data.

2.3 Each Party's Compliance

Each Party will comply with its respective obligations under Applicable Data Protection Law. Customer is responsible for the lawfulness of its processing instructions and the means by which it acquired Personal Data.

3. Customer Instructions and Responsibilities

3.1 Documented Instructions

The Agreement (including this DPA), Customer's use of the Services through the Services' configuration and APIs, and any further written instructions mutually agreed by the Parties constitute Customer's complete instructions. Any other instructions require prior agreement between the Parties, including agreement on additional fees.

3.2 Lawfulness of Instructions

Customer represents and warrants that (a) it has the legal basis under Applicable Data Protection Law to provide Customer Personal Data to Writesonic and to instruct Writesonic to process it as described, (b) it has provided all required notices and obtained all required consents, and (c) the instructions, if followed, do not violate Applicable Data Protection Law.

3.3 Notice of Conflict

If Writesonic believes that an instruction violates Applicable Data Protection Law, Writesonic will, to the extent permitted by law, inform Customer without undue delay.

3.4 CCPA/CPRA Service-Provider Commitments

For Customer Personal Data subject to the CCPA/CPRA, Writesonic:

(a) will not Sell or Share Customer Personal Data;

(b) will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the Business Purposes set out in the Agreement and this DPA, except as permitted by the CCPA/CPRA;

(c) will not combine Customer Personal Data with personal information received from or on behalf of any other person, except as permitted by §7050(b) of the CCPA/CPRA regulations;

(d) certifies its understanding of and compliance with the restrictions in this DPA; and

(e) grants Customer the rights specified in §1798.100(d), including reasonable steps to ensure Sub-processors use Personal Information consistent with these restrictions.

4. Confidentiality of Personnel

Writesonic will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether by contract or statutory duty), and will limit access to Customer Personal Data to personnel who need it to perform their duties.

5. Security

Writesonic will implement and maintain the technical and organizational measures set out in Schedule 2 (Technical and Organizational Measures) to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

Customer acknowledges that the Services are designed to be configured and used in a manner that supports the security of Customer Personal Data. Customer is responsible for (a) configuring the Services in line with its security and compliance requirements, (b) protecting access credentials, and (c) the secure use of the Services.

Writesonic may update or modify the measures described in Schedule 2 from time to time to reflect changes in technology, industry practices, or the nature of the Services, provided that such changes do not materially reduce the overall security protections afforded to Customer Personal Data.

6. Personal Data Breach

6.1 Notification

Writesonic will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

6.2 Information Provided

The notification will, to the extent then known, describe (a) the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and records concerned, (b) the likely consequences, (c) the measures taken or proposed to address it and to mitigate adverse effects, and (d) the contact for further information. Writesonic will provide periodical updates as the investigation progresses.

6.3 Cooperation

Writesonic will provide Customer with reasonable assistance, taking into account the nature of the processing, the information available to Writesonic, and the costs of implementation, to help Customer comply with its notification obligations to Supervisory Authorities and Data Subjects under Applicable Data Protection Law.

6.4 Not a Concession

Notification of a Personal Data Breach under this DPA is provided for informational and compliance purposes only and will not be construed as an admission or acknowledgment by Writesonic of any fault, liability, wrongdoing, or failure to comply with Applicable Data Protection Law or its obligations under the Agreement or this DPA.

7. Assistance to Customer

7.1 Data Subject Requests

Taking into account the nature of the processing, Writesonic will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to Data Subject requests under Applicable Data Protection Law (for example, access, rectification, erasure, restriction, portability, or objection). Where the Services include self-service mechanisms (for example, user data export and deletion), Customer's use of those mechanisms will be deemed sufficient assistance.

If Writesonic receives a Data Subject request directly, Writesonic will promptly forward it to Customer and will not respond, except to direct the Data Subject to Customer or as legally required.

7.2 DPIAs and Prior Consultation

Writesonic will, on Customer's request and at Customer's expense for non-routine assistance, provide reasonable cooperation in support of Customer's DPIAs and prior consultations with Supervisory Authorities under Articles 35 and 36 of the EU GDPR (or equivalent provisions of UK GDPR or FADP), to the extent the relevant information is available to Writesonic and is not otherwise reasonably available to Customer.

7.3 Regulatory Inquiries

Writesonic will provide reasonable assistance to Customer in responding to inquiries or investigations by Supervisory Authorities to the extent they relate to Writesonic's processing of Customer Personal Data.

8. Sub-processors

8.1 General Authorization

Customer provides general written authorization for Writesonic to engage Sub-processors to process Customer Personal Data, subject to this Section.

8.2 Current Sub-processors

The list of Sub-processors used to provide the Services as of the effective date of this DPA is set out in Schedule 3 (Sub-processors).

8.3 New or Replacement Sub-processors

Writesonic will notify Customer of any new or replacement Sub-processor at least 30 days before the new Sub-processor begins processing Customer Personal Data. Notification may be by update to Schedule 3, by email to the account owner, or by an equivalent in-product or subscription-based mechanism.

8.4 Right to Object

Customer may object to a new Sub-processor in writing within 15 days of notification, on reasonable data-protection grounds. The Parties will work in good faith to address the objection, including by Writesonic offering a commercially reasonable alternative configuration. If no resolution is reached within 30 days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services for cause and receive a pro-rata refund of pre-paid, unused fees for that affected portion.

8.5 Sub-processor Obligations

Writesonic will impose contractual data protection obligations on its Sub-processors that are materially consistent with the applicable data protection obligations set out in this DPA, to the extent relevant to the services performed by such Sub-processors. Writesonic will remain responsible for the acts and omissions of its Sub-processors to the extent required under Applicable Data Protection Law.

9. International Transfers

9.1 Transfer Mechanism

Where Customer's use of the Services involves a Restricted Transfer of Customer Personal Data, the Parties agree that:

(a) for transfers from the EEA, the EU SCCs Module Two (Controller-to-Processor) are deemed entered into and incorporated by reference, with the elections and additional terms set out in Schedule 4 (EU SCCs);

(b) for transfers from the United Kingdom, the UK Addendum is deemed entered into and incorporated by reference, with the elections set out in Schedule 5 (UK Addendum); and

(c) for transfers from Switzerland, the EU SCCs apply as adapted in accordance with the FDPIC's guidance.

Where Customer is itself a processor on behalf of an upstream controller, the Parties will use EU SCCs Module Three (Processor-to-Sub-processor) instead of Module Two, and Schedule 4 will be read accordingly.

Any amendment, replacement, superseding version, successor framework, or officially approved equivalent of the SCCs, UK Addendum, FDPIC guidance, or related transfer mechanism issued by a competent authority shall automatically apply to this DPA from the date such mechanism becomes effective, without requiring any further action by the Parties, to the extent necessary to ensure continued lawful transfers of Personal Data under Applicable Data Protection Law.

9.2 Transfer Impact Assessment

Writesonic has performed and will maintain a Transfer Impact Assessment for transfers to the United States and other relevant jurisdictions, taking into account the Schrems II decision and EDPB guidance. A summary is available on request to enterprise customers subject to the execution of an appropriate non-disclosure agreement.

9.3 Adequacy

If a new adequacy decision applies to Customer Personal Data transferred under the Services, the transfer may rely on that adequacy decision in lieu of, or in addition to, the SCCs.

10. Return or Deletion of Customer Personal Data

On termination or expiration of the Agreement, Writesonic will, at Customer's choice (specified in writing within 30 days of termination), return or delete all Customer Personal Data, except to the extent Writesonic is required by applicable law to retain some or all of it. Where law requires retention, Writesonic will continue to protect that Customer Personal Data in accordance with this DPA.

Writesonic will complete the return or deletion within 30 days of Customer's instruction, or, if no instruction is given, within 30 days after termination. Writesonic will certify the deletion in writing on request. Backups containing Customer Personal Data are overwritten in the ordinary course of operations and are not used to restore Customer Personal Data after deletion.

If return of Customer Personal Data is not technically feasible or commercially reasonable, Writesonic may instead securely delete such Customer Personal Data in accordance with its standard deletion practices.

11. Audits

11.1 Audit Rights

Writesonic will make available to Customer the information necessary to demonstrate compliance with this DPA, including by providing:

(a) Writesonic's most recent SOC 2 Type 2 report;

(b) Writesonic's penetration-test summary; and

(c) other information from Writesonic's trust center at writesonic.trust.site.

11.2 On-site Audits

If the documents in §11.1 are not sufficient to demonstrate compliance and Customer is required by Applicable Data Protection Law (for example, as a controller subject to Article 28(3)(h) EU GDPR) to conduct further audits, Customer may, no more than once per 12 months, conduct an audit of Writesonic's compliance with this DPA, subject to the following:

(a) Customer must give at least 30 days' written notice and a proposed audit plan, and the scope, timing, duration, and manner of the audit must be mutually agreed by the Parties in advance;

(b) the audit will be conducted during normal business hours, in a manner that does not unreasonably disrupt the Services or other customers;

(c) the audit must be conducted by an independent third-party auditor reasonably acceptable to Writesonic and bound by confidentiality obligations;

(d) Customer will treat the results as Writesonic's Confidential Information; and

(e) Customer will bear the costs of the audit, except where the audit reveals a material breach of this DPA, in which case Writesonic will reimburse Customer's reasonable, documented audit costs.

A Supervisory Authority may exercise its statutory audit rights without being subject to §11.2.

12. AI Processing of Customer Personal Data

12.1 No Training on Customer Data

Writesonic does not use Customer Personal Data to train or fine-tune any general-purpose, foundation, or large-language model offered by Writesonic or by any Model Provider. This commitment applies to all Customer Personal Data submitted under the Agreement, including data submitted under any free trial or free tier.

12.2 Model Providers as Sub-processors

Writesonic uses Model Providers as Sub-processors for AI Features. The current Model Providers and the data-handling configurations Writesonic uses with each are described in our Privacy Policy §4.2 and listed in Schedule 3 of this DPA. Where commercially available, Writesonic configures Model Provider services in enterprise or zero-data-retention mode so that Customer Personal Data submitted as Inputs is not retained by the Model Provider beyond the immediate request and is not used for Model-Provider model improvement.

12.3 Aggregated and De-identified Data

Writesonic may use de-identified Inputs, Outputs, and Usage Data that do not identify Customer or any individual and that meet the standard for de-identification under Applicable Data Protection Law, to operate, secure, debug, evaluate, and improve the Services. Writesonic will not attempt to re-identify de-identified data.

12.4 Customer's Responsibility for Inputs

Customer is responsible for ensuring that its instructions to Writesonic regarding Inputs comply with Applicable Data Protection Law, including that Customer has a lawful basis to process the Inputs (for example, consent, contract, or legitimate interest), provides any required notices to Data Subjects (for example, notice of automated decision-making where relevant), and limits Inputs to what is necessary for the Customer's purpose.

13. Term

This DPA is effective on Customer's first acceptance of the Agreement and continues until termination or expiration of the Agreement. Provisions that by their nature should survive termination, including §6, §10, §11, §12.3, and §15, survive.

14. Authorized Affiliates

Customer enters into this DPA on behalf of itself and, to the extent required by Applicable Data Protection Law, in the name and on behalf of its Authorized Affiliates. Customer is responsible for the acts and omissions of its Authorized Affiliates and is the sole point of contact for Writesonic. Authorized Affiliates do not have direct rights or causes of action against Writesonic under this DPA except as expressly provided.

15. Liability

Each Party's liability arising out of or relating to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. The aggregate liability of each Party under the Agreement and this DPA combined will not exceed the cap stated in the Agreement.

16. General

16.1 Order of Precedence

In the event of conflict on a data-protection matter, the following order of precedence applies: (1) the SCCs and UK Addendum (where they apply), (2) this DPA, (3) the rest of the Agreement.

16.2 Governing Law

This DPA is governed by the law of the Agreement, except that the SCCs and UK Addendum are governed by the law specified in Schedule 4 and Schedule 5 respectively.

16.3 Severability

If any provision of this DPA is held invalid or unenforceable, the rest remain in effect. The Parties will negotiate in good faith to replace the invalid provision with a valid provision that achieves the same intent.

16.4 Counterparts and Signature

This DPA is incorporated into the Agreement on Customer's acceptance of the Agreement. A signed counterpart is available on request from [email protected].


Schedule 1. Details of Processing

Item | Details
Subject matter | Provision of the Writesonic AI Search Visibility Platform and other Writesonic Services to Customer
Duration | The Term of the Agreement, plus the period from termination or expiration until deletion of all Customer Personal Data per §10
Nature and purpose | Hosting, storing, transmitting, processing, and analyzing Customer Personal Data to provide the Services, including AI Features, analytics, content generation, and integrations as configured by Customer
Categories of Data Subjects | (a) Customer's Authorized Users; (b) individuals identified or referenced in Inputs that Customer or its Authorized Users submit (for example, employees, customers, prospects, brand mentions, social-media authors); (c) end-users whose interactions with Customer are routed through agents Customer configures using the Services
Categories of Personal Data | (a) Authorized User account data, including name, email, role, IP, login activity; (b) free-text content in Inputs and Outputs that may include personal data depending on Customer's configuration (for example, prospect names, customer queries, employee names); (c) tracked URL and content metadata; (d) integration metadata and OAuth tokens
Special categories of Personal Data | None expected. Customer should not submit Special Categories of Personal Data through the Services unless agreed in writing with Writesonic.
Frequency of processing | Continuous
Recipients | Writesonic personnel; Sub-processors listed in Schedule 3; Customer-authorized integrations
Retention | While Customer's account is active, then per §10 of this DPA

Schedule 2. Technical and Organizational Measures

Writesonic implements and maintains the technical and organizational measures described below. The current state of measures, including certifications and audit reports, is published at writesonic.trust.site and incorporated by reference.

Domain | Measures
Hosting | Microsoft Azure (primary); Amazon Web Services for select workloads. Hosting region(s) configurable by enterprise contract.
Encryption in transit | TLS 1.2 or higher for all customer-facing endpoints.
Encryption at rest | AES-256 for data at rest in primary data stores.
Access control | Role-based access; least privilege; SSO and MFA for employee access to production; periodic access reviews.
Authentication | SSO and SAML support for enterprise customers; password and MFA for self-serve customers.
Network security | Segmented production network; cloud-native firewalls and security groups; DDoS protection at the cloud layer.
Logging and monitoring | Centralized application, security, and access logs; security-event monitoring; tamper-evident audit logs.
Vulnerability management | Regular vulnerability scanning of code and infrastructure; periodic third-party penetration tests; documented remediation timeframes.
Secure SDLC | Code review; automated security testing in CI; dependency scanning; secret-scanning.
Endpoint security | Managed devices; disk encryption; endpoint detection and response; centrally managed patching.
Personnel security | Background checks where permitted by law; security training on hire and annually; confidentiality obligations.
Vendor risk | Sub-processor risk reviews; contractual flow-down of data-protection obligations.
Business continuity | Documented incident-response plan; backup procedures; disaster-recovery testing.
Resilience | Multi-zone production deployment; documented RTO and RPO targets for enterprise plans.
Data minimization | Least-data-collected approach; field-level data classification.
Pseudonymization and de-identification | Applied to internal analytics and any model-improvement data.
Compliance certifications | SOC 2 Type 2.

Schedule 3. Sub-processors

The following Sub-processors may process Customer Personal Data to support the Services. Writesonic notifies Customers of new or replacement Sub-processors in line with §8.3 of this DPA. Whether a particular Sub-processor processes Customer Personal Data for a given Customer depends on the Services and features that Customer uses.

Cloud hosting and infrastructure

Vendor | Purpose | Region
Microsoft Azure | Primary cloud hosting, storage, networking, compute | United States
Amazon Web Services | Hosting for select workloads, custom-model inference, and storage | United States
Vercel | Frontend application hosting and edge delivery | United States
Porter | Backend application hosting and orchestration | United States
Cloudflare | DNS, CDN, edge security, and DDoS protection | United States
Supabase | Application database for Bansi.ai workloads | United States
MongoDB (via Microsoft Azure Marketplace) | Document database for Customer Data | United States
ClickHouse (via Microsoft Azure Marketplace) | Analytics and event-data store | United States

AI Model Providers

The Model Providers used to deliver AI Features, the data-handling commitments of each provider, and the configurations Writesonic applies are described in our Privacy Policy §4.2.

Vendor | Purpose | Region
OpenAI | Foundation-model inference (direct API) | United States
Anthropic | Foundation-model inference (direct API) | United States
Microsoft Azure OpenAI Service | Foundation-model inference | United States
Microsoft Azure (Microsoft Foundry) for Anthropic models | Foundation-model inference | United States
OpenRouter | Model-routing aggregator | United States
Cohere | Foundation-model inference for select workloads | United States
Google Cloud Platform | Foundation-model inference and select infrastructure | United States
Custom models hosted by Writesonic on Microsoft Azure or Amazon Web Services | Inference under tenant-isolated deployments | United States

Specialized AI services

Vendor | Purpose | Region
Stability AI | Image generation | United States
ElevenLabs | Voice and audio generation | United States

Transactional email

Vendor | Purpose | Region
SendGrid | Transactional email (account, billing, security, product) | United States
Postmark | Transactional email (account, billing, security, product) | United States
Brevo (Sendinblue) | Transactional email and lifecycle messaging | United States
Resend | Transactional email | United States

Authentication and identity

Vendor | Purpose | Region
WorkOS | SSO, SAML, and enterprise identity | United States

Billing and payments

Vendor | Purpose | Region
Stripe | Subscription billing, invoicing, and payment processing | United States
Chargebee | Subscription management and invoicing | United States
Churnkey | Subscription cancellation and retention workflows | United States
PayPal | Payment processing for select self-serve plans | United States

Full card data and payment-account credentials are held by the relevant payment processor; Writesonic does not store full card numbers or PayPal account credentials.

Product analytics

Vendor | Purpose | Region
Mixpanel | In-product event analytics and usage telemetry | United States
Google Analytics | Website traffic and marketing analytics | United States

CRM and sales

Vendor | Purpose | Region
HubSpot | Customer-record management, lifecycle marketing, support intake | United States
Apollo | Account-research and sales-data tooling | United States

Customer support tooling

Vendor | Purpose | Region
Pylon | Helpdesk and customer-support ticketing | United States
Intercom | Customer messaging and helpdesk | United States
HelpScout | Helpdesk and ticketing | United States
Linear | Support-issue ticketing and tracking | United States

Error monitoring and observability

Vendor | Purpose | Region
Sentry | Application-error and crash-report capture | United States
Datadog | Application performance monitoring and observability | United States

Search and vector storage

Vendor | Purpose | Region
Pinecone | Vector storage and retrieval for AI Features | United States
Turbopuffer | Vector storage and retrieval for AI Features | United States

Anti-fraud and abuse prevention

Vendor | Purpose | Region
FingerprintJS Pro | Device-identifier signals for fraud and abuse prevention | United States

Code repository and developer infrastructure

Vendor | Purpose | Region
GitHub | Source-code hosting and developer collaboration; may incidentally process Customer Data attached to support tickets or issue reports | United States

Internal collaboration and operations tooling

Vendor | Purpose | Region
Slack | Internal team communication and collaboration | United States
Google Workspace | Business email and internal team collaboration | United States
Retool | Internal operations and support tooling | United States

Schedule 4. EU Standard Contractual Clauses (Module 2 and Module 3)

Where the EU SCCs apply under §9 of this DPA, the Parties agree as follows.

SCC reference | Election
Module | Module Two (Controller-to-Processor) where Customer is Controller. Module Three (Processor-to-Sub-processor) where Customer is itself a Processor for an upstream Controller.
Clause 7 (Docking) | Optional. Not used.
Clause 9(a) (Sub-processor authorization) | Option 2 (general written authorization), with notification period of 30 days as set out in §8.3 of this DPA.
Clause 11(a) (Optional language) | Not included.
Clause 17 (Governing law) | The law of the EU Member State in which the data exporter is established. Where that law does not allow for third-party beneficiary rights, the law of the Netherlands.
Clause 18 (Forum and jurisdiction) | The courts of the EU Member State referenced in Clause 17.
Annex I.A (Parties) | Customer is "Data Exporter"; Writesonic is "Data Importer". Contact details from the Agreement.
Annex I.B (Description of transfer) | As set out in Schedule 1 (Details of Processing).
Annex I.C (Competent Supervisory Authority) | Determined per Clause 13 (the supervisory authority of the EEA Member State in which Customer is established or has appointed its EU representative; otherwise the supervisory authority of the Member State in which the Data Subjects are located).
Annex II (Technical and organizational measures) | As set out in Schedule 2.
Annex III (Sub-processors) | As set out in Schedule 3.

Schedule 5. UK International Data Transfer Addendum

Where the UK Addendum applies under §9, the Parties agree as follows. Capitalized terms have the meanings given in the UK Addendum.

Reference | Election
Table 1 (Parties) | Customer (Exporter) and Writesonic (Importer) per Schedule 4 Annex I.A.
Table 2 (Selected SCCs, modules, and clauses) | The EU SCCs as elected in Schedule 4.
Table 3 (Appendix Information) | As set out in Schedule 1 (Annex I.B), Schedule 2 (Annex II), and Schedule 3 (Annex III).
Table 4 (Ending the Addendum when the Approved Addendum changes) | Neither Party may end the Addendum on this basis.

Schedule 6. CCPA/CPRA Service Provider Addendum

For Customer Personal Data subject to the CCPA/CPRA, Writesonic acts as Service Provider under §1798.140(ag) and complies with §1798.100(d).

(a) Writesonic will (i) process Customer Personal Data only for the Business Purposes specified in the Agreement and this DPA, (ii) not Sell or Share Customer Personal Data, (iii) not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the Business Purposes, except as permitted by the CCPA/CPRA, and (iv) not combine Customer Personal Data with personal information from any other source, except as permitted by §7050(b) of the CCPA regulations.

(b) Writesonic will provide the same level of privacy protection as required of a Business under the CCPA/CPRA.

(c) Customer may take reasonable and appropriate steps under §1798.100(d)(3) to ensure that Writesonic uses Customer Personal Data in a manner consistent with the CCPA/CPRA. Writesonic will, on reasonable written notice, make available the information described in §11.1 of this DPA for that purpose.

(d) Writesonic will notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA/CPRA. Customer may take reasonable and appropriate steps to stop and remediate Writesonic's unauthorized use of Customer Personal Data.

(e) On Customer's instruction, Writesonic will assist Customer in responding to Verifiable Consumer Requests as set out in §7 of this DPA.

(f) Writesonic certifies its understanding of and compliance with the restrictions in this Schedule.

Contact

For questions about this DPA or to request a signed counterpart, contact [email protected].