Data Processing Addendum (DPA)

Last updated: 2026-06-07 — Version 1.0

Who this is for. This DPA is for business customers ("Controllers") who use the Service to process personal data subject to GDPR, UK GDPR, LGPD, or similar laws. Free-tier and individual users do not need to execute this DPA — your usage is governed by the Terms and Privacy Policy.

How to execute. This DPA is automatically incorporated into your Master Services Agreement / Terms when you click-accept on a Business or Enterprise tier. For a counter-signed copy on your company letterhead, email [email protected].

1. Parties & definitions

This Data Processing Addendum ("DPA") is entered into between you ("Customer" or "Controller") and the operator of deepaidetector.com ("Processor", "we") and forms part of the Customer's agreement for the Service (the "Agreement"). Terms used here have the meaning given in the GDPR / UK GDPR unless otherwise defined.

  • "Personal Data" — any information relating to an identified or identifiable natural person submitted to the Service by Customer or its end users.
  • "Customer Data" — all data, including Personal Data, that Customer submits to the Service.
  • "Sub-processor" — any third party engaged by Processor to process Personal Data on Customer's behalf.
  • "SCCs" — EU Standard Contractual Clauses adopted in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" — the UK International Data Transfer Addendum to the EU SCCs (B.1.0, in force 21 March 2022).

2. Scope, roles & relationship to the Agreement

  • Customer is the Controller of Customer Data and Processor processes Customer Data on Customer's documented instructions.
  • Where Customer acts as a Processor for another controller (e.g., Customer's own client), Processor acts as a Sub-processor; the SCCs Module 3 applies for transfers in that chain.
  • This DPA applies for as long as Processor processes Customer Personal Data under the Agreement.
  • In case of conflict, this DPA controls over other provisions of the Agreement to the extent of the inconsistency on data-protection matters.

3. Processing details — Annex I

The following details satisfy Article 28(3) GDPR and the Annex I requirement of the SCCs.

  • Subject matter: Provision of the AI-text-detection service, including ML inference, result caching, reporting, and account management.
  • Duration: For the term of the Agreement plus any post-termination retention period set out in §12.
  • Nature & purpose: Storing, transmitting, analysing, hashing, and otherwise processing text submitted by Customer to produce AI-likelihood verdicts and adjacent reports.
  • Types of Personal Data: Account identifiers (email, hashed password, display name); submitted text (which may contain Personal Data chosen by Customer); detection metadata; usage logs; billing identifiers (Stripe ID).
  • Categories of data subjects: Customer's employees, agents, end users, and any person whose text Customer submits.
  • Special categories: Not intentionally processed. Customer must not submit special-category data (GDPR Art. 9) without prior written consent from Processor and a documented Art. 9 legal basis.
  • Frequency: Continuous for as long as Customer uses the Service.
  • Retention: Per Customer's plan settings (24h cache for anonymous; 7 days for free; unlimited for paid until deletion). See Privacy Policy §10.

4. Processor obligations

Processor will:

  • Process Personal Data only on Customer's documented instructions (which include the Agreement, this DPA, and Customer's dashboard configuration). If Processor is required by EU/UK/Member-State law to process Personal Data otherwise, Processor will inform Customer unless that law prohibits notice on important public-interest grounds (Art. 28(3)(a)).
  • Ensure persons authorised to process Personal Data are bound by confidentiality (Art. 28(3)(b)).
  • Implement appropriate technical and organisational measures per Annex II (Art. 32 / Art. 28(3)(c)).
  • Engage Sub-processors only per §6 (Art. 28(2) and (4)).
  • Assist Customer in responding to data-subject requests (Art. 28(3)(e)).
  • Assist Customer with Art. 32–36 obligations (security, breach, DPIA, prior consultation) taking into account the nature of processing and information available (Art. 28(3)(f)).
  • Delete or return all Personal Data at the end of the provision of services per §12 (Art. 28(3)(g)).
  • Make available all information necessary to demonstrate compliance and allow audits per §11 (Art. 28(3)(h)).
  • Notify Customer immediately if any instruction would, in Processor's opinion, infringe GDPR, UK GDPR, or other data-protection law (Art. 28(3) final paragraph).

5. Controller obligations

Customer will:

  • Establish and maintain a valid legal basis for the processing it instructs.
  • Provide notices and obtain consents required of a controller (e.g., informing data subjects whose text is being analysed).
  • Not submit special-category data (Art. 9) or law-enforcement data (LED 2016/680) without prior written agreement.
  • Use the Service in accordance with the AUP and the AI-tool disclaimer in Terms §6.
  • Promptly respond to data-subject requests received by Processor and routed to Customer.

6. Sub-processors

Customer provides general authorisation for Processor to engage Sub-processors. Current Sub-processors are listed in the Privacy Policy §8:

  • Cloudflare, Inc. — hosting, edge, CDN, database, storage, KV, Workers AI
  • Modal Labs, Inc. — ML inference
  • Stripe, Inc. / Stripe Payments Europe — payment processing
  • Resend, Inc. — transactional email

Processor will (a) notify Customer of any intended addition or replacement of Sub-processors at least 30 days in advance, via email to the account billing contact and an updated list at /legal/privacy#processors, and (b) impose obligations on Sub-processors that are no less protective than this DPA. Customer may object on reasonable data-protection grounds within 15 days; if the parties cannot resolve the objection, Customer may terminate the affected Service with a pro-rata refund of pre-paid fees.

7. International transfers

To the extent any processing of Personal Data subject to GDPR is performed outside the EEA in a country without an adequacy decision, the parties incorporate the SCCs as follows, completed by Annex I (§3) and Annex II (§8):

  • Module 2 (Controller-to-Processor) applies where Customer is a controller and Processor exports Personal Data.
  • Module 3 (Processor-to-Sub-processor) applies where Customer is itself a processor.
  • Clause 7 (docking) — not used.
  • Clause 9 (sub-processors) — Option 2 (general authorisation), 30-day notice, per §6.
  • Clause 11 (redress) — independent-dispute-resolution option not selected; data subjects retain rights under Clause 11(a).
  • Clause 17 (governing law) — law of the Republic of Ireland.
  • Clause 18 (forum) — courts of Ireland.

For UK transfers, the parties incorporate the UK Addendum (B.1.0). Table 1 parties = Customer (exporter) and Processor (importer); Table 2 = SCCs above; Table 3 = Annex I and II of this DPA; Table 4 = either party may end the addendum if the Approved Addendum changes.

For Swiss transfers, references to "GDPR" in the SCCs are read to include the Swiss FADP, and references to the EU Court of Justice are read to include the Swiss Federal Supreme Court.

8. Technical & organisational measures — Annex II

Processor implements measures appropriate to the risk, including:

  • Encryption in transit: TLS 1.3 with HSTS preload; HTTP→HTTPS automatic upgrades.
  • Encryption at rest: AES-256 (Cloudflare D1, R2, KV) and provider-managed envelope keys.
  • Pseudonymisation: SHA-256 hashing of IPs and result cache keys; passwords hashed with Argon2id.
  • Access control: single sign-on with MFA for administrative access; least-privilege IAM; signed-URL access for storage; quarterly access reviews.
  • Inter-service authentication: HMAC-signed bodies on Modal calls; rotating API keys.
  • Bot defence: Cloudflare Turnstile + edge rate limiting + IP-hash quota tracking.
  • Network: Workers run on Cloudflare's edge with WAF rules; no public-internet origin.
  • Application security: Zod validation of all external input; CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy security headers.
  • Vulnerability management: automated dependency scanning; quarterly review; high-severity patches within 7 days.
  • Logging: request logs 24h; admin audit logs 1 year; tamper-evident.
  • Backups: point-in-time recovery on D1; daily R2 snapshots; restore tested quarterly.
  • Business continuity: documented runbooks; on-call rotation; status page.
  • Personnel: background checks where lawful; confidentiality agreements; mandatory annual privacy + security training.
  • Sub-processor management: documented selection criteria; written agreements with equivalent obligations; periodic review.
  • Data minimisation: default 24h retention for submitted text; hashed IPs; no plaintext IPs.
  • Resilience: Cloudflare global edge; automatic failover; idempotent webhook handlers.
  • Incident response: defined playbook; 72-hour notification target.
  • Compliance roadmap: SOC 2 Type II planned within 12 months of GA; ISO 27001 thereafter.

9. Personal data breach

Processor will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware. Notification will include, to the extent then known: nature of the breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed, and contact point. Processor will cooperate with Customer in fulfilling any Art. 33–34 obligations Customer owes.

10. Data subject requests

Processor will (a) promptly forward to Customer any data-subject request Processor receives concerning Customer's data, (b) not respond to such requests directly except on Customer's instruction or as required by law, and (c) provide Customer with reasonable assistance — including self-service dashboard tools and a documented data-export API — to enable Customer to fulfil access, rectification, deletion, restriction, portability, and objection rights within statutory time limits.

11. Audits

Customer may verify compliance with this DPA via (a) Processor's then-current security questionnaire responses, (b) third-party audit reports (e.g., SOC 2 once available), and (c) on reasonable prior written notice (not less than 30 days, not more than once per 12 months absent a specific breach), an on-site or remote audit conducted by an independent auditor bound by confidentiality, during business hours, in a manner that does not unreasonably disrupt the Service. The parties will share audit costs as agreed in advance.

12. Return & deletion

On termination of the Agreement, Processor will, at Customer's election: (a) delete all Customer Personal Data within 30 days, or (b) return the data via a documented export and then delete it. Backups containing Personal Data are overwritten on the next backup cycle (≤30 days). Processor may retain Personal Data to the extent required by law (e.g., tax records), and any such retained data remains subject to this DPA.

13. Liability

Liability under this DPA is governed by the limitation-of-liability provisions of the Agreement (Terms §13), except where applicable law requires otherwise. Nothing in this DPA limits a data subject's third-party-beneficiary rights under the SCCs.

14. Term & termination

This DPA enters into force on the same date as the Agreement and continues until the Agreement terminates or expires. Termination of this DPA does not, on its own, terminate the Agreement.

15. Changes

We may update this DPA to reflect changes in law, sub-processors, or security measures. Material changes will be announced 30 days in advance via email to the billing contact and a banner in the dashboard. If a Customer reasonably objects on data-protection grounds, the parties will negotiate in good faith; failing agreement, Customer may terminate the affected Service with a pro-rata refund.

Contact

For DPA execution, escalations, or audits: [email protected].