Data Processing Agreement
Last updated: May 2026 (P-17 GDPR Art. 8 age floor disclosure) | Version: 3.9
0. Parties
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement, Terms of Service, or other written or electronic agreement (the "Agreement") between Talking Paper ("Processor") and the Customer identified in the Agreement ("Controller").
1. Definitions
Capitalised terms used but not defined have the meanings given in Article 4 GDPR (Regulation (EU) 2016/679) and, where applicable, the UK Data Protection Act 2018 ("UK GDPR"). "Standard Contractual Clauses" or "SCCs" means the clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor).
2. Scope, roles, and duration
2.1 Roles. The Controller is the data controller and the Processor is the data processor under Art. 4(7)–(8) GDPR.
2.2 Subject matter. Processor Processes Personal Data solely to provide the Talking Paper service to the Controller, as described in Annex I.
2.3 Duration. Effective for the term of the Agreement plus any retention period (see §10).
2.4 Governing law. The law specified in the Agreement; absent such, Polish law. EU GDPR applies regardless of governing-law choice.
3. Processor obligations (Art. 28(3) flowdown)
The Processor will: (a) Process Personal Data only on documented Controller instructions; (b) ensure persons authorised to Process have confidentiality obligations; (c) take all measures required pursuant to Art. 32 GDPR (see Annex II); (d) respect §4 conditions on Subprocessors; (e) assist the Controller with Data Subject rights requests; (f) assist with Arts. 32–36 GDPR obligations; (g) return or delete Personal Data per §10; and (h) make available all information necessary to demonstrate compliance and allow for audits per §8.
4. Subprocessors
4.1 Authorisation. Controller authorises the Subprocessors listed in /legal/subprocessors/ (Annex III).
4.2 Change notice. Processor notifies Controller at least 30 days in advance of Subprocessor changes.
4.3 Objection. Controller may object on reasonable data-protection grounds; if unresolved, either Party may terminate the affected portion of the Agreement.
4.4 Flowdown. Processor imposes no-less-protective data-protection obligations on each Subprocessor.
5. International transfers
5.1 SCCs. For EEA / UK / Swiss → third-country transfers without an adequacy decision, the Parties incorporate the EU SCCs Module 2 with the choices in Annex IV.
5.2 UK IDTA. The UK International Data Transfer Addendum is incorporated for UK-subject data with the population set out in Annex IV.
5.3 TIA. Processor maintains a Transfer Impact Assessment per EDPB Recommendations 01/2020; current copy available on request.
5.4 Supplementary measures. Encryption-in-transit and at-rest, observability scrubbing, scoped IAM, and audit logging apply to all international transfers (see Annex II).
6. Data Subject rights assistance
Processor assists the Controller with Data Subject requests under Arts. 15–22 GDPR. Where a Data Subject contacts the Processor directly, the Processor acknowledges, forwards to the Controller without responding substantively, and logs the forwarding. Self-service mechanisms (data export, account deletion) are exposed at /legal/data-export/ and /legal/request-account-deletion/.
7. Personal Data Breach
Processor notifies Controller of a Personal Data Breach without undue delay and in any event within 72 hours of becoming aware. The notice includes the nature, categories and approximate number of Data Subjects and records, likely consequences, and mitigation measures, to the extent known.
8. Audit
Processor makes available on reasonable notice the information necessary to demonstrate compliance, including third-party audit reports, SCC / IDTA evidence vault index, and Records of Processing Activities. On-site inspections are permitted not more than once per twelve-month period, subject to scheduling, confidentiality, and operational-safety constraints. Controller bears the cost unless the audit reveals material non-compliance.
9. Confidentiality
Each Party treats Personal Data and Confidential Information of the other Party in accordance with the confidentiality terms of the Agreement. The obligation survives termination.
10. Deletion and return
On termination, at Controller's election, Processor either returns the Personal Data in a structured machine-readable format or deletes it including backup copies within the documented retention cycle. Written certification of deletion is available on request. Statutory retention requirements are flagged to the Controller.
11. Liability and indemnity
Liability under this DPA is subject to the limitations and exclusions in the Agreement. Nothing limits Data Subjects' third-party-beneficiary rights under Clause 3 SCCs. Specific indemnification arrangements are set out in the Agreement.
12. General
12.1 Conflict. In case of conflict between this DPA and the Agreement, this DPA prevails on data-protection matters.
12.2 Severability. Invalid provisions do not affect the remainder.
12.3 Amendment. Material changes are published at this URL with at least 30 days' notice.
12.4 Notices. To the Processor: the DPO email at /legal/privacy-policy/. To the Controller: the Customer-administrator email of record.
Annex I — Description of the Processing
- Subject matter: Provision of the Talking Paper service — journaling, memory extraction, character-model inference, AI reflection.
- Duration: Term of the Agreement plus retention period in §10.
- Nature and purpose: Storing journal entries; embeddings; memory and trait extraction; AI replies; billing; support.
- Data subjects: Customer's authorised end-users.
- Personal Data: Account data; journal content (potentially including special-category data under Art. 9 such as mental-health reflections); inferred characteristics (memories, traits, mood scores); usage telemetry; payment data (handled by Paddle).
- Special-category data: Possible. Controller is responsible for the Art. 9 lawful basis (typically Art. 9(2)(a) explicit consent).
- Frequency: Continuous for the term of the Agreement.
Annex II — Technical and Organisational Measures (Art. 32 GDPR)
Full TOM details are maintained in business-docs/compliance/tia.md §3 and in the source DPA at business-docs/legal/dpa-template.md. Summary:
- MFA-enforced admin access; staff actions logged with tamper-evident hash-chain.
- TLS ≥ 1.2 with HSTS preload eligibility.
- Fernet field-level encryption on payment identifiers and on journal / extracted-memory text; Postgres disk encryption.
- Sentry PII scrubbing; Langfuse off by default with PII redaction + 4000-char truncation when enabled.
- Tri-state prompt-injection and crisis-resource gates; per-user monthly LLM token budget with soft- and hard-caps; Redis-backed bot-detection on public endpoints; trial-abuse fingerprinting.
- HTML sanitisation via bleach allowlist; Permissions-Policy and CSP without 'unsafe-inline'.
- Daily backups with documented restore drill; tamper-evident audit-log verification cron.
- Documented secret-rotation runbook (90 / 180-day cadence); workforce confidentiality obligations.
Annex III — Authorised Subprocessors
The authoritative list is published at /legal/subprocessors/. Controller's §4.1 authorisation covers each Subprocessor present at the effective date of the Agreement plus any added under the §4.2 notice procedure to which the Controller has not objected.
Annex IV — SCC / IDTA Population
- Clause 7 (Docking): not invoked.
- Clause 9(a) (Subprocessor authorisation): Option 2 — general written authorisation with §4.2 notice.
- Clause 17 (Governing law): Poland.
- Clause 18 (Forum and jurisdiction): Courts of Poland; without prejudice to Data Subjects' rights under Clause 18(c).
- Annex I.A: Parties as in §0.
- Annex I.B: Description as in Annex I above.
- Annex II: TOMs as in Annex II above.
- Annex III: Subprocessors as in Annex III above.
- UK IDTA: incorporated for UK-subject data, mirroring the same module and version.
By clicking through, signing up to the Talking Paper service, or otherwise accepting the Agreement, the Customer accepts this DPA. A wet-ink or DocuSign countersignature is available on request — contact via the DPO email at /legal/privacy-policy/.