Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service ("Agreement") between you (the "Customer") and Writegarden ("Provider", "we", "us"), governing the Writegarden platform ("Service"). By accepting the Agreement and using the Service, you agree to this DPA. No signature is required; it applies on a self-serve basis to all Customers.

1. Scope and Role of the Parties

This DPA applies where, and to the extent that, we process personal data on your behalf in the course of providing the Service ("Customer Personal Data"). With respect to Customer Personal Data:

  • You act as the controller (or processor on behalf of a third-party controller); and
  • We act as the processor (or sub-processor).

Separately, we act as an independent controller for the account, authentication, and billing data we process to operate our business, as described in our Privacy Policy. That processing is not governed by this DPA.

2. Definitions

"GDPR" means Regulation (EU) 2016/679. The terms "controller", "processor", "data subject", "personal data", "processing", "personal data breach", and "supervisory authority" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by us to process Customer Personal Data. "Data Protection Law" means the GDPR and all applicable EU and Portuguese data protection legislation.

3. Processing on Documented Instructions

We will process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case we will inform you of that legal requirement before processing, unless the law prohibits such notice). The Agreement, this DPA, and your configuration and use of the Service constitute your complete and documented instructions. We will inform you if, in our opinion, an instruction infringes Data Protection Law.

4. Confidentiality

We ensure that persons authorized to process Customer Personal Data are bound by an appropriate obligation of confidentiality and process the data only as necessary to provide the Service.

5. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. A description of these measures is set out in Annex II. We may update these measures over time provided that the level of protection is not materially reduced.

6. Sub-processors

You provide general authorization for us to engage the Sub-processors listed in Annex III to process Customer Personal Data. We will:

  • Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, by written contract;
  • Remain fully liable to you for each Sub-processor's performance of its data protection obligations;
  • Notify you of any intended addition or replacement of a Sub-processor by email and/or by updating Annex III, giving you a reasonable opportunity (at least 30 days) to object on reasonable data-protection grounds before the new Sub-processor begins processing.

If you reasonably object and we cannot accommodate the objection, you may terminate the affected Service. Where Sub-processors provide AI model functionality, we use providers that are contractually restricted from using Customer Personal Data to train or improve their foundation models.

7. Assistance with Data Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts us directly regarding Customer Personal Data, we will refer them to you.

8. Personal Data Breach Notification

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide you with information reasonably available to us to assist you in meeting your obligations under Articles 33 and 34 of the GDPR.

9. Data Protection Impact Assessments

Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to you with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35 and 36 of the GDPR.

10. Deletion or Return of Data

Upon termination of the Service, we will, at your choice, delete or return Customer Personal Data and delete existing copies, unless EU or Member State law requires storage. In the absence of an instruction, data is deleted in accordance with the retention periods set out in our Privacy Policy.

11. Audits and Demonstration of Compliance

We will make available to you information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. To minimize disruption, audits will ordinarily be satisfied by our providing relevant documentation and any third-party audit reports or certifications we hold. Where a further audit is required by Data Protection Law, it will be conducted no more than once per year, on reasonable prior notice, during business hours, subject to confidentiality, and at your cost.

12. International Data Transfers

Where we or a Sub-processor process Customer Personal Data outside the EU/EEA, we ensure an appropriate transfer mechanism under Chapter V of the GDPR, namely an adequacy decision (including the EU-US Data Privacy Framework, where the recipient is certified) and/or the European Commission's Standard Contractual Clauses supplemented by a transfer impact assessment. A copy of the applicable safeguards is available on request at privacy@writegarden.com.

13. Restrictions on Special Category Data

The Service is not intended for the processing of special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). You must not submit such data to the Service, and you are solely responsible if you do so contrary to this DPA.

14. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA prevails. This DPA remains in effect for as long as we process Customer Personal Data.

Annex I — Details of Processing

Subject matter: Provision of the Writegarden AI SEO content platform.
Duration: The term of the Customer's subscription, plus the retention periods in the Privacy Policy.
Nature & purpose: Hosting and storage; AI content and image generation; keyword and SEO research; AI Visibility analysis; publishing to Customer-connected platforms; team and account management.
Types of personal data: Contact and account data of the Customer's authorized users and invited team members (name, email); and any personal data the Customer chooses to include in business profiles, prompts, generated content, uploaded media, or connected-account data (e.g. Google Search Console).
Categories of data subjects: The Customer's authorized users and team members, and any individuals the Customer chooses to reference in its inputs or content.

Annex II — Technical and Organizational Measures

  • Encryption in transit (TLS/HTTPS) and encryption at rest for stored data
  • AES-256-GCM encryption of third-party integration (OAuth) tokens
  • Row-Level Security (RLS) ensuring data isolation between organizations
  • Server-side credential management; API keys and secrets are never exposed to browsers
  • Hashed and salted passwords (managed by the authentication provider)
  • Access controls limiting personnel access to Customer Personal Data on a need-to-know basis
  • Regular security reviews and updates

Annex III — Approved Sub-processors

Sub-processor | Purpose | Location
Supabase | Database, authentication, storage, serverless functions | EU (AWS)
Vercel | Marketing-site hosting and delivery | EU edge / US
Cloudflare | Bot/abuse mitigation on web forms (Turnstile) | Global
Stripe | Subscription billing and payment processing | US / Ireland
OpenRouter | AI model gateway (article, keyword, image generation) | US
Anthropic | Claude models (AI Visibility analysis) | US
Google | Search Console data; AI Overview analysis | US
DataForSEO | Keyword, SERP, and on-page SEO metrics | EU
N8N Cloud | Workflow orchestration for content generation | EU
ScreenshotOne | Website screenshot capture | Outside EEA (SCCs)

Publishing platforms that you connect via OAuth (Webflow, Shopify, WordPress, Wix, Framer) are third parties to whom you direct content; they act under their own terms and are not our Sub-processors.