Data processing addendum
Last updated: 2026-05-23. Effective date: 2026-05-22.
This Data Processing Addendum (“DPA”) supplements our Terms of Service and applies whenever Safe to Publish processes personal data on behalf of a customer (“you,” “Controller,” or, where applicable, “Business”) in the course of providing the service. The Processor / Service Provider is Zackary Trenholme, an Ontario sole proprietor operating as Safe to Publish.
1. Definitions
Capitalized terms used in this DPA have the meanings set out below. Terms not defined here have the meanings given to them in our Terms of Service.
- “Personal Data” means any information that identifies, relates to, or could reasonably be linked with an identified or identifiable individual, that you submit to or generate through the service.
- “Processing” means any operation performed on Personal Data, whether or not by automated means.
- “Data Subject” means the individual to whom Personal Data relates.
- “Sub-processor” means a third party engaged by us to Process Personal Data on our behalf in connection with the service.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us on your behalf.
- “Business,” “Service Provider,” “Contractor,” “Sell,” “Share,” “Personal Information,” and “Sensitive Personal Information” have the meanings given to them in the California Consumer Privacy Act, as amended (the “CCPA”). References to “Personal Information” in §9 of this DPA mean Personal Data of California residents that we Process on your behalf in our capacity as a Service Provider.
- “Controller,” “Processor,” “Standard Contractual Clauses,” “Supervisory Authority,” and “Data Protection Impact Assessment” have the meanings given to them in the EU General Data Protection Regulation (the “GDPR”).
2. Roles
For Personal Data you submit to the service (including draft text that may identify clients, employees, or third parties), you act as the Controller (and, where applicable, the Business under the CCPA), and we act as the Processor (and, where applicable, the Service Provider under the CCPA). We Process such Personal Data only on your documented instructions, which the Terms of Service and this DPA constitute. Your instructions include any transfers of Personal Data to third countries that we are required to perform in order to deliver the service, consistent with §6.
You represent and warrant that, prior to submitting any content that includes Personal Data of an individual who is not your direct user (for example, a client, prospect, employee, or other third party named in marketing copy), you have provided any notice, obtained any consent, and complied with any other obligation required of you under applicable law with respect to processing that Personal Data through the service. You further represent that you have all rights necessary to submit Your Content to the service, including any necessary intellectual-property licenses, and that your instructions to us are lawful and within the scope of your authority as Controller or Business.
3. Categories of data
- Subject matter: SEC Marketing Rule pre-publication review.
- Duration: for the term of the subscription plus the audit-log retention window of your plan.
- Nature and purpose: reviewing draft marketing material against the rule corpus and producing an audit trail.
- Categories of data subjects: your firm's clients, employees, and any third parties named in submitted drafts.
- Categories of personal data: names, quotes, contact details, and any other personal data you choose to include in submitted drafts.
4. Sub-processors
You authorize the use of the Sub-processors listed at /legal/sub-processors. We will notify you at least thirty (30) days before adding a new Sub-processor, and you may object on reasonable privacy or security grounds. If you object to a proposed Sub-processor and we cannot accommodate the objection within thirty (30) days, you may terminate the affected portion of the service and receive a pro-rata refund of pre-paid fees for the unused subscription period.
We will impose on each Sub-processor data-protection obligations substantially the same as those set forth in this DPA, and we remain liable to you for the acts and omissions of our Sub-processors to the same extent we would be liable for our own acts and omissions.
Independent controllers. Certain third parties listed on the sub-processors page (for example, Stripe for payment processing and Clerk for authentication) act as independent controllers of Personal Data they Process for their own regulatory and operational purposes (such as fraud prevention or compliance with their own legal obligations). Their Processing for those purposes is governed by their own privacy notices, not by this DPA.
5. Security
We will implement and maintain appropriate technical and organizational measures designed to protect Personal Data, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
- Access controls limiting Personal Data to personnel with a need to know.
- Regular review of security practices and incident-response procedures.
- Audit logging of personnel access to production systems.
- Confidentiality obligations binding all personnel authorized to Process Personal Data.
Specifics are described in our security overview at /legal/security.
6. International transfers
Where you transfer Personal Data subject to the EEA GDPR, the UK GDPR, or the Swiss FADP to Safe to Publish, the Standard Contractual Clauses (Module Two — controller to processor) are incorporated by reference and apply between the parties, with the following docking-clause selections: clause 7 (docking) is included; clause 9 option 2 (general written authorization) is selected; clause 11(a) is included without the optional language; clause 17 option 1 is selected and the law of Ireland applies; clause 18(b) selects the courts of Ireland. Annexes are completed by reference to this DPA and the Privacy Policy.
7. Personal data breach
We will notify you of a Personal Data Breach affecting your Personal Data without undue delay (and in any event within seventy-two (72) hours of confirming it). Information we are reasonably able to provide at the time of notice — including the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed — will be supplied at that time; additional information will be supplied as it becomes known.
8. Data subject requests
We will assist you in responding to requests from Data Subjects (including requests to access, correct, delete, restrict, or transfer Personal Data) within the scope of our obligations as Processor / Service Provider. Specifically:
- If we receive a request directly from a Data Subject relating to your Personal Data, we will not respond on your behalf except as you direct, and will forward the request to you without undue delay.
- Where reasonable, we will provide self-service tools to access, export, or delete Personal Data held in your account.
- We will provide reasonable cooperation, taking into account the nature of the Processing and the information available to us, to enable you to respond to the request within the applicable statutory timeline.
9. CCPA service provider commitments
To the extent we Process Personal Information of California residents on your behalf as a Service Provider under the CCPA, we represent and commit as follows:
- We will not Sell or Share Personal Information.
- We will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Terms of Service and this DPA, or as otherwise permitted by the CCPA.
- We will not retain, use, or disclose Personal Information outside the direct business relationship with you.
- We will not combine Personal Information we receive from you, or that we Process on your behalf, with Personal Information we receive from any other source, except as permitted by the CCPA.
- We will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required of you as the Business.
- You retain the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by us.
- We will notify you if we determine that we can no longer meet our obligations under the CCPA.
Where this section conflicts with any other provision of this DPA or the Terms of Service, this section prevails with respect to Personal Information of California residents.
10. Audit
On reasonable prior notice and no more than once per twelve (12) month period (except in connection with a Personal Data Breach or as required by a Supervisory Authority), we will make available to you the information necessary to demonstrate compliance with our obligations under this DPA, including a current description of our technical and organizational measures.
Where we have obtained a SOC 2, ISO 27001, or substantially similar third-party audit or attestation, you agree that providing the summary of that audit or attestation, together with any reasonable written follow-up questions and answers, satisfies our audit obligations under this DPA and under Article 28(3)(h) of the GDPR where applicable. You will not have a right to physical or on-site inspection of our facilities or systems. Any audit assistance beyond delivery of third-party audit summaries will be performed at your reasonable expense, subject to a mutually acceptable non-disclosure agreement, and during regular business hours so as not to disrupt our operations.
11. DPIA and prior consultation assistance
Upon your reasonable request and at your reasonable expense, we will assist you with data protection impact assessments and prior consultations with Supervisory Authorities (where applicable), to the extent the information required is within our possession as Processor / Service Provider.
12. Return or deletion
Within thirty (30) days of termination of the subscription, we will, at your election:
- return the Personal Data we Process on your behalf in a commonly used format (CSV or JSON), or
- delete the Personal Data we Process on your behalf,
except where retention is required by applicable law (such as the Books and Records Rule 204-2 for the plan's retention window, or the audit-event chain referenced in our Privacy Policy §6). For records subject to mandatory retention, the records are kept in our systems for the plan's retention window and then permanently purged. You should export your audit log and content from the Audit page before closing your account; once your firm is closed via Settings → Data handling, account holders cannot sign back in to access the data.
13. General provisions
Liability. Our liability under this DPA is subject to, and counts toward, the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA creates a separate or additional cap on our aggregate liability.
Precedence. In case of conflict between this DPA and the Terms of Service or any other agreement between us, this DPA prevails solely with respect to the Processing of Personal Data.
Survival. The following obligations survive termination of this DPA and the Terms of Service: confidentiality; the security commitments in §5 relating to Personal Data we continue to hold; the return-or-deletion obligation in §12; and our audit-information obligations in §10 for as long as we hold the relevant Personal Data.
14. Counter-signature
Customers requiring a counter-signed copy of this DPA may email support@safetopublish.com with the legal entity name and signatory details.