Data processing addendum
Last updated: 2026-04-24.
This Data Processing Addendum (“DPA”) supplements our Terms of Service and applies whenever Safe to Publish processes personal data on behalf of a customer (“you” or “Controller”) in the course of providing the service.
1. Roles
For any personal data you submit to the service (including draft text that may identify clients, employees, or third parties), you act as the Controller and we act as the Processor. We will process such personal data only on your documented instructions, which the Terms of Service and this DPA constitute.
2. Categories of data
- Subject matter: SEC Marketing Rule pre-publication review.
- Duration: for the term of the subscription plus the audit-log retention window of your plan.
- Nature and purpose: reviewing draft marketing material against the rule corpus and producing an audit trail.
- Categories of data subjects: your firm's clients, employees, and any third parties named in submitted drafts.
- Categories of personal data: names, quotes, contact details, and any other personal data you choose to include in submitted drafts.
3. Sub-processors
You authorize the use of the sub-processors listed in Section 5 of our Privacy Policy. We will notify you at least thirty (30) days before adding a new sub-processor, and you may object on reasonable privacy or security grounds.
4. Security
We will implement and maintain appropriate technical and organizational measures designed to protect personal data, including:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3).
- Access controls limiting personal data to personnel with a need to know.
- Regular review of security practices and incident-response procedures.
- Audit logging of personnel access to production systems.
Specifics are described in our security overview at /legal/security.
5. International transfers
Where you transfer personal data subject to the EEA GDPR, the UK GDPR, or the Swiss FADP to Safe to Publish, the Standard Contractual Clauses (Module Two — controller to processor) are incorporated by reference and apply between the parties, with the following docking-clause selections: clause 7 (docking) is included; clause 9 option 2 (general written authorization) is selected; clause 11(a) is included without the optional language; clause 17 option 1 is selected and the law of [insert EEA member state] applies; clause 18(b) selects the courts of [insert venue]. Annexes are completed by reference to this DPA and the Privacy Policy.
6. Personal data breach
We will notify you without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a confirmed personal data breach affecting your personal data, with the information required by Article 33(3) GDPR to the extent then known.
7. Data subject requests
We will assist you in responding to data-subject requests within the scope of our processor obligations. Where appropriate, we provide self-service tools to access, export, or delete personal data held in your account.
8. Audit
On reasonable prior notice, we will make available to you the information necessary to demonstrate compliance with our obligations under Article 28 GDPR, including a current description of our technical and organizational measures and (where available) summaries of any third-party security audits we have completed.
9. Return or deletion
On termination of the subscription, we will, at your election, return or delete the personal data we process on your behalf, except where retention is required by applicable law (such as Books and Records Rule 204-2). Audit-log records are retained in read-only mode for the retention window of your terminating plan.
10. Counter-signature
Customers requiring a counter-signed copy of this DPA may email [insert privacy contact email] with the legal entity name, signatory, and any required modifications.