Data Processing Agreement
Last updated: April 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Acta Legal Entity] ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by the Processor on behalf of the Controller when using the Acta platform ("Service").
This DPA is entered into pursuant to Art. 28 GDPR and supplements the Terms of Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Art. 4(2) GDPR.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means the competent data protection authority under GDPR.
2. Scope of processing
2.1 Subject matter
The Processor processes Personal Data on behalf of the Controller to provide the Acta compliance platform, including usage monitoring, audit logging, billing, and compliance reporting.
2.2 Categories of data subjects
- Controller's employees and authorised users of the Service
- Individuals whose personal data may appear in usage metadata (as detection type and count only — not the actual data)
2.3 Types of personal data processed
- Account information: name, work email, company name, hashed password
- Usage metadata: timestamps, AI tool identifiers, policy outcomes, detection types and counts, hashed user identifiers
- Billing data: subscription status, token usage counts (card details processed by Stripe, not stored by us)
- Audit log entries: policy events, decision records, integrity hashes
2.4 Data NOT processed by the Processor
The Processor does not receive, store, or process:
- The content of AI prompts or conversations
- The actual personal data detected by the PII scanner (names, health records, etc.)
- Any GDPR Art. 9 special category data
All prompt scanning occurs locally in the user's browser. Only detection outcomes (entity type and count) are transmitted to the Processor.
2.5 Duration
Processing continues for the duration of the Terms of Service, plus the data retention periods specified in our Privacy Policy.
3. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. If such a legal obligation arises, the Processor will inform the Controller before processing (unless prohibited by law).
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR (see Section 5).
- Not engage another processor without prior written authorisation of the Controller (see Section 6).
- Assist the Controller, taking into account the nature of processing, in responding to requests for exercising Data Subject rights under Chapter III GDPR.
- Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Controller obligations
The Controller shall:
- Ensure that it has a valid legal basis for the processing of Personal Data through the Service.
- Provide documented instructions to the Processor regarding the processing of Personal Data.
- Ensure that Data Subjects have been informed about the processing in accordance with Articles 13 and 14 GDPR.
- Carry out any required Data Protection Impact Assessments (DPIAs) in relation to its use of the Service.
- Comply with its obligations as a data controller under applicable data protection law.
5. Security measures
The Processor implements the following technical and organisational measures:
5.1 Technical measures
- Encryption in transit: TLS 1.2+ for all data transmissions
- Encryption at rest: AES-256 for stored data
- Access control: Role-based access, multi-factor authentication for production systems
- Network security: Firewall rules, DDoS protection (Cloudflare), intrusion detection
- Audit logging: Tamper-evident hash chain (SHA-256 HMAC) for all audit events
- Data minimisation: Only metadata collected; prompt content never leaves the browser
- Pseudonymisation: User identifiers are hashed before transmission from the extension
5.2 Organisational measures
- Personnel: All staff with access to Personal Data are bound by confidentiality obligations
- Incident response: Documented incident response procedure with defined escalation paths
- Vendor management: Sub-processors are assessed for GDPR compliance before engagement
- Training: Data protection training for all personnel with access to Personal Data
6. Sub-processors
6.1 Authorised sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscriptions | US / EU | EU SCCs, PCI DSS Level 1 |
| Google Cloud (Firebase) | Authentication, database | EU (europe-west) | EU data residency, ISO 27001 |
| Resend, Inc. | Transactional email | EU | DPA in place |
| Functional Software (Sentry) | Error monitoring | EU | EU data residency, DPA |
| Cloudflare, Inc. | DNS, CDN, security | Global | EU SCCs, ISO 27001 |
| Plausible Insights OÜ | Website analytics | EU (Estonia) | No personal data processed |
6.2 Changes to sub-processors
The Processor will notify the Controller of any intended changes to sub-processors at least 30 days before the change takes effect. The Controller may object to the change within 14 days. If the Controller objects and no resolution is reached, the Controller may terminate the agreement.
6.3 Sub-processor obligations
The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA, in accordance with Art. 28(4) GDPR.
7. Data subject rights
The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
If the Processor receives a request directly from a Data Subject, it will promptly redirect the request to the Controller, unless legally required to respond directly.
The Service provides the following self-service capabilities for the Controller:
- Data export: JSON export of all audit logs, usage data, and account data via the dashboard
- Data deletion: Account deletion triggers removal of all associated data within 30 days
- Data rectification: Account settings can be updated by the Controller at any time
8. Data breach notification
In the event of a Personal Data breach, the Processor will:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
- Provide the Controller with the following information:
  - Nature of the breach, including categories and approximate number of Data Subjects and records affected
  - Name and contact details of the Processor's contact point
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in investigating and remediating the breach.
- Document all breaches, including facts, effects, and remedial actions taken.
9. International transfers
The Processor stores all Personal Data within the European Economic Area (EEA). Where a sub-processor transfers Personal Data outside the EEA, the Processor ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Supplementary measures where required by the transfer impact assessment
10. Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and Art. 28 GDPR.
The Controller (or a mandated third-party auditor bound by confidentiality) may conduct audits of the Processor's data processing activities, subject to:
- Reasonable advance notice (at least 30 days)
- Audits conducted during normal business hours
- The auditor's obligation to maintain confidentiality
- A maximum of one audit per 12-month period, unless required by a Supervisory Authority
11. Term and termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination:
- The Processor will cease processing Personal Data on behalf of the Controller.
- At the Controller's choice (communicated within 30 days of termination), the Processor will either return or delete all Personal Data.
- If no choice is communicated, the Processor will delete all Personal Data within 30 days of termination.
- The Processor may retain Personal Data to the extent required by applicable law, with continued confidentiality obligations.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
13. Governing law
This DPA is governed by the same law that governs the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
14. Contact
For questions about this DPA or data processing matters:
Email: dpo@acta.ink
Post: [Acta Legal Entity], [Registered address]