Scribegrove

Data Processing Addendum (DPA)

Last updated: 2026-05-13. Draft — pending legal review before public launch.

This DPA forms part of the Terms of Service between Scribegrove ("Processor") and the Customer ("Controller") and applies to processing of personal data in the European Economic Area, United Kingdom, and Switzerland.

1. Definitions

"Personal Data", "Data Subject", "Processing", "Controller", "Processor" have the meanings given in the GDPR.

2. Scope of processing

Scribegrove processes Customer Personal Data only as needed to provide the Service, on documented instructions from the Customer, and in accordance with our Privacy Policy.

3. Sub-processors

Current sub-processors:

  • Supabase (US) — database, auth, edge functions
  • Stripe (US/EU) — payment processing
  • Anthropic (US) — AI inference (Online tiers, on user request)
  • OpenAI (US) — AI inference (Online tiers, on user request)
  • Google Cloud (US/EU) — Gemini AI inference (Online tiers, on user request)
  • Replicate (US) — image generation (Publishing add-on)
  • fal.ai (US) — image generation (Publishing add-on)
  • Resend (US) — transactional email
  • Backblaze (US) — installer + encrypted backup storage
  • Vercel (US) — marketing site + portal hosting
  • Railway (US) — backend services hosting

We'll notify Controllers 30 days before adding new sub-processors. Controllers have a right to object; if we can't resolve, you can terminate the relevant Service.

4. Security

  • Encryption at rest for all Customer Data in storage
  • Encryption in transit (TLS 1.2+) for all data transmission
  • Client-side encryption for cloud sync payloads (we never hold the decryption key)
  • Row-level security on multi-tenant tables
  • Per-user QPS / concurrency limits to prevent abuse
  • Daily cost ceilings to prevent runaway cost loops
  • Audit logging of admin actions; auto-expiring 90-day retention

5. International transfers

For EU/UK Personal Data transferred outside the EEA/UK, transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission. We sign SCCs on request.

6. Data subject rights

We'll assist Controllers in responding to data subject access, rectification, erasure, restriction, and portability requests within reasonable timeframes (typically 30 days).

7. Breach notification

We'll notify Controllers within 72 hours of becoming aware of a Personal Data breach that is likely to result in risk to data subjects.

8. Audit rights

Controllers may audit our compliance with this DPA once per 12-month period with 30 days' notice. We'll provide our SOC 2 report (once obtained) in lieu of on-site audits where reasonable.

9. Return / deletion of data

On Service termination or Controller request, we'll return or delete Customer Personal Data within 60 days. Backups are purged on the rolling 90-day cycle.

10. Contact

DPA inquiries: dpa@scribegrove.com