This is placeholder copy. A counsel-reviewed DPA will replace this before any contract with personal-data processing is signed.
1. Scope
This DPA covers processing of personal data by BuiltByGo Ltd ("Processor") on behalf of Customer ("Controller") in connection with the Paragraphs service. Where processing involves transfers outside the UK/EEA, the relevant Standard Contractual Clauses (SCCs) are incorporated by reference.
2. Roles
For account, billing, and operational telemetry: Processor is data controller. For content the Customer uploads to translate: Processor is data processor; Customer is data controller.
3. Subject matter, duration, nature, purpose
- Subject matter: provision of the Service.
- Duration: term of the subscription + 30-day retention + backup retention per /security.
- Nature: storage, transmission, translation processing via documented APIs.
- Purpose: provide the Service to Controller; bill accurately; meet legal obligations.
4. Categories of data and data subjects
Categories of data: text content uploaded by Controller, which may include personal data of Controller's customers / users / employees depending on the content. Categories of data subjects: anyone referenced in Controller's content.
5. Security measures
See /security for the full technical and organisational measures. Highlights: TLS 1.3, AES-256 at rest, RLS-enforced tenant isolation, audit logging, encrypted backups with 90-day Object Lock, MFA available for all users (required for Enterprise admin actions).
6. Sub-processors
Listed at /legal/sub-processors. 30-day prior notice of additions or replacements to subscribers via email + in-app banner. Controller may object to a new sub-processor; we'll discuss in good faith, and Controller may terminate without penalty if no resolution is reached.
7. International transfers
Controller picks EU (Frankfurt) or US (Virginia) data residency at signup. Where Controller is in the EU/UK and chooses US residency, EU SCCs Module 2 (Controller-to-Processor) apply. Where Controller chooses EU residency, transfers are kept inside the EU; sub-processors in the US are bound by Module 3 SCCs where applicable, plus supplementary measures (encryption at rest and in transit, and application-level tenant isolation).
8. Breach notification
We notify Controller without undue delay (target: within 24 hours of becoming aware) of any personal-data breach affecting Controller's data. Notification includes nature, categories and approximate volume affected, likely consequences, and measures taken.
9. Audit rights
Controller may audit our compliance with this DPA once per year at Controller's expense, with reasonable advance notice. We meet most audit needs by providing SOC 2 and ISO 27001 reports (once issued); on-site audits are reserved for material concerns.
10. Deletion and return
On termination, Controller's data is accessible for 30 days, then deleted from production stores. Backups follow the 90-day Object Lock policy. Certified deletion confirmation is available on request.
11. Assistance
We assist Controller with DPIAs, data subject access requests, and supervisory authority consultations. Standard assistance is included; extensive assistance is billed at our then-standard professional services rate.
12. Liability
Liability under this DPA is subject to the limit of liability in the master agreement. GDPR statutory liabilities are unaffected.
13. Custom DPA
If you need a custom DPA, custom SCC modules, or sector-specific clauses (HIPAA BAA, FINRA, etc.), contact legal@paragraphs.co.uk. Available on Business tier and above.