Data Processing Agreement
Last updated: 2026-05-17 · DRAFT — counsel review pending
§1 Request a signed DPA
Email dpa@etymolt.com with:
- Your legal entity name and signing address
- Your role: controller (standard B2B API customer) or processor (you process EU/UK personal data on behalf of your own end-customer and need to sub-process through Etymolt)
- Which regulatory regimes apply: GDPR / UK GDPR / Swiss FADP / CCPA-as-controller / other
- Any redlines or carve-outs against our standard template (we negotiate at Platform / Enterprise tier — at lower tiers our template is sign-as-is)
We turn around signed DPAs within 5 business days at Platform / Enterprise tier, and 10 business days at lower tiers.
§2 What our DPA covers
- Roles. Customer = controller; Etymolt = processor. For free-tier and unauthenticated traffic, we act as controller of our own infrastructure data (rate-limit hashes, error logs) and do not have a processor relationship with the caller.
- Subject matter + duration. Provision of the Etymolt API, MCP server, and web app for the duration of the customer's subscription or paid balance.
- Nature + purpose of processing. Brand-name verdict computation, rate-limit enforcement, billing.
- Types of personal data. Customer email + billing identifier, candidate brand names (treated as opaque strings), IP + user-agent for the anonymous-quota hash. See /privacy for the full table.
- Categories of data subjects. Customer representatives + end-users of the customer's integration.
- Sub-processors. The list in /privacy §How we share is the authoritative roster. We give 30 days' notice before adding or replacing a sub-processor.
- Security measures. TLS 1.3, AES-256 at rest, SHA-256 API key hashing, append-only verdict logs, SOC2 Type I in progress.
- Audit rights. Annual SOC2 report (when certified); written questionnaires; on-site audit at Enterprise tier with reasonable notice.
- Breach notification. 72 hours from confirmed breach, per GDPR Art. 33 timing.
- Deletion + return. On contract end, customer data deleted within 30 days (or returned in JSON on request).
§3 International transfers — SCCs + DPF
The DPA incorporates by reference:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Modules 2 (controller-to-processor) and 3 (processor-to-processor) as applicable.
- UK International Data Transfer Addendum (IDTA) issued by the UK ICO.
- Swiss FADP supplement for transfers from Switzerland.
- The EU-US Data Privacy Framework + UK Extension + Swiss-US DPF, where applicable to the relevant sub-processor. Self-certification status verifiable on dataprivacyframework.gov.
§4 CCPA / state privacy laws
Where the customer is a CCPA / CPRA business subject to Cal. Civ. Code §1798.140(j), the DPA includes a CCPA addendum confirming Etymolt acts as a service provider / contractor and does not sell or share personal information for cross-context behavioral advertising. Parallel addenda for VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and UCPA (Utah) are available on request.
§5 Template + signature
Until the executed template is posted here, request a copy by emailing dpa@etymolt.com. We will send the current counsel-reviewed draft (PDF or DocuSign envelope) within 2 business days. A direct-download link to the signed template will replace this notice once counsel sign-off lands.
For customers who have already signed a custom DPA, that signed instrument controls over this page.
§6 Contact
dpa@etymolt.com · privacy@etymolt.com · legal@etymolt.com
See also: Privacy Policy · Terms of Service · Acceptable Use Policy