Legal

Data Processing Agreement

Last updated: 2026-05-17 · DRAFT — counsel review pending

Draft notice. The signing-grade DPA is in counsel review. The summary below describes the posture we will sign on; the executed PDF is available on request before the formal version is published.

§1 Request a signed DPA

Email dpa@etymolt.com with:

Your legal entity name and signing address
Your role: controller (standard B2B API customer) or processor (you process EU/UK personal data on behalf of your own end-customer and need to sub-process through Etymolt)
Which regulatory regimes apply: GDPR / UK GDPR / Swiss FADP / CCPA-as-controller / other
Any redlines or carve-outs against our standard template (we negotiate at Platform / Enterprise tier — at lower tiers our template is sign-as-is)

We turn around signed DPAs within 5 business days at Platform / Enterprise tier, and 10 business days at lower tiers.

§2 What our DPA covers

Roles. Customer = controller; Etymolt = processor. For free-tier and unauthenticated traffic, we act as controller of our own infrastructure data (rate-limit hashes, error logs) and do not have a processor relationship with the caller.
Subject matter + duration. Provision of the Etymolt API, MCP server, and web app for the duration of the customer's subscription or paid balance.
Nature + purpose of processing. Brand-name verdict computation, rate-limit enforcement, billing.
Types of personal data. Customer email + billing identifier, candidate brand names (treated as opaque strings), IP + user-agent for the anonymous-quota hash. See /privacy for the full table.
Categories of data subjects. Customer representatives + end-users of the customer's integration.
Sub-processors. The list in /privacy §How we share is the authoritative roster. We give 30 days' notice before adding or replacing a sub-processor.
Security measures. TLS 1.3, AES-256 at rest, SHA-256 API key hashing, append-only verdict logs, SOC2 Type I in progress.
Audit rights. Annual SOC2 report (when certified); written questionnaires; on-site audit at Enterprise tier with reasonable notice.
Breach notification. 72 hours from confirmed breach, per GDPR Art. 33 timing.
Deletion + return. On contract end, customer data deleted within 30 days (or returned in JSON on request).

§3 International transfers — SCCs + DPF

The DPA incorporates by reference:

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Modules 2 (controller-to-processor) and 3 (processor-to-processor) as applicable.
UK International Data Transfer Addendum (IDTA) issued by the UK ICO.
Swiss FADP supplement for transfers from Switzerland.
The EU-US Data Privacy Framework + UK Extension + Swiss-US DPF, where applicable to the relevant sub-processor. Self-certification status verifiable on dataprivacyframework.gov.

§4 CCPA / state privacy laws

Where the customer is a CCPA / CPRA business subject to Cal. Civ. Code §1798.140(j), the DPA includes a CCPA addendum confirming Etymolt acts as a service provider / contractor and does not sell or share personal information for cross-context behavioral advertising. Parallel addenda for VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and UCPA (Utah) are available on request.

§5 Template + signature

Until the executed template is posted here, request a copy by emailing dpa@etymolt.com. We will send the current counsel-reviewed draft (PDF or DocuSign envelope) within 2 business days. A direct-download link to the signed template will replace this notice once counsel sign-off lands.

Customers who have already signed a custom DPA: that signed instrument controls over this page.

§6 Contact

dpa@etymolt.com · privacy@etymolt.com · legal@etymolt.com