Legal · Data Processing Agreement
Data Processing Agreement
v1.0 · last updated 28 May 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Customer”, the controller) and the operator of ArticleProof (the processor). It governs the processing of disclosure-event personal data under GDPR Article 28 and applies automatically when you use the service to capture disclosure events from your end-users. No signature is required; if you require a countersigned copy for your records, email hello@articleproof.app.
1. Parties and roles
The Customeris the controller of the disclosure-event personal data captured by the ArticleProof widget on the Customer’s properties. The processor is ArticleProof, 5307 Victoria Drive, Vancouver, BC V5P 3V6, Canada. The processor processes that data only on the Customer’s behalf and on its documented instructions.
2. Subject matter and duration
Subject matter: processing of disclosure-event data to provide the AI-transparency logging and audit-pack service. Duration:for the term of the Customer’s subscription and any retention or wind-down period set out in the Privacy Policy.
3. Nature and purpose of processing
Collection, storage, organisation, hashing, retrieval, and export (in the audit-pack PDF) of disclosure-event records, solely to provide and support the service and to secure it against abuse. The processor does not process the data for its own purposes and does not sell it.
4. Types of personal data
Disclosure-event records may include: event type; a random browser-localStorage session identifier (~30 days); page URL; AI model/provider strings; content hashes of prompt and output (never the content itself); user-agent string; salted/truncated derivations of IP address (the raw IP is never stored); and a UTC timestamp. No special-category data is intended to be processed.
5. Categories of data subjects
The Customer’s end-users who interact with the Customer’s AI surfaces on which the ArticleProof widget is installed.
6. Processor obligations (Article 28(3))
The processor will:
- process the personal data only on the Customer’s documented instructions, including for international transfers, unless required by law (in which case it will inform the Customer unless legally prohibited);
- ensure persons authorised to process the data are bound by confidentiality;
- implement the technical and organisational measures in Annex 2 (Article 32);
- respect the subprocessor conditions in section 7;
- assist the Customer, by appropriate measures, in responding to data-subject requests under GDPR Chapter III;
- assist the Customer with security, breach notification, data-protection impact assessments, and prior consultation (Articles 32–36);
- at the Customer’s choice, delete or return all personal data on termination and delete existing copies unless law requires retention;
- make available the information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Customer or its mandated auditor (see section 9).
7. Subprocessors
The Customer gives general authorisation for the processor to engage the subprocessors listed in the Privacy Policy (with their locations, the data they handle, and links to their own DPAs). The processor imposes data-protection obligations on each subprocessor that are no less protective than this DPA and remains fully liable for their performance. The processor will give at least 30 days’ notice by email of any intended addition or replacement, during which the Customer may object on reasonable data-protection grounds.
8. International transfers
Personal data may be processed in Canada and the United States. Where personal data of EU/EEA or UK data subjects is transferred to a country without an adequacy decision, the transfer is made under the European Commission’s Standard Contractual Clauses (Module Two, controller-to-processor; the UK Addendum where UK data is in scope), which are incorporated into this DPA by reference, together with the supplementary measures in Annex 2. Several subprocessors operate under their own SCCs, on which the processor also relies.
9. Audit rights
The processor will respond to the Customer’s reasonable requests for information needed to assess compliance with this DPA, and will make available relevant third-party audit reports of its subprocessors where it holds them. The Customer may, on reasonable prior notice and no more than once a year (or following a personal-data breach), conduct an audit of the processing, subject to confidentiality and minimal disruption to the service.
10. Personal-data breach
The processor will notify the Customer without undue delay, and in any event within 48 hoursof becoming aware of a personal-data breach affecting the Customer’s data, with the information the Customer reasonably needs to meet its own 72-hour notification duty under GDPR Article 33.
11. Deletion and return
On termination, the processor will, at the Customer’s choice, delete or return the personal data and delete existing copies within 30 days, except where law requires retention (for example, billing records). Retained salts used only to keep historical audit packs reproducible are not combined with raw IP addresses and do not reconstitute personal data.
12. Liability and precedence
Liability under this DPA is subject to the limitations in the Terms of Service. If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails. Where the SCCs apply and conflict with this DPA, the SCCs prevail.
Annex 1 — Processing details
Subject matter, nature, purpose, data types, and data subjects are as described in sections 2–5 above. Frequency: continuous, for the duration of the subscription. Subprocessors: as listed in the Privacy Policy.
Annex 2 — Technical and organisational measures (Article 32)
- Tenant isolation via database row-level security (RLS).
- Encryption in transit (TLS); authentication credentials stored only in hashed form.
- Prompt/output stored only as content hashes, never as raw content.
- Raw IP addresses never stored; salted SHA-256 + coarse truncation, weekly salt rotation.
- Audit-pack files scoped by RLS to the owning account, served via short-lived signed URLs.
- Application error monitoring with PII scrubbing enabled.
- Rate limiting and abuse prevention on the ingest endpoint.
- Least-privilege access to production systems; access limited to authorised personnel under confidentiality.
ArticleProof organizes AI transparency records and disclosure events. It is not legal advice.