Data Processing Agreement
This Data Processing Agreement ("DPA") supplements the Newspilot Terms of Service and governs how DataCrab AI ("Processor") processes personal data on behalf of the Customer ("Controller") under the EU and UK GDPR. By accepting our Terms, Controllers with personal data processing needs are deemed to accept this DPA.
1. Subject matter, scope, duration
The Processor processes personal data on the Controller's behalf solely to provide the Newspilot service as defined in the Terms. This DPA remains in force for as long as the underlying subscription is active.
2. Nature and purpose of processing
The Processor performs the following operations on the Controller's behalf:
- Hosting Controller account and dashboard configuration data
- Processing user authentication, session, and access events
- Routing AI-generated briefings and alerts to designated recipients
- Generating aggregated usage analytics
- Providing technical support
3. Categories of data subjects & data
| Data subjects | Categories of personal data |
|---|---|
| Controller's employees, contractors, or other authorised users | Name, work email, role, IP address, access logs, dashboard configurations submitted by the user |
| Recipients designated by Controller for briefings/alerts | Name, contact channel (email address, Slack user, Teams user, phone number where applicable) |
4. Processor obligations
- Process personal data only on documented Controller instructions, including those given when configuring the service. Unauthorised processing is prohibited.
- Ensure personnel authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures per Article 32 GDPR. Current measures are described in Annex II.
- Respect the conditions for engaging sub-processors (Article 5).
- Assist the Controller in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, DPIA).
- Assist the Controller in responding to data-subject rights requests.
- At the Controller's choice, delete or return all personal data after end of services.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
The Controller authorises the Processor to use the sub-processors listed in our Privacy Policy. We notify Controllers by email and on the Trust page at least 30 days before adding or replacing a sub-processor; Controllers may object on reasonable grounds. Lists are maintained at /legal/privacy.html#sharing.
6. International transfers
Where personal data is transferred outside the EEA, the Processor uses the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary measures as appropriate. The current Module 2 SCCs are incorporated by reference and apply to transfers under this DPA. The UK Addendum applies to UK-originating data.
7. Security (Annex II summary)
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Data isolation: per-tenant database isolation; row-level security where applicable
- Access control: principle of least privilege; mandatory MFA for staff; quarterly access reviews
- Network: dedicated VPCs, WAF, intrusion detection
- Logging: centralised audit logs retained 12 months; integrity-protected
- Resilience: automated backups; recovery objectives RTO 4h / RPO 1h
- Vulnerability management: continuous scanning; annual external penetration test
- Incident response: documented playbook; 72-hour breach notification
8. Data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. Notifications are sent to the technical contact on the Controller's account.
9. Data subject rights
The Processor will assist the Controller — taking into account the nature of processing and the information available — to respond to requests from data subjects exercising their rights under Chapter III GDPR. Tooling is available within the Newspilot admin console for self-serve export and deletion.
10. Audits
The Processor will make available the following on request, subject to confidentiality terms:
- SOC 2 Type II report (where in force)
- ISO 27001 certification (where in force)
- Penetration-test summary letter
- Sub-processor list
Controllers may, no more than once per 12-month period and on 30 days' notice, request an audit of the Processor's compliance — to be conducted by a mutually agreed independent third-party auditor under appropriate NDAs, at the Controller's expense unless material non-compliance is found.
11. Return or deletion
On termination of services or Controller request, the Processor will, at the Controller's election: (a) return all personal data; or (b) delete all personal data within 30 days, except as required to comply with law (e.g. tax records retained 7 years).
12. Order of precedence
If any conflict arises between this DPA and the Terms of Service, this DPA prevails for matters relating to personal data processing.
13. Contact
DPA, privacy & data-subject requests: privacy@newspilot.io
Security incidents: security@newspilot.io