This DPA is available to qualifying Enterprise customers. To request a signed DPA, contact support@writerzroom.com.
Agreement Overview
Roles
Controller and Processor responsibilities.
Security
Technical and organizational safeguards.
Sub-processors
Service categories used to deliver the Service.
Enterprise Use
Signed DPA available for qualifying Enterprise customers.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by WriterzRoom on behalf of the Controller.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Sub-processor” means any third party engaged by WriterzRoom to process Personal Data on behalf of the Controller.
- “Data Subject” means the individual to whom Personal Data relates.
- “Applicable Law” means GDPR, UK GDPR, CCPA, and any other data protection legislation applicable to the Controller’s jurisdiction.
2. Scope and Role of Parties
The Controller determines the purposes and means of processing Personal Data. WriterzRoom processes Personal Data solely on documented instructions from the Controller, specifically to deliver the AI content generation Service described in the Terms of Service. WriterzRoom does not sell Personal Data or use Personal Data to train AI models. WriterzRoom processes Personal Data only as needed to provide, secure, support, and improve the Service in accordance with the Terms of Service and this DPA.
3. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing Personal Data and for instructing WriterzRoom to process it
- It has provided all required notices and obtained all required consents from Data Subjects
- Its instructions to WriterzRoom comply with Applicable Law
- It will promptly notify WriterzRoom of any changes to its instructions that may affect WriterzRoom’s compliance obligations
4. Processor Obligations
WriterzRoom agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law
- Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 6
- Assist the Controller in responding to Data Subject rights requests to the extent technically feasible
- Notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Controller data, in accordance with applicable law and the signed DPA
- Delete or return all Personal Data upon termination of the Service, at the Controller’s election, within 30 days
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA
5. Sub-processors
The Controller grants WriterzRoom general authorization to engage sub-processors. Current sub-processor categories are:

| Sub-processor Category | Purpose | Location |
|---|---|---|
| AI generation providers | Content generation and editing workflows | United States |
| Cloud infrastructure providers | Hosting, database, storage, and availability services | United States |
| Payment processors | Subscription billing and payment processing | United States |
| Research and source providers | Research enrichment and source discovery | United States |
| Email providers | Transactional email delivery | United States |
| Monitoring providers | Reliability monitoring, diagnostics, and operational tracing | United States |
6. Security Measures
WriterzRoom maintains the following technical and organizational measures.
Encryption
TLS 1.2+ for data in transit, managed encryption for data at rest, and encrypted handling of secrets, credentials, and API keys.
Access Controls
Role-based access control, least-privilege practices, restricted administrative access, and MFA for administrative access.
Monitoring and Incident Response
Platform monitoring, operational alerting, documented incident response, and breach notification procedures aligned with applicable legal and contractual obligations.
Availability
Managed production hosting with scaling controls, database backups, and recovery procedures.
7. Data Subject Rights
WriterzRoom will assist the Controller in fulfilling Data Subject rights requests, including access, rectification, erasure, restriction, and portability, to the extent technically feasible given the nature of the processing. The Controller remains responsible for responding to Data Subjects directly.
8. International Transfers
WriterzRoom processes and stores production data in the United States. For Controllers subject to GDPR or UK GDPR transferring Personal Data from the EEA or UK, such transfers are made on the basis of Standard Contractual Clauses, or SCCs, as adopted by the European Commission and incorporated into this DPA by reference. Applicable transfer terms can be addressed through the Enterprise contracting process. Contact support@writerzroom.com for details.
9. HIPAA Considerations
WriterzRoom is not currently intended for processing Protected Health Information, or PHI, under HIPAA unless a separate written agreement expressly permits that use.
10. Audit Rights
The Controller may request an audit of WriterzRoom’s data processing activities relevant to this DPA with reasonable prior notice of at least 30 days and no more than once per calendar year. WriterzRoom may satisfy audit requests by providing current third-party audit reports, certifications, or written responses to reasonable audit questionnaires instead of on-site audits.
11. Term and Termination
This DPA remains in effect for the duration of the Controller’s subscription to the Service. Upon termination, WriterzRoom will delete or return all Personal Data within 30 days unless retention is required by law.
12. Governing Law
This DPA is governed by the laws of the State of Missouri, consistent with the governing law of the Terms of Service.
13. Execution
To request a countersigned DPA for your organization, contact support@writerzroom.com with the subject line:
DPA Request: [Company Name]
WriterzRoom will review DPA requests and respond with next steps.
Enterprise customers with regulated-domain requirements should contact WriterzRoom before submitting regulated or highly sensitive data to the Service.