Data Processing Addendum (DPA)
The Data Processing Addendum incorporated by reference into the Terms of Service for customers acting as controllers under GDPR / UK GDPR. Establishes Showly as a processor, defines instructions, and ties to Standard Contractual Clauses for cross-border transfers.
Authoritative source: legal/dpa.md in the platform repository. Each section flagged [REVIEW] in the source awaits external counsel input before going live.
Parties + scope
Customer is the controller; Showly is the processor. The DPA covers personal data processed on the customer's behalf in the course of operating the Showly Platform — namely the user accounts of the customer's team members, end-user analytics data the customer collects via the Showly pixel, and any other personal data the customer chooses to store using Showly's primitives.
Processor obligations
- documented instructions: Showly only processes personal data per the customer's documented instructions, as embodied in the Terms of Service and the platform's stated functionality
- confidentiality: Showly personnel with access are bound by confidentiality obligations
- security measures: as detailed in Annex II — encryption at rest (CMEK), encryption in transit (TLS 1.2+), least-privilege IAM, audit logging, MFA for privileged operations
- sub-processor controls: Showly maintains a list at legal/sub-processors.md and notifies customers 30 days before adding a new one
- incident notification: within 72 hours of confirmed personal data breach affecting the customer's data
- data subject requests: Showly assists the customer in responding to GDPR Articles 15–22 requests, primarily by surfacing the relevant data via the admin APIs
- audit rights: annual third-party audits (SOC 2 Type I in progress, Type II thereafter); raw audit logs available to Enterprise customers via SIEM export
Cross-border transfers
Where personal data is transferred from the EEA / UK to a third country lacking an adequacy decision, the transfer relies on the Standard Contractual Clauses (Commission Decision 2021/914). The SCC text is incorporated into this DPA by reference and is published at legal/scc.md.
Enterprise customers can request EU data residency. When enabled, personal data of EEA / UK users stays in the europe-west1 region; cross-region traffic is limited to aggregated, deidentified platform metrics.
Termination
On termination of the underlying agreement, Showly will at the customer's choice either return or delete the personal data within 30 days, save where retention is required by applicable law (e.g. tax recordkeeping, audit log retention). The customer can confirm completion via the audit export API.
Signing
DPA execution is automated for paid plans — by accepting the Terms of Service the customer accepts this DPA. A signed PDF, countersigned by Showly, is available on request via legal@showly.ai. Enterprise contracts negotiate the DPA terms directly with counsel.
This page summarises the current draft. The repository holds the full structural document — see the legal/dpa.md referenced above. Substantive language is intentionally conservative until counsel review concludes.