Data Processing Agreement
Last updated: 2026-05-04
Preamble
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the customer ("Controller") and Etradewind ("Processor"). It applies where Etradewind processes Personal Data on behalf of the Controller subject to the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), or other applicable data protection laws.
This DPA is forked and adapted from the publicly available Vercel and Stripe Data Processing Agreement templates and customized to the Etradewind processing context. By executing the Agreement or accepting these Terms, the Controller and Processor enter into this DPA.
1. Definitions
Capitalized terms used but not defined herein have the meanings given in the GDPR. "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" have the meanings in GDPR Article 4.
2. Subject matter and duration
The subject matter of the Processing is the provision of the Services described in the Agreement. The duration is the term of the Agreement plus any post-termination retention period required by law (typically up to 90 days for AI input/output logs and 7 years for billing records).
3. Nature and purpose of Processing
The Processor processes Personal Data to provide the SaaS marketing platform and done-for-you services, including content generation, multi-channel publishing, email delivery, lead capture, audit logging, and customer support.
4. Categories of Data Subjects and Personal Data
Data Subjects: the Controller's customers, prospects, employees, and end users.
Categories of Personal Data: identity data (name, email), contact data (phone, address), account data, usage data, content data (briefs, prompts, drafts), marketing data (consent records).
5. Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required by law.
- Ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures (TOMs) per Article 32 of the GDPR (see Annex II).
- Assist the Controller in fulfilling its obligations to respond to Data Subject Rights requests.
- Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities under Articles 35-36.
- At the choice of the Controller, delete or return all Personal Data after the end of the Services and delete existing copies, unless storage is required by law.
- Make available to the Controller information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6. Sub-processors
The Controller authorizes the Processor to engage Sub-processors. Current Sub-processors and their processing locations:
- Linode (Akamai) — infrastructure hosting — United States
- Anthropic — AI inference (Claude) — United States
- Resend — transactional email — United States
- Stripe — payment processing — United States
- Cloudflare — CDN, DNS, DDoS protection — United States
The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days before the change takes effect, giving the Controller the opportunity to object. The Processor will impose substantially the same data protection obligations on Sub-processors as set out in this DPA.
7. International data transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a third country, the parties agree that the EU Commission's Standard Contractual Clauses (SCCs) Module Two (Controller-to-Processor) are incorporated by reference and apply, with the following details:
- Module: Module Two (Controller-to-Processor).
- Clause 7 (docking): not applicable.
- Clause 9 (sub-processors): general written authorization, 30-day prior notice (Option 2).
- Clause 11 (redress): independent dispute resolution body unselected.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum): the courts of Ireland.
8. Data Subject Rights
The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Articles 15-22 of the GDPR.
9. Personal Data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data. The notice will describe: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
10. Audits
The Controller may, at its expense and on at least 30 days' written notice, conduct an audit of the Processor's compliance with this DPA, no more than once per 12-month period (or more frequently if required by a supervisory authority). The Processor will use reasonable efforts to accommodate audit requests.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement (Terms of Service Section 10).
12. Term and termination
This DPA takes effect on the effective date of the Agreement and remains in force as long as the Processor processes Personal Data on behalf of the Controller. Termination of the Agreement automatically terminates this DPA, subject to the post-termination obligations regarding return or deletion of Personal Data.
Annex I — Description of Processing
Categories of Data Subjects: as described in Section 4.
Categories of Personal Data: as described in Section 4.
Sensitive Data (if any): none processed by default.
Frequency of Processing: continuous, for the duration of the Agreement.
Nature of Processing: hosting, storage, retrieval, transmission, AI inference, analytics, audit logging, email delivery, payment processing.
Purpose of Processing: provision of the Services.
Period of retention: term of the Agreement plus statutory retention periods (typically up to 90 days for AI logs, 7 years for billing).
Annex II — Technical and Organizational Measures
The Processor implements the following measures:
- Encryption: TLS 1.2+ in transit; AES-256 at rest for databases and backups.
- Access controls: principle of least privilege; role-based access; multi-factor authentication for administrative access.
- Authentication: argon2 password hashing; HttpOnly Secure SameSite=Strict session cookies; explicit JWT algorithm enforcement.
- Audit logging: comprehensive audit trail of all consequential agent actions and administrative changes; SAGA-pattern rollback capability.
- Network security: firewall (UFW), fail2ban, SSH key-only access on production servers, regular security patching.
- Backup and disaster recovery: encrypted daily backups; tested restore procedures; documented RTO/RPO.
- Personnel: background-checked, confidentiality-bound personnel; security training.
- Incident response: documented incident response plan with 72-hour breach notification commitment.
Contact
For DPA inquiries, contact hello@etradewind.com. To execute a counter-signed DPA for enterprise procurement, request via the same email and we will respond within 5 business days.