Data Processing Agreement
Effective 15 June 2026.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Customer", "Controller") and the business operating Disclosed ("Disclosed", "Processor"). It applies where, in providing the Service, Disclosed processes personal data on the Customer's behalf — principally the disclosure-event data generated by the Customer's website visitors through the embedded widget or SDK. Capitalised terms not defined here have the meaning in the GDPR.
By accepting the Terms of Service, the Customer enters into this DPA. If you require a signed copy or your own form, contact privacy@disclosed.sh.
1. Roles and scope
The Customer is the Controller and Disclosed is the Processor for the personal data described in Annex A. Each party complies with the data-protection law applicable to it (including the GDPR and UK GDPR). For Disclosed's own account, billing, and website data, Disclosed is the controller and the Privacy Policy applies — that processing is not governed by this DPA. Our payment provider (Polar, Merchant of Record) acts as an independent controller for billing and is not a sub-processor under this DPA.
2. Processing on documented instructions
Disclosed processes the personal data only on the Customer's documented instructions, including as to international transfers, unless required to do otherwise by Union or Member State law — in which case Disclosed will inform the Customer of that requirement before processing, unless the law prohibits it. The Terms of Service, this DPA, and the Customer's use and configuration of the Service constitute the Customer's complete documented instructions. Disclosed will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
3. Confidentiality
Disclosed ensures that persons authorised to process the personal data are bound by an appropriate duty of confidentiality.
4. Security (Article 32)
Disclosed implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
5. Sub-processors
The Customer provides general authorisation for Disclosed to engage sub-processors. The current sub-processors are listed in Annex C. Disclosed will: (a) impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, by written contract; (b) remain fully liable to the Customer for a sub-processor's performance; and (c) give the Customer advance notice of any intended addition or replacement of a sub-processor (for example, by updating Annex C and notifying registered account contacts), so the Customer has a reasonable opportunity to object on reasonable data-protection grounds. If the Customer reasonably objects and the parties cannot resolve it, the Customer may terminate the affected part of the Service.
6. Assistance with data-subject rights
Taking into account the nature of the processing, Disclosed assists the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests to exercise data-subject rights under Chapter III of the GDPR. If a data subject contacts Disclosed directly about data processed for the Customer, Disclosed will refer them to the Customer.
7. Assistance with security, breaches, and impact assessments
Disclosed assists the Customer in ensuring compliance with Articles 32 to 36 of the GDPR (security, personal-data-breach notification, data-protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Disclosed. Disclosed will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data, with the information reasonably available to help the Customer meet its own notification obligations.
8. Deletion or return
At the Customer's choice, on termination of the Service Disclosed will delete or return all personal data processed on the Customer's behalf and delete existing copies, unless Union or Member State law requires continued storage. Where deletion is requested, it will be carried out within a reasonable period.
9. Audits and information
Disclosed makes available to the Customer all information reasonably necessary to demonstrate compliance with Article 28, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are on reasonable prior notice, no more than once per year (except following a breach or where required by a supervisory authority), during business hours, subject to confidentiality, and conducted so as not to disrupt Disclosed's operations. Disclosed may satisfy audit requests by providing relevant documentation or third-party reports where available.
10. International transfers
Where processing under this DPA involves a transfer of personal data outside the EEA or the UK, the parties rely on an appropriate Chapter V transfer mechanism: the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), including Module Two (controller-to-processor) between the Customer and Disclosed and Module Three (processor-to-processor) for onward transfers to sub-processors; the EU-US Data Privacy Framework where the recipient is certified; or an applicable adequacy decision. The applicable SCCs are incorporated into this DPA by reference and completed by the details in the Annexes; in case of conflict, the SCCs prevail for the transfer they govern.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except to the extent those limitations are not permitted by applicable data-protection law. Nothing in this DPA limits a data subject's rights under Article 82 GDPR.
12. Order of precedence and term
This DPA forms part of and is subject to the Terms of Service. In case of conflict on the processing of personal data, this DPA prevails over the body of the Terms; for an international transfer, the SCCs prevail over this DPA. This DPA remains in effect for as long as Disclosed processes personal data on the Customer's behalf.
Annex A — Details of processing
- Subject matter: provision of the Disclosed Service (AI-disclosure widget, SDK, evidence records, and related features).
- Duration: for the term of the Customer's use of the Service, plus any retention period under the Terms or required by law.
- Nature and purpose: logging, storing, hashing, and producing tamper-evident records of AI-disclosure events to operate the Service for the Customer, and transient processing for security and rate-limiting.
- Type of personal data: disclosure-event metadata — event type, locale, timestamp, a hashed representation of the page URL, configuration version, and site key; and IP addresses processed transiently for security and rate-limiting. The Service is designed not to collect website-visitor identifiers or other direct visitor personal data.
- Categories of data subjects: visitors and users of the Customer's websites and applications on which the Service is deployed.
- Special categories of data: none are intended or required; the Customer must not configure the Service to process special-category data.
Annex B — Security measures
- Encryption of personal data in transit.
- Application data hosted in the EU (Convex, region eu-west-1).
- Access controls and authentication for administrative access.
- Data minimisation by design (hashed page URLs; no visitor identifiers; transient-only IP processing).
- Tamper-evident, hash-chained event records enabling integrity verification.
- Logging and monitoring appropriate to the Service.
Annex C — Sub-processors
| Sub-processor | Purpose | Location | |---|---|---| | Clerk | Authentication and account management | EU / US (safeguarded) | | Convex | Application database and backend | EU (eu-west-1) | | Vercel | Hosting and content delivery | EU / US (safeguarded) | | DataFast | Privacy-focused product analytics | EU / US (safeguarded) |
Polar (payments, Merchant of Record) acts as an independent controller and is not a sub-processor under this DPA.
Disclosed provides compliance tooling and records; this document is not legal advice. Review it with your own counsel before relying on it.