Data Processing Agreement (DPA)
Last updated: April 2026
This Data Processing Agreement ('DPA') is entered into between athcode ('Amendly', processor) and any organisation using the Amendly platform ('the Client', controller). It supplements the Terms of Service and applies to all processing of personal data carried out by Amendly on behalf of the Client, in accordance with Article 28 GDPR (Regulation EU 2016/679).
1. Subject matter and duration
Amendly agrees to process personal data provided or generated by the Client solely for the purpose of providing the Amendly service (collaborative amendment management). This DPA takes effect on the date of acceptance of the Terms of Service and remains in force for the duration of the service agreement.
2. Nature and purpose of processing
Amendly processes the Client's data for the following purposes: storing and displaying documents, amendments, comments, and activity logs; sending transactional notifications to members and contributors; authenticating members (magic link, Google OAuth); enforcing security rules and rate limits.
3. Categories of data and data subjects
Data subjects: members of the Client's organisation (email, name, job title, company); external contributors (optional name and email); invitees (email, invitation status).
Data categories: identification data (name, email); professional data (company, job title); content data (document and amendment text); traceability data (timestamps, IP addresses, activity logs).
4. Obligations of Amendly
Amendly agrees to: process data only on documented instructions from the Client; maintain data confidentiality (TLS encryption, restricted access); not use the data for its own commercial purposes; only engage sub-processors listed in Article 6; notify the Client within 72 hours of becoming aware of a data breach; cooperate in responding to data subject rights requests.
5. Obligations of the Client
The Client agrees to: have a valid legal basis for the data entrusted to Amendly; inform data subjects (members, contributors) of the use of Amendly via their own privacy notice or at the point of collection; not submit to Amendly special category data under Article 9 GDPR without prior written agreement.
6. Authorised sub-processors
Hetzner Online GmbH (Germany) — hosting.
Stripe Inc. (United States) — payments; EU SCCs in place.
Resend Inc. (United States) — transactional email; EU SCCs in place.
Cloudflare Inc. (United States) — anti-bot protection (Turnstile); EU SCCs in place.
Google LLC (United States) — OAuth authentication; EU SCCs in place.
Any addition or replacement of a sub-processor will be notified to the Client with 14 days' notice.
7. Data breach notification
In the event of a personal data breach affecting the Client's data, Amendly will notify the Client by email (to the organisation owner's address) within 72 hours of becoming aware of the incident. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
8. Fate of data at end of contract
Upon expiry or termination of the service contract, Amendly will delete the Client's data within 30 days, unless required by law to retain it. On request made before that deadline to [email protected], Amendly can provide an export of documents and amendments in DOCX or JSON format.
9. Audit rights
The Client may, upon written request to [email protected] with 30 days' notice, request information on Amendly's security and compliance measures. Amendly will respond within a reasonable timeframe. If a more extensive audit is required, it shall be conducted by an independent third party at the Client's expense and must not disrupt Amendly's operations.
Contact
For any questions regarding this DPA or to report a breach, email [email protected].