Back to Help Center

Security & Privacy

Data Protection Agreement (DPA)

Available on Enterprise plans. Drafted to GDPR Article 28(3) and covers processing scope, security measures, sub-processors, and deletion on termination.

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28 whenever a data controller (your organisation) engages a data processor (8 Million Stories) to process personal data on its behalf. The DPA defines what data is processed, for what purpose, under what security measures, and what each party's responsibilities are.

The DPA doesn't create new privacy obligations. it formalises the ones that already exist under GDPR and documents compliance with Article 28's requirements. Having a DPA in place is a prerequisite for many enterprise procurement processes and GDPR compliance audits.

Who needs a DPA with 8 Million Stories?

You may need a DPA if:

  • Your organisation is based in the EEA, UK, or Switzerland, or you process data about people in those regions.
  • Your organisation's information security or legal team requires DPAs with all data processors.
  • You're using 8 Million Stories in a client-facing capacity and your clients require DPAs with sub-processors.
  • Your DPO (Data Protection Officer) has identified 8 Million Stories as a data processor in your data mapping exercise.

For many users, particularly individual consultants and small teams, the 8 Million Stories Terms of Service and Privacy Policy are sufficient documentation. A formal DPA is primarily needed for enterprise procurement and regulated industries.

What the 8 Million Stories DPA covers

The 8 Million Stories DPA, drafted in accordance with GDPR Article 28(3), covers:

  • The subject matter, nature, and purpose of processing.
  • Categories of personal data processed (account data, audit metadata).
  • 8 Million Stories' obligations as data processor, including security measures and sub-processor management.
  • Your rights as data controller, including audit rights and the right to instruct processing.
  • Sub-processor list (Supabase, Google Cloud, Upstash, Stripe, Vercel) and notification procedures for sub-processor changes.
  • Data deletion obligations upon contract termination.

How to request a DPA

DPAs are available to Enterprise plan customers. To request one, contact our support team with the subject line "DPA Request" and include your organisation's legal name and jurisdiction. We'll provide a standard DPA for review within 5 business days. If your legal team has specific amendments, please send the redlined version and we'll review via our legal counsel.

If you're not yet on an Enterprise plan but require a DPA as a condition of procurement, contact sales to discuss your requirements. we can often accommodate DPA requests on Professional plans for regulated industries.

Still need help?

Contact our support team. we typically respond within 1 business day.

Contact Support