1. Introduction
This Data Processing Addendum (DPA) supplements the distro Terms of Service and governs how we process personal data on your behalf. It applies to customers whose use of distro involves processing personal data of individuals in the EU, UK, or other GDPR-equivalent jurisdictions.
If you need a signed DPA for your compliance records, email [email protected] and we'll provide a countersigned copy within 5 business days.
2. Roles and responsibilities
You are the Data Controller for any personal data you put into distro — your app users' information, your contacts, your team members.
distro is the Data Processor. We process this data only on your documented instructions, which are defined by how you configure and use the product.
For your own account data (your email, profile, usage metrics), distro is the Controller.
3. Scope of processing
Subject matter: provision of the distro platform.
Duration: for as long as you maintain an active account.
Purpose: enabling you to capture ideas, generate drafts, publish posts, and use all features of distro.
Nature: storage, computation (AI generation via your BYOK), display.
Types of data: as described in our Privacy Policy.
4. Authorized subprocessors
You authorize distro to engage the subprocessors listed at /subprocessors. We'll notify you of any new subprocessor at least 30 days before engagement. You can object to new subprocessors in writing — if we can't resolve the objection, you may terminate your subscription with a pro-rated refund.
5. Security measures
distro implements appropriate technical and organizational measures to protect personal data, as described in detail on our Security page. These include encryption (at rest and in transit), Row Level Security, access controls with 2FA, monitoring, and incident response.
6. Data subject rights
distro will assist you in responding to data subject requests (access, deletion, correction, portability, objection) within the timeframes required by applicable law. We provide self-service tools in Settings → Data for most requests; for anything our tools can't handle, email [email protected].
7. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. Our primary processing regions are EU (Frankfurt) and Asia-Pacific (Bangalore). US-based subprocessors (Stripe, some infrastructure) are bound by SCCs in our agreements with them.
8. Breach notification
If distro becomes aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of discovery. Our notification will include: nature of the breach, categories and approximate numbers of affected records, likely consequences, measures taken to address it, and contact details for follow-up.
9. Termination and deletion
Upon termination of your subscription, you have 30 days to export your data. After 30 days, distro will delete personal data from production systems. Backup retention is 35 days, so data may persist in backups for up to 35 days post-deletion before being overwritten.
On written request, distro will provide a certificate of deletion within 30 days of completion.
10. Audits
You have the right to audit distro's compliance with this DPA upon reasonable written notice (typically 30 days). Audits are at your expense and will be conducted during business hours in a manner that doesn't interfere with our operations. For most customers, our SOC 2 reports (once available) or documentation on this page will be sufficient to satisfy audit requirements.
11. Contact
Data Protection Officer: [email protected]
DPA-specific questions: [email protected]
EU Representative: [To be appointed if required. Currently our EU users are served directly via our EU-region infrastructure.]