Data Processing Addendum
Template — Version 1.0, published July 16, 2026
This is a standard-form template made available for review before signature. It is not a signed or executed agreement, and nothing on this page by itself creates a binding data processing arrangement. To execute a signed DPA referencing your specific account, email support@citationsafe.com.
Parties
This Data Processing Addendum (“DPA”) is entered into between Digital Empire LLC, a Wyoming limited liability company with a registered address of 30 N Gould St Ste N, Sheridan, WY 82801, USA, doing business as Citation Safe (“Processor”), and the customer entity identified in the applicable order form or account (“Controller”), together the “Parties.” This DPA supplements and forms part of the Citation Safe Terms of Service.
1. Subject matter and duration
Processor processes personal data on behalf of Controller solely to provide the citation verification Service described in the Terms of Service, for the duration of the underlying subscription plus any period required for legitimate retention (see Section 6 of the Privacy Policy).
2. Nature and purpose of processing
Processing consists of: verifying citations submitted by Controller’s authorized users against public authoritative sources; storing account, authentication, and billing metadata; and, by default, storing a cryptographic hash of submitted documents rather than full document text (see Privacy Policy Section 1).
3. Categories of data subjects
Controller’s authorized users (employees, contractors, or agents who access the Service on Controller’s behalf).
4. Categories of personal data
Account identifiers (name, email), authentication metadata, usage and billing records, and, only where Controller elects to disable the hash-only default, document content submitted for verification.
5. Processor obligations
- Process personal data only on documented instructions from Controller, including regarding international transfers, unless required otherwise by law.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement the technical and organizational measures described at /security — Row Level Security enabled on every production database table, database-backed rate limiting, and payment processing isolated to Stripe.
- Not engage a new subprocessor without giving Controller the opportunity to object, per Section 7 below.
- Assist Controller, insofar as reasonably possible, with data subject rights requests and with Controller’s own obligations under Articles 32-36 GDPR.
- Notify Controller without undue delay after becoming aware of a personal data breach affecting Controller’s data.
- At Controller’s election, delete or return personal data at the end of the Service relationship, subject to legally required retention.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processing
Controller provides general authorization for Processor to engage the subprocessors listed at /subprocessors, which Processor keeps current as subprocessors are added or removed. Processor imposes data protection obligations on each subprocessor materially equivalent to those in this DPA.
7. International transfers
Where personal data originating in the EEA, UK, or Switzerland is transferred to the United States, the transfer is governed by the EU Standard Contractual Clauses (Module Two: Controller to Processor, 2021 version) and, for UK transfers, the UK International Data Transfer Addendum to the EU SCCs, incorporated by reference. Executed copies with the relevant annexes completed are provided upon signed-DPA request.
8. Audits
Processor makes available the information described in Section 5 to demonstrate compliance and permits audits, including inspections, by Controller or an auditor mandated by Controller, subject to reasonable notice, confidentiality, and no more than once per 12-month period absent a suspected breach.
9. Precedence
In the event of a conflict between this DPA and the Terms of Service on data protection matters, this DPA controls.
Executing a signed copy
This page is a public template for pre-signature review. To execute a DPA bound to your specific account and order form (with SCC annexes completed), email support@citationsafe.com with your account email and entity name.
See also: Security · Subprocessor list · Privacy policy · Terms of Service
Digital Empire LLC · 30 N Gould St Ste N, Sheridan, WY 82801. This template is provided for informational purposes and does not constitute legal advice; consult your own counsel before relying on it.