Privacy & DPA (outline)
This page explains how DraftGuard handles data for the Agency model (Customer = agency, end‑clients = authorized users). It is a practical outline to help agencies assess GDPR roles and required paperwork.
1) Roles (GDPR)
- Customer (agency) typically acts as the Controller.
- DraftGuard acts as a Processor for Customer.
- End‑clients are Customer’s users; they are not parties to the agreement with DraftGuard.
2) What data is processed
DraftGuard processes message payloads sent by Customer (for example: customer messages, AI draft replies, final replies, identifiers, and delivery metadata). Customer controls what is sent and remains responsible for lawfulness and content.
3) Data Processing Addendum (DPA) outline
A DPA for the Agency model should include, at minimum:
- Subject matter: webhook‑based processing of drafts and delivery callbacks.
- Duration: for the term of the subscription and any agreed retention window.
- Nature & purpose: enable human approval and delivery of replies.
- Types of data: message content, identifiers, delivery logs/metadata.
- Data subjects: Customer’s end‑users and customers (depending on Customer’s use case).
- Processor obligations: confidentiality, appropriate technical and organizational measures, assistance with requests, breach notification, deletion/return at end of contract.
- Sub‑processors: list categories and provide a notice mechanism for changes.
- International transfers: describe where data is processed and which safeguards apply (if applicable).
- Audit: reasonable audit rights or security reports.
4) Marketing‑safe sentence (Agency model)
“Your clients can use DraftGuard as authorized users. Your agency remains the customer: you control the workspaces, billing, and integrations.”
Note: This is an outline for clarity and procurement. Your lawyer should finalize the DPA text for your jurisdiction and sub‑processor setup.
