Last updated: June 17, 2026

Data Processing Addendum

This Data Processing Addendum forms part of the Terms of Service between the customer and Rupam Poddar, doing business as Tenwrite, an individual operator based in India.

1. Definitions

  • “Agreement” means the Terms of Service or other agreement governing Customer’s use of the Services.
  • “Customer” means the person or organization using the Services and determining the purposes and means of processing Customer Personal Data.
  • “Processor” means Rupam Poddar, doing business as Tenwrite, when processing Customer Personal Data on Customer’s behalf.
  • “Services” means Tenwrite’s website, application, integrations, automation tools, publishing features, and related services.
  • “Customer Personal Data” means any personal data that Customer provides or makes available to Processor for processing on Customer’s behalf.
  • “Data Protection Laws” means all laws and regulations applicable to the processing of Customer Personal Data, including the GDPR/UK GDPR where applicable.
  • “GDPR” means Regulation (EU) 2016/679; “UK GDPR” means the UK General Data Protection Regulation and Data Protection Act 2018.
  • “Sub-processor” means any processor engaged by Processor to process Customer Personal Data.

2. Roles and Scope

  • Customer acts as controller or processor for Customer Personal Data, as applicable to Customer’s business and legal obligations.
  • Processor acts as processor or sub-processor, as applicable, when processing Customer Personal Data on Customer’s behalf.
  • Processor will process Customer Personal Data only on documented instructions from Customer, solely to provide the Services, secure and support the Services, and comply with law.

3. Customer Obligations

Customer is responsible for:

  • ensuring it has a lawful basis and all required rights, notices, and consents to provide Customer Personal Data to Processor;
  • ensuring its instructions comply with Data Protection Laws;
  • ensuring Customer Personal Data submitted to the Services is appropriate for the Services;
  • avoiding submission of special-category, highly sensitive, regulated, or children’s data unless Customer has a lawful basis and appropriate safeguards;
  • managing its users, team members, connected accounts, source documents, publishing destinations, and automation configurations.

4. Processing Details

  • See Annex 1 for Processing Details.

5. Processor Obligations

Processor shall:

  • Implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • Ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Assist Customer, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise data subject rights under Data Protection Laws.
  • Assist Customer in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations, taking into account the nature of processing and the information available to Processor.
  • Notify Customer without undue delay after becoming aware of a personal data breach involving Customer Personal Data.

6. Sub-processing

  • Customer authorizes Processor to engage Sub-processors to support the Services. The current list is published on our Sub-processors page. Updates to that page constitute notice of Sub-processor changes under this DPA, unless applicable law requires a different form of notice.

If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer may contact us within 10 days of the update. We will use reasonable efforts to address the objection. If we cannot reasonably resolve it, Customer may stop using the affected feature or terminate the affected Services, subject to the Agreement.

  • Processor will impose on Sub-processors data protection obligations no less protective than those set out in this DPA.
  • Processor remains responsible for Sub-processor actions and omissions to the same extent Processor would be responsible.

7. International Transfers

  • Where Customer Personal Data originating in the EEA/UK/Switzerland is transferred to a country that does not ensure an adequate level of protection, the parties will rely on appropriate transfer safeguards where required, such as the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, or other lawful transfer mechanisms as applicable.

    The appropriate SCC module will apply based on the parties’ roles for the relevant processing activity. Processor will make relevant transfer terms or information available upon reasonable request.

8. Data Subject Requests

  • If Processor receives a request directly from a data subject relating to Customer Personal Data, Processor will, where reasonably possible, advise the data subject to contact Customer directly and will promptly forward the request to Customer.

9. Audit and Documentation

Upon reasonable written request and no more than once per 12 months, Processor will make available information reasonably necessary to demonstrate compliance with this DPA, such as written responses, security summaries, policy excerpts, or other relevant documentation.

Customer audits must be reasonable, limited in scope, subject to confidentiality, and conducted in a way that does not compromise the security, confidentiality, availability, or operation of the Services or other customers’ data.

Remote audits and questionnaire-based assessments are preferred given our size as a solo-operated service. On-site inspections are not available unless required by applicable law or agreed in writing in advance.

10. Return and Deletion

Upon termination of the Services or upon Customer’s written request, Processor will delete or return Customer Personal Data where reasonably feasible, unless retention is required or permitted for legal, billing, tax, security, fraud-prevention, dispute-resolution, backup, or operational purposes.

Where deletion from backups is not immediately feasible, Processor will protect the data from active processing and delete it according to its normal backup lifecycle, unless earlier deletion is technically feasible.

11. Liability

  • The parties’ aggregate liability under this DPA is subject to the limitations and exclusions of liability set out in the main Agreement.

12. Precedence

  • In case of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to the processing of Customer Personal Data.

13. Miscellaneous

  • This DPA is governed by the governing law specified in the Agreement. If the Agreement does not specify governing law, Indian law applies (excluding conflict of laws). Any disputes will follow the dispute resolution provisions in the Agreement.

Annex 1: Processing Details

ItemDetails
Subject matterProviding Tenwrite’s Google Docs to WordPress/Blogger publishing, automation, media processing, site management, and related SaaS features
DurationFor the duration of the customer’s use of Tenwrite, plus any retention period described in the Privacy Policy
Nature and purposeHosting, storing, converting, publishing, syncing, automating, securing, supporting, and improving the Service
Data subjectsTenwrite users, team members, customers, support contacts, and individuals whose data appears in user-provided content
Data categoriesAccount data, Google profile data, Google Docs content, Drive metadata, Sheets rows, Blogger/WordPress site data, publishing metadata, media files and hosted images, logs, billing identifiers, support messages, credentials/tokens where applicable
Special category dataNot intentionally collected. The Services are not designed for health records, financial account numbers, government IDs, biometric data, children’s data, or special-category data under GDPR. Customers must not submit such data unless they have a lawful basis and appropriate safeguards
Primary hosting locationEuropean Union, via Hetzner-hosted infrastructure
Sub-processorsListed on the Sub-processors page

Annex 2: Security Measures

Tenwrite applies reasonable technical and organizational measures, including:

  • EU-based backend hosting via Hetzner;
  • HTTPS/TLS for data in transit;
  • restricted administrative access;
  • encryption or equivalent protection for stored credentials and OAuth tokens where applicable;
  • limited access to production systems based on operational need;
  • monitoring and error logging for reliability and abuse detection;
  • separation of customer data where technically appropriate;
  • deletion and retention controls as described in the Privacy Policy;
  • access controls;
  • logging and monitoring;
  • infrastructure hardening where applicable;
  • backups where applicable;
  • sub-processor review appropriate to the size and risk profile of the Service.