🔥 Black Friday Save 25% on all yearly plans

Last updated: November 4, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”) and the Tenwrite operator (“Processor” or “we”). It applies to the extent we process Customer Personal Data as a processor on behalf of Customer in connection with the Services.

This DPA is designed for small teams and solo-operator businesses. By using the Services, you agree that this DPA applies unless we have a separate signed DPA.

1. Definitions

  • “Customer Personal Data” means any personal data that Customer provides or makes available to Processor for processing on Customer’s behalf.
  • “Data Protection Laws” means all laws and regulations applicable to the processing of Customer Personal Data, including the GDPR/UK GDPR where applicable.
  • “GDPR” means Regulation (EU) 2016/679; “UK GDPR” means the UK General Data Protection Regulation and Data Protection Act 2018.
  • “Sub-processor” means any processor engaged by Processor to process Customer Personal Data.

2. Roles and Scope

  • Customer is the controller and determines the purposes and means of processing.
  • Processor will process Customer Personal Data only on documented instructions from Customer and solely to provide and improve the Services and to comply with law.

3. Processor Obligations

Processor shall:

  • Implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • Ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Assist Customer, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise data subject rights under Data Protection Laws.
  • Assist Customer in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations, taking into account the nature of processing and the information available to Processor.
  • Notify Customer without undue delay after becoming aware of a personal data breach involving Customer Personal Data.

4. Sub-processing

  • Customer authorizes Processor to engage Sub-processors to support the Services. The current list is published on our Sub-processors page.
  • Processor will impose on Sub-processors data protection obligations no less protective than those set out in this DPA.
  • Processor remains responsible for Sub-processor actions and omissions to the same extent Processor would be responsible.

5. International Transfers

  • Where Customer Personal Data originating in the EEA/UK/Switzerland is transferred to a country that does not ensure an adequate level of protection, the parties agree the European Commission Standard Contractual Clauses (Controller to Processor) apply and are incorporated by reference. Processor will make the SCCs available upon request.

6. Data Subject Requests

  • If Processor receives a request directly from a data subject relating to Customer Personal Data, Processor will, where reasonably possible, advise the data subject to contact Customer directly and will promptly forward the request to Customer.

7. Audit and Documentation

  • Upon reasonable written request and no more than once per 12 months, Processor will make available information reasonably necessary to demonstrate compliance with this DPA. To the extent such information is insufficient, Customer may conduct an audit (including inspections) once per 12 months, during normal business hours, subject to reasonable notice, confidentiality, and Processor’s security policies. Remote audits and questionnaire-based assessments are preferred given our size as a solo-operated service.

8. Return and Deletion

  • Upon termination of the Services or upon Customer’s written request, Processor will delete or return Customer Personal Data, unless retention is required by law. Where deletion from backups is not immediately feasible, Processor will securely store and isolate the data until deletion is possible.

9. Liability

  • The parties’ aggregate liability under this DPA is subject to the limitations and exclusions of liability set out in the main Agreement.

10. Precedence

  • In case of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to the processing of Customer Personal Data.

11. Miscellaneous

  • This DPA is governed by the governing law specified in the Agreement. If the Agreement does not specify governing law, Indian law applies (excluding conflict of laws). Any disputes will follow the dispute resolution provisions in the Agreement.