Data Processing Agreement
Last updated: 2026-06-28 · Effective: 2026-06-28
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Mastheads Terms of Service (the “Agreement”) between you (the “Customer”) and the operator of Mastheads (“Mastheads”, “we”, “us”). It governs our processing of personal data on your behalf when you use the Mastheads platform. If you require a counter-signed copy for your records, contact [email protected].
This DPA is written to align with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025, and with the EU/UK General Data Protection Regulation (“GDPR”) for customers to whom it applies. Where the two frameworks use different words for the same role, we treat them as equivalent.
1. Roles & definitions
- Personal data means any information about an identifiable individual that we process on your behalf through the platform.
- You act as the Data Fiduciary (DPDP Act) / Controller (GDPR): you decide why and how the personal data is processed.
- We act as the Data Processor (DPDP Act) / Processor (GDPR): we process the data only to provide the service, on your documented instructions.
- A Data Principal (DPDP Act) / Data Subject (GDPR) is the individual the personal data is about.
- A sub-processor is a third party we engage to help deliver the service. Our current sub-processors are listed in Schedule B.
2. Scope & instructions
We process personal data only to provide, secure, and support the platform, and only on your documented instructions — which include this DPA, the Agreement, your configuration choices in the dashboard, and your use of the service. We will not sell your personal data, nor use it to train our own or any third party’s general-purpose models. If we believe an instruction violates applicable data-protection law, we will tell you. The subject matter, nature, purpose, duration, categories of data, and categories of Data Principals are described in Schedule A.
3. Confidentiality
We keep personal data confidential and ensure that anyone authorized to process it is bound by an appropriate duty of confidentiality and processes it only as needed to deliver the service.
4. Security
We maintain reasonable technical and organizational security safeguards appropriate to the risk, as required by the DPDP Act and GDPR. These are described in Schedule C and include, at a minimum: per-tenant data isolation, encryption of data in transit, access controls and least-privilege credentials, and append-only audit logging of consent and key actions. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard practices.
5. Sub-processors
You authorize us to engage the sub-processors listed in Schedule B to process personal data as needed to deliver the service. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will update Schedule B before adding or replacing a sub-processor that processes your personal data; if you have a reasonable, data-protection-based objection, contact [email protected] and we will work in good faith to address it, which may include you ceasing use of the affected feature.
6. Data Principal rights
Taking into account the nature of the processing, we will assist you with reasonable technical and organizational measures so you can respond to requests from Data Principals to access, correct, update, or erase their personal data, and to grievance-redressal requests under the DPDP Act. Many of these actions you can perform directly in your dashboard (including content export and deletion). If a Data Principal contacts us directly about data we process on your behalf, we will refer them to you unless legally required to act otherwise.
7. Personal data breach
If we become aware of a personal data breach affecting your personal data, we will notify you without undue delay and provide the information reasonably available to help you meet your own notification obligations — including to the Data Protection Board of India and affected Data Principals under the DPDP Act, and to supervisory authorities and data subjects under the GDPR, where those apply to you.
8. International transfers
The platform and several of our sub-processors operate outside India and outside the EU/UK (see Schedule B). By using the service you instruct us to transfer personal data to those locations to deliver it. We will not transfer personal data to any country that the Government of India restricts under the DPDP Act. Where the GDPR applies, transfers outside the EU/UK rely on an approved transfer mechanism (such as the EU Standard Contractual Clauses), available on request.
9. Return & deletion
You can export your content at any time from the dashboard. On termination of the Agreement, we will delete or return personal data we process on your behalf within a reasonable period, except where we are required to retain it by law. Certain records — such as append-only legal-acceptance, audit, and disclosure ledgers — are retained as required for legal and compliance purposes and are pseudonymized rather than deleted where deletion would defeat their legal purpose.
10. Audits & information
On reasonable written request, and no more than once per year unless required by a supervisory authority or following a breach, we will provide information reasonably necessary to demonstrate our compliance with this DPA. To protect the security and confidentiality of all customers, on-site audits are limited to enterprise customers under a separate confidentiality agreement and at reasonable times.
11. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict between this DPA and the Agreement on the subject of personal-data processing, this DPA prevails.
12. Contact & grievances
For any question, instruction, sub-processor objection, or grievance relating to personal data, contact our data-protection contact at [email protected]. We aim to respond to data-protection grievances within the timelines required by applicable law.
Schedule A — Details of processing
- Subject matter: provision of an automated editorial content-generation and website-publishing service.
- Duration: for the term of the Agreement, plus any legally required retention period.
- Nature & purpose: storing account data; retrieving content from reference links you submit; generating and editing content; publishing it to your connected website or making it available to you as drafts to read and export (where you operate without a connected website); processing payments; sending service communications; and securing and supporting the platform.
- Categories of Data Principals: your authorized users and account contacts; and any individuals named or depicted in source material, briefs, or content you process through the platform.
- Categories of personal data: account identifiers (name, email), authentication identifiers (OAuth tokens, session data), billing and transaction data (handled by our payment processor), connection credentials you provide for your own websites, any briefs, reference links, or source material you submit (and the content we retrieve from links you provide), IP address and request metadata, and any other personal data contained in the content you submit.
- Special / sensitive categories: the platform is not intended for the processing of sensitive personal data; please do not submit it through briefs or source material.
Schedule B — Sub-processors
We engage sub-processors in the following categories to deliver the service. Some are used only when the relevant feature or integration is enabled. A current list naming each sub-processor is available to customers on request to [email protected].
| Category | Purpose | Region |
|---|---|---|
| Infrastructure, CDN, DNS & security | Content delivery, DNS, edge compute, and protection for the platform and its endpoints | Global |
| Payment processor (Merchant of Record) | Subscription billing and payment processing; card data is held by the processor, never by us | Global |
| Email delivery | Delivery of transactional and service emails | USA |
| Content-processing providers | Specialized providers (such as Anthropic and OpenAI) that process content inputs and outputs to generate your articles and images | USA / global |
| Sign-in providers | Optional social sign-in, and — where you connect them — integrations for your own properties | USA / global |
| Search & indexing | Web/image lookups during content production and search-index submission for your connected properties, when those features are used | Global |
| Operations & monitoring | Service alerting and monitoring, which may include an account name/email in operational notifications | Global |
Note: where you connect your own content-management system (such as WordPress or Ghost), that system is your own service and publishing destination, not a Mastheads sub-processor. Infrastructure we operate ourselves does not transmit your personal data to third parties.
Schedule C — Security measures
- Tenant isolation:each customer’s data is logically segregated so that one customer cannot access another’s.
- Encryption in transit: traffic to the platform is served over TLS.
- Access control: modern authentication, least-privilege access, and server-side-only handling of integration credentials, which are encrypted at rest.
- Network protection: firewall, DDoS protection, and bot mitigation in front of public endpoints.
- Auditability: append-only records of legal-acceptance, consent, and key account actions.
- Data minimization: we collect and retain only the personal data needed to deliver the service.