Data Processing Agreement

Last updated: 6 July 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of, and is subject to, the RightsRoom Terms of Service between the parties (the "Agreement"). It governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the RightsRoom service ("the Service").

BETWEEN:

(1) the customer identified in the Agreement (the "Controller" — the literary agency or publisher using RightsRoom); and

(2) Charles Gabriel Somerville, an *entrepreneur individuel* (sole trader) trading as Fondera, SIREN 102 502 754, of 1 Rue des Buries, 51220 Hermonville, France (the "Processor" / "we").

Where the Controller is established in the United Kingdom, "Data Protection Law" means the UK GDPR and the Data Protection Act 2018. Where the Controller is established in the EU/EEA, it means Regulation (EU) 2016/679 ("EU GDPR") and applicable national law. Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in Data Protection Law.

1. Roles of the parties

1.1 The Controller is the controller and the Processor is the processor of the Personal Data described in Annex 1. Each party complies with its own obligations under Data Protection Law.

1.2 The Controller warrants that it has a lawful basis under Art. 6 (and, where relevant, Art. 9) for the Processing it instructs, and that it has provided all notices and obtained all consents required for the Processor to Process the Personal Data as set out in this DPA.

2. Processor's obligations (UK/EU GDPR Art. 28(3))

The Processor shall:

(a) Instructions — Process the Personal Data only on the Controller's documented instructions (including as to international transfers), unless required to do otherwise by law, in which case it will inform the Controller first unless that law prohibits it. This DPA, the Agreement, and the Controller's use of the Service's features are the Controller's complete and documented instructions. If the Processor considers an instruction to infringe Data Protection Law, it will inform the Controller.

(b) Confidentiality — ensure that persons authorised to Process the Personal Data are bound by a duty of confidentiality.

(c) Security — implement the technical and organisational measures set out in Annex 2 (Art. 32).

(d) Sub-processors — not engage another processor without the Controller's prior general written authorisation. The Controller authorises the sub-processors listed in Annex 3. The Processor will inform the Controller of any intended addition or replacement at least 14 days in advance, giving the Controller the opportunity to object on reasonable data-protection grounds. The Processor imposes on each sub-processor the same data-protection obligations as in this DPA and remains fully liable for the sub-processor's performance.

(e) Data-subject rights — taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise Data-Subject rights under Chapter III (Art. 12–23). Where a Data Subject contacts the Processor directly, the Processor will refer them to the Controller and not respond except on the Controller's instruction.

(f) Assistance — assist the Controller in ensuring compliance with its obligations under Art. 32–36 (security, Personal Data Breach notification, data protection impact assessments and prior consultation), taking into account the nature of Processing and the information available to the Processor.

(g) Deletion / return — at the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless retention is required by law. On termination the Controller may export its data via the Service; the Processor will delete Controller Personal Data within 30 days of termination unless legally required to retain it.

(h) Audit — make available to the Controller all information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice (and no more than once per year save where required by a Supervisory Authority or following a Personal Data Breach).

(i) Storage retention and deletion lifecycle — the Controller's documents held in the EU file storage of the AI sub-processor (Annex 3), including any per-tenant document library, fall into two categories, each on the Processor's deletion lifecycle:

    (1) Uploaded source documents (e.g. scans and PDFs ingested for extraction) may be stored in the Controller's RightsRoom account for as long as the Controller uses them in the Service. The separate runtime spool copy used for AI ingestion is transient, deleted after pickup/processing and swept within a defined backstop window. Any corresponding AI-provider stored file is kept on the Processor's deletion lifecycle.

    (2) Generated records (e.g. contracts the Service produces and surfaces as the Controller's legal record) are retained for the duration of the business relationship, as the Controller instructs, and are deleted within 30 days of termination (clause 2(g)).

    In both cases, on the Controller's or a Data Subject's erasure request (Art. 17) the Processor deletes the corresponding stored files where they remain under its control, including the AI-provider file via the sub-processor's file-deletion function where applicable, together with the related records it holds. Transient AI processing that does not require a stored file is configured to minimise retention under the available provider settings.

3. AI processing and model-training controls

3.1 The Service uses artificial-intelligence (AI) features, provided by the AI sub-processor identified in Annex 3, to assist with ingesting, organising and drafting from the Controller's data. Where the Controller uses those features, Controller Personal Data is processed by that AI sub-processor under the Processor's data processing agreement with that sub-processor (Art. 28(4)) and the safeguards in Annex 3, and is retained by it only as needed to provide the features and the applicable deletion lifecycle.

3.2 The Processor does not use Controller Personal Data to train Fondera-owned AI or machine-learning models. Third-party AI-provider training controls are managed through the sub-processor contract, account configuration and evidence register before any unqualified public no-training claim is made.

3.3 Data the Controller imports through a connected Google account (Google Sheets) is processed by the Processor's own deterministic logic only and is not sent to the AI sub-processor, consistent with the Google API Services User Data Policy (Limited Use).

4. Personal Data Breach

The Processor will notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data, with the information the Controller reasonably needs to meet its own Art. 33/34 obligations. The Processor will take reasonable steps to mitigate and remediate the breach.

5. International transfers

5.1 The Personal Data is hosted within the European Economic Area (Hetzner data centre, Germany). The Processor is established in France (EEA).

5.2 For a UK Controller, the transfer of Personal Data from the UK to the Processor in the EEA relies on the UK's adequacy regulations recognising the EEA as providing an adequate level of protection; no further transfer safeguard is required for UK→EEA flows. The Processor will not transfer the Personal Data outside the UK/EEA without the Controller's prior written authorisation and an appropriate transfer mechanism (e.g. the UK Addendum or EU Standard Contractual Clauses). The AI processing is performed within the EU (Annex 3); the one sub-processor outside the UK/EEA (email delivery — Annex 3) operates under such safeguards.

5.3 Data residency and self-hosting. The Personal Data, including the AI processing, is hosted within the EU/EEA. For a Controller with heightened residency requirements, a self-hosted deployment is available on request, under which the Personal Data and the AI models run within the Controller's or an agreed infrastructure and do not leave it.

6. Liability and term

6.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

6.2 This DPA takes effect on acceptance of the Agreement and continues for as long as the Processor Processes Personal Data on the Controller's behalf. Clauses that by their nature should survive termination (including 2(g), 2(h), 4) survive.

6.3 In the event of conflict between this DPA and the Agreement on data-protection matters, this DPA prevails.

---

ANNEX 1 — Details of Processing

| Item | Detail | |---|---| | Subject-matter | Provision of the RightsRoom rights-management platform to the Controller. | | Duration | The term of the Agreement. | | Nature & purpose | Storage, organisation, retrieval, display, export, normalisation and AI-assisted ingestion and drafting of the Controller's rights, contract, contact and royalty records, and — on the Controller's instruction — transmission of email communications to the Controller's contacts (e.g. the Controller's authors, publishers and co-agents), to operate the Service. This includes the Processor retaining derived working memory about the Controller's data to provide continuity and quality-vetting of the Service, kept per-Controller and on the deletion lifecycle (clause 2(i)). AI processing is carried out by the AI sub-processor in Annex 3 (clause 3). | | Categories of Data Subjects | The Controller's staff/users; the Controller's authors and clients; co-agents; publisher and rights-buyer contacts; translators; other counterparties named in deals/contracts. | | Categories of Personal Data | Names, business contact details (email, phone, address, role), professional/commercial information (deal terms, advances, royalties, payment details), correspondence, and any personal data the Controller chooses to upload in source documents. | | Special category data | None requested or required. The Controller shall not upload special-category data (Art. 9) save where strictly necessary and lawfully grounded; it must notify the Processor first. | | Frequency | Continuous for the term. |

ANNEX 2 — Technical and Organisational Measures (Art. 32)

  • Access control: per-tenant isolation; every record scoped by `tenant_id`; row-level access enforced so no cross-tenant access by construction. Role-based access (owner / admin / member) per tenant.
  • Authentication: passwords hashed with argon2id (never stored in plaintext); strong password policy; account lockout with exponential backoff; email verification; signed-token password reset.
  • Transport security: HTTPS/TLS only (HSTS); secure, httpOnly, SameSite session cookies with short TTL; CSRF protection.
  • Application hardening: rate-limiting on authentication endpoints; secure HTTP headers (CSP, HSTS); audit log of authentication and authorisation events (`re_auth_events`: login, failure, reset, role change).
  • Hosting: EEA data centre (Germany); server-side data access only; database access restricted to least-privilege service roles.
  • Resilience & integrity: database backups; logical replication; principle of least privilege on DB grants.
  • AI processing: Controller Personal Data sent to the AI sub-processor is processed under a data processing agreement with the provider and retained only as needed to provide the feature and applicable deletion lifecycle; Google-imported data is ring-fenced from the AI path (Limited Use).
  • Document storage & deletion: uploaded documents may be stored in the Controller's RightsRoom account; the runtime spool copy used for AI ingestion is transient and deleted after pickup/processing or within a defined backstop window. Where a file is stored by the AI sub-processor, the Processor tracks it in the deletion lifecycle and honours erasure by deleting the stored file via the sub-processor's file-deletion function where applicable. Transient processing calls are configured to minimise retention under the available provider settings.
  • Derived working memory: the Service's quality-vetting agent retains derived working memory about the Controller's data, held per-Controller (strictly partitioned, no cross-Controller memory), tagged to the source records and data subjects it derives from so that erasure requests are honoured surgically, and subject to the deletion/retention lifecycle. Any signal sent to operator channels outside the EEA (e.g. Telegram notifications) is de-identified first.
  • Confidentiality: personnel/agents bound by confidentiality; credentials never transmitted over insecure channels.

ANNEX 3 — Authorised Sub-processors

| Sub-processor | Purpose | Location | |---|---|---| | Hetzner Online GmbH | Server / database hosting | Germany (EEA) | | Mistral AI | AI-assisted ingestion, organisation and drafting (clause 3) — document OCR, extraction, vetting and drafting — and secure document storage (the Controller's uploaded documents are held via Mistral's EU file storage) | European Union (France; EU data centres). Mistral's Data Processing Addendum applies (GDPR Art. 28); model-training controls are tracked through the account configuration and evidence register; any limited onward transfer to Mistral's own sub-processors is covered by EU Standard Contractual Clauses. Stored documents are deleted on the Processor's retention/deletion lifecycle (clause 2(i)). A self-hosted (open-weight) deployment is available for high-sensitivity Controllers, keeping Personal Data within the agreed infrastructure. | | Google (Google Workspace) | Email delivery — transmitting service emails and the messages the Controller sends to its contacts from within the Service, via Google Workspace | United States, under EU Standard Contractual Clauses and the UK Addendum; Google's Workspace / Cloud Data Processing Addendum applies | | Yousign | Electronic signature of contracts the Controller generates in the Service (processes the document and signatories' names/emails) | European Union (France); Yousign's Data Processing Agreement applies. *Enabled only when the e-signature feature is switched on.* | | Stripe | Payment processing / billing for the Controller's subscription | United States, under EU Standard Contractual Clauses and the UK Addendum (EU-US Data Privacy Framework certified); Stripe's Data Processing Agreement applies | | Xero | Invoicing (only where the Controller connects its own Xero organisation) | EU/UK |

Controller Personal Data processed by the AI sub-processor is retained only to provide the feature and the applicable deletion lifecycle (clause 3). Data imported from a connected Google account is not sent to the AI sub-processor (Google Limited Use).