Back to home
Legal

Data Processing Agreement

Last updated: 11 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Redacto ("Provider") and applies where the Provider processes personal data on the Customer's behalf as a processor under the GDPR (Regulation (EU) 2016/679).

1. Roles of the parties

  • The Customer acts as the data controller for personal data contained in documents uploaded to the Service.
  • Redacto acts as the data processor, processing that personal data only to provide the redaction service requested by the Customer.

2. Subject matter and purpose of processing

Redacto processes personal data contained in documents uploaded by the Customer for the sole purpose of detecting sensitive data, producing a redacted output, and making that output available for download. Processing is limited to what is necessary to provide the Service.

3. Duration

Processing continues for the duration of the Customer's use of the Service. Uploaded documents are processed and then deleted — the original upload is removed from the Provider's storage as soon as redaction is complete. Account and billing data is retained for the duration of the account, subject to the Privacy Policy.

4. Categories of data and data subjects

Because the Customer chooses what to upload, the categories of personal data are determined by the Customer. Typical categories may include names, contact details, identifiers, financial details, or other personal data contained in business documents. Data subjects may include the Customer's employees, clients, patients, contractors, or any individual mentioned in the uploaded documents.

5. Provider obligations

  • Process personal data only on documented instructions from the Customer (the instructions include the Terms, this DPA, and the Customer's use of the Service).
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures — see section 6.
  • Assist the Customer with data subject requests where reasonably possible.
  • Assist the Customer with DPIAs and prior consultations where required.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data.
  • Delete or return personal data after the end of the service, as instructed.

6. Technical and organisational measures

Provider maintains appropriate measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

  • Encryption in transit — all traffic to and from the Service uses HTTPS.
  • Access control — role-based access for personnel, least-privilege policies, multi-factor authentication for administrative access.
  • Isolated processing — uploads live in isolated processing workspaces and are deleted as soon as redaction is complete.
  • Data minimisation — only metadata strictly needed for operation of the Service is retained after processing.
  • Logging and monitoring — for security, abuse prevention, and incident response, without logging the content of documents.
  • Backups — backups are encrypted and rotated; they exclude original uploaded documents, which are deleted after processing.
  • Incident response — a process for detecting, investigating, and notifying breaches.

7. Subprocessors

Provider uses vetted subprocessors to run the Service — for example for hosting, authentication, payments, and AI-assisted entity detection. Each subprocessor is bound by data protection obligations consistent with this DPA. A current list of subprocessors is available on request at support@redacto.co. Provider will notify Customers in advance of material changes to the subprocessor list and give them the opportunity to object.

8. Data subject rights

Because documents are not retained after processing, the scope of data subject requests is typically limited to account and billing information. Provider will assist Customers in responding to data subject requests to the extent reasonably possible and within the timeframes required by the GDPR. Data subjects can contact the Customer directly, or write to support@redacto.co for routing.

9. International transfers

Where personal data is transferred outside the EU/EEA, Provider relies on Standard Contractual Clauses and, where appropriate, supplementary measures. A list of transfer mechanisms is available on request.

10. Breach notification

Provider will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data. The notification will include the information reasonably available at the time and will be updated as more details become known.

11. Audits

On reasonable request, Provider will make available information necessary to demonstrate compliance with this DPA, including summaries of independent assessments where available. Audits that require physical access to systems are subject to reasonable notice and scheduling.

12. Deletion of data

On termination of the Service, or at the Customer's request, Provider will delete personal data processed on behalf of the Customer, except where retention is required by law (e.g. billing records required by tax law). Customers may also delete their own account and all associated personal data directly from the Profile page in the Redacto application at any time, without contacting support.

13. Liability and order of precedence

Nothing in this DPA changes the liability provisions of the Terms of Service. In case of conflict between this DPA and the Terms, this DPA prevails for matters relating to the processing of personal data.

14. Contact

Questions about this DPA, or requests for a signed copy: support@redacto.co.