← Back to Structured Outputs

Data Processing Agreement

Last updated: October 27, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer") and Structured Outputs ("Processor," "we," or "us") and governs the processing of personal data in connection with the Service.

This DPA is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

  • Controller: The Customer who determines the purposes and means of processing personal data
  • Processor: Structured Outputs, which processes personal data on behalf of the Controller
  • Sub-processor: Third-party service providers that process personal data on behalf of the Processor
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Data Subject: An identified or identifiable natural person

3. Scope and Applicability

This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the Service.

Types of Personal Data

  • User identification data (name, email address)
  • Authentication data (Google account credentials)
  • Schema content and metadata
  • Usage data and analytics
  • Technical data (IP addresses, logs)

Categories of Data Subjects

  • Users of the Service
  • Administrators of Customer accounts

4. Processor's Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Respect the conditions for engaging sub-processors
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with GDPR obligations
  • Delete or return personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

5. Security Measures

The Processor implements the following technical and organizational measures:

Technical Measures

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Secure authentication mechanisms (OAuth 2.0)
  • Regular security updates and patches
  • Network security and firewalls
  • Intrusion detection systems
  • Regular security audits and penetration testing

Organizational Measures

  • Access controls and authentication
  • Staff training on data protection
  • Confidentiality agreements with personnel
  • Incident response procedures
  • Data breach notification protocols
  • Regular backups and disaster recovery
  • Vendor security assessments

6. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

Sub-processorServiceLocation
Vercel Inc.Hosting and deploymentUnited States
Supabase Inc.Database servicesUnited States
Google LLCAuthentication, AnalyticsUnited States
OpenAI Inc.AI/LLM processingUnited States

The Processor shall:

  • Inform the Controller of any intended changes to sub-processors
  • Provide the Controller with an opportunity to object to such changes
  • Ensure sub-processors are bound by data protection obligations equivalent to this DPA
  • Remain fully liable to the Controller for the performance of sub-processors

7. Data Subject Rights

The Processor shall, to the extent possible, assist the Controller in fulfilling data subject requests:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

Requests shall be responded to within 30 days or as required by applicable law.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting the Controller's data.

The notification shall include:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

9. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIA) when required under GDPR Article 35.

10. International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Such transfers shall be governed by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other appropriate safeguards as required by GDPR Article 46

11. Data Retention and Deletion

Upon termination of the Service or upon Controller's request, the Processor shall:

  • Return all personal data to the Controller, or
  • Delete all personal data and existing copies
  • Certify deletion in writing if requested

Exception: Data may be retained where required by applicable law.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller.

Audit requests must be:

  • Made in writing with reasonable advance notice
  • Conducted during normal business hours
  • Limited to once per year unless there is suspicion of non-compliance
  • Subject to confidentiality obligations

13. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the main Service Agreement.

The Processor shall indemnify the Controller against fines and penalties imposed by supervisory authorities due to the Processor's breach of this DPA or GDPR.

14. Term and Termination

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination:

  • All data processing shall cease
  • Personal data shall be returned or deleted as specified
  • Certifications of deletion shall be provided if requested

15. Order of Precedence

In the event of any conflict between this DPA and the main Service Agreement, this DPA shall prevail to the extent of the conflict with respect to data protection matters.

16. Contact Information

For any questions or concerns regarding this DPA, please contact:

Data Protection Officer

Email: structuredoutputs@gmail.com

Enterprise Customers

Enterprise customers may request a customized DPA with additional terms and conditions. Please contact us at structuredoutputs@gmail.com to discuss your specific requirements.