The DPA.
GDPR, UK GDPR, all the contracts.

1. Parties and roles

This Data Processing Addendum is entered into between you (the 'Controller', meaning the entity that decides why and how personal data is processed) and HumanGPT, operated by Outline Technologies (the 'Processor', meaning the entity that processes personal data on your instructions).

2. Definitions

'Personal Data' has the meaning given in GDPR Article 4. 'Processing' means any operation performed on personal data. 'Subprocessor' means any third party HumanGPT uses to deliver the service. 'Data Subject' means the natural person to whom Personal Data relates.

3. Scope and subject matter

HumanGPT processes the text content you submit through the Service for the sole purpose of returning humanized output to you. The duration of processing is the time required to fulfill each request, plus any reasonable retention defined in the Privacy Policy (which for free-tier requests is zero, and for account-holders is the duration of the account).

4. Categories of data and data subjects

Categories of Personal Data we may process on your behalf include: any text you submit (which may contain names, contact details, or any other personal information you choose to include), the IP address from which the request is made, and standard browser metadata (user agent, referrer). Categories of Data Subjects: your end users, employees, customers, or any individual whose data you choose to include in submitted text.

5. Processor obligations

HumanGPT will:

• Process Personal Data only on documented instructions from the Controller, including with regard to international transfers.
• Ensure that personnel authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (HTTPS everywhere, encrypted storage, principle-of-least-privilege access).
• Engage Subprocessors only with prior general written authorization, and impose equivalent data protection obligations on them.
• Assist the Controller with responding to Data Subject requests (access, deletion, rectification, portability, restriction, objection).
• Notify the Controller without undue delay (within 72 hours) of becoming aware of a Personal Data breach.
• Make available all information necessary to demonstrate compliance with this DPA, and allow audits as outlined in section 9.
• At the choice of the Controller, delete or return all Personal Data after the end of the provision of services.

6. Approved subprocessors

As of the last update of this DPA, HumanGPT uses the following Subprocessors. We will provide 30 days' notice via email and an updated list before adding any new Subprocessor, and you have the right to object.

• Google LLC (Gemini API) – humanizer model inference. Data location: United States. Safeguards: Google Cloud SCCs, ISO 27001, SOC 2.
• Vercel Inc. – application hosting. Data location: global edge network. Safeguards: Vercel SCCs, SOC 2 Type II.
• Cloudflare Inc. – CDN, DDoS protection. Data location: global edge. Safeguards: Cloudflare SCCs, SOC 2.
• Creem Inc. – payment processing (paid users only). Data location: United States. Safeguards: Creem SCCs, PCI DSS compliant.
• Resend Inc. – transactional and newsletter email (opted-in users only). Data location: United States. Safeguards: Resend SCCs.

7. International data transfers

Where Personal Data of EU/UK Data Subjects is transferred to a country that has not received an adequacy decision from the European Commission or the UK Information Commissioner's Office, the transfer is governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, with any required UK Addendum, supplemented by the technical and organizational measures described in section 5.

8. Data Subject rights

Where a Data Subject contacts HumanGPT directly with a request to exercise GDPR/UK GDPR rights regarding Personal Data we process on your behalf, we will forward that request to the Controller within 48 hours and will not respond to the Data Subject directly except to confirm we have forwarded the request.

9. Audits

Once per year, you may request a copy of our most recent SOC 2 / ISO 27001 attestation reports (when available) or an equivalent compliance summary. For audits beyond standard documentation, we will agree on scope and timing in good faith. Audit costs are borne by the Controller. Where the audit reveals material non-compliance, HumanGPT bears the cost of remediation.

10. Personal data breach notification

We will notify you in writing without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach that affects your data. The notification will include: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.

11. Termination and data deletion

Upon termination of the agreement, HumanGPT will, at the Controller's choice, return or delete all Personal Data within 30 days, unless retention is required by law. We will provide written confirmation of deletion upon request.

12. Liability and indemnification

Each party's liability under this DPA is limited as set out in the main Terms of Service. Each party will indemnify the other for damages caused by its own breach of this DPA or its underlying GDPR/UK GDPR obligations.

13. Governing law and conflicts

This DPA is governed by the same law as the underlying Terms of Service. Where a conflict arises between the Terms and this DPA in respect of the subject matter herein, this DPA prevails. Where a conflict arises between this DPA and the SCCs, the SCCs prevail.

14. Entry into force

This DPA enters into force the moment you start using HumanGPT and applies for the duration of your subscription or relationship with us. To request a counter-signed copy on your company letterhead, email [email protected] with the subject 'DPA request' and we will return it within 5 business days.