
Data Processing Addendum

Last updated: 9 May 2026. The DPA forms part of the Terms of Service for customers subject to GDPR or equivalent regulations.

1. Roles

You (the customer) are the Data Controller. Journalify acts as Data Processor on your behalf. You determine the purposes and means; we process per your instructions.

2. Scope of processing

We process personal data uploaded to or generated by the Service to provide that Service. Categories of data subjects: your staff, your subscribers/readers, and individuals named in editorial content. Categories of data: contact info, account credentials, behavioural data, content metadata.

3. Sub-processors

We use the following sub-processors:

  • Microsoft Azure — hosting, storage, identity (regional, your choice)
  • Stripe — payment processing (US, with EU representative)
  • Cloudflare — DNS, WAF, edge caching (global)
  • New Relic — observability + APM (EU collector for EU customers)
  • Azure Communication Services — transactional email (regional)

We notify you 30 days before adding a new sub-processor, and you have the right to object on reasonable grounds.

4. Data residency

You choose your tenant region at signup: UAE North, West Europe, or East US. Customer data does not leave the chosen region. Sub-processor data flows are documented per region.

5. Security measures

We implement technical and organisational measures including: encryption at rest (AES-256) and in transit (TLS 1.2+), private network endpoints, role-based access control, MFA for administrative access, audit logging on every mutation, and regular security testing. Full details in the security overview at /security.

6. Breach notification

We notify you without undue delay (within 72 hours) of any confirmed data breach involving your personal data, including the nature of the breach, scope, and remediation steps.

7. Data subject rights

We provide tooling for you to fulfil data subject rights (access, rectification, erasure, portability) via the platform's API and audit log. For complex requests we provide reasonable assistance.

8. International transfers

Where data leaves the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and supplementary measures. The full text of our SCCs is incorporated by reference into this DPA.

9. Audit rights

Once per year (or following a confirmed breach) you may audit our compliance with this DPA. We provide our SOC 2 Type II report (when complete) and answer reasonable security questionnaires within 5 business days.

10. Term + return/deletion of data

This DPA terminates with the underlying subscription. Upon termination, data is retained for 90 days for export, then permanently deleted (with cryptographic deletion of encryption keys).

11. Contact

Data Protection Officer: [email protected]

Need a signed copy?

Contact us with your legal entity details and we'll countersign within one business day. We can also adapt to your standard DPA template if your procurement requires it.
