Data Processing Agreement
For Twira customers who need a signed DPA with their data processor.
- Last updated: 2026-05-21
- Effective from: 2026-05-21
- Contact: Send an enquiry
How to use this document
This Data Processing Agreement ("DPA") forms part of the agreement between Twira Ltd (the "Processor") and the Customer for use of Twira Pro or Enterprise. Free-tier and Education-tier users are not covered because Twira Ltd does not process personal data on behalf of those users.
A signed PDF version of this DPA is available on request. Submit the compliance form at /contact?topic=compliance from a verified company domain and include your subscription details. We typically return a signed DPA within five business days.
1. Roles and scope
For the limited categories of personal data Twira Ltd processes on behalf of the Customer (billing data, account email, contact-form submissions, and licence-activation telemetry), the Customer is the Controller and Twira Ltd is the Processor.
For all other data the Customer generates using Twira (including source code, indexes, audit chains, lore, masterplan content, and any personal data the Customer chooses to scan, redact, or transmit through the AI Compliance Proxy), Twira Ltd is not a processor for the Customer, because that data does not transit Twira Ltd's systems. It remains on the Customer's machines, and any onward transmission goes from the Customer's machine to a third party (typically a large-language-model provider) chosen and contracted by the Customer.
2. AI Compliance Proxy, specific scope and disclaimer
The AI Compliance Proxy operates entirely on the Customer's machines. Twira Ltd does not receive, store, or have access to the content the Customer passes through the proxy, nor to the content the proxy passes onward to the Customer's configured LLM provider. Twira Ltd is therefore not a processor in respect of that content.
The proxy is provided as a defence-in-depth detection layer designed to identify known patterns of personal data, credentials, and other regulated content prior to transmission. It is not a guarantee. Detection patterns may produce false positives or false negatives. The Customer remains responsible, as Controller, for the lawfulness of any onward transmission to its configured LLM provider, including the choice of provider, the terms of the Customer's contract with that provider, the configuration of any additional safeguards, and the ongoing review of detection outcomes. The Customer must not treat the AI Compliance Proxy as its sole or principal safeguard for personal data leaving its environment.
3. Nature and purpose of processing
- Subject matter. Provision of the Twira Pro or Enterprise service to the Customer.
- Duration. The term of the Customer's Subscription, plus any short post-termination wind-down for billing and statutory retention.
- Nature. Receipt of billing data via Stripe; issuance and verification of licence keys; delivery of transactional emails (trial, renewal, status); handling of contact-form submissions sent to Twira Ltd.
- Purpose. Enabling the Customer to use the service the Customer has paid for.
- Categories of data subjects. The Customer's authorised users; the Customer's billing contacts; any other natural person whose personal data the Customer chooses to include in a contact-form submission to Twira Ltd.
- Categories of personal data. Names, business email addresses, billing country, brand and last four digits of the card (held by Stripe, not by us), IP addresses and user-agent strings at the moment of contact-form submission, and the free-text content of any submission.
4. Customer obligations
- Maintain a lawful basis under UK GDPR / EU GDPR for the processing of the personal data of its users carried out through its use of the Software.
- Provide the notice required under UK GDPR / EU GDPR Articles 13 and 14 to its data subjects in respect of that processing.
- Ensure that the categories of personal data the Customer chooses to send to its configured LLM provider, through the AI Compliance Proxy or otherwise, are lawful for the Customer to send.
- Implement appropriate technical and organisational measures on its own machines, on which the bulk of processing takes place.
- Respond to data-subject requests in respect of the personal data the Customer controls.
5. Processor obligations
- Process the personal data only on the documented instructions of the Customer (the Customer's instructions being this DPA, the Subscription Terms, the EULA, and any subsequent written instruction signed between the parties).
- Ensure that personnel authorised to process the personal data are bound by an obligation of confidentiality.
- Implement appropriate technical and organisational measures (see § 8, Technical and organisational measures).
- Assist the Customer in responding to data-subject requests where Twira Ltd's systems hold the relevant data.
- Notify the Customer without undue delay of any personal-data breach affecting the Customer's data, and in any event within 72 hours of becoming aware.
- Delete or return personal data at the end of the service term, subject to ongoing statutory retention requirements.
- Make available all information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processors
Twira Ltd uses the following sub-processors for the processing covered by this DPA:
- Stripe, Inc. and Stripe Payments Europe Ltd. Purpose: payment processing and Stripe Tax. Location: United States and European Union. Privacy notice: https://stripe.com/privacy
- Microsoft Corporation (Azure). Purpose: hosting for the marketing site, licence-activation service, and Stripe webhook. Location: UK South. Privacy notice: https://www.microsoft.com/en-us/trust-center
- Plausible Insights OÜ. Purpose: cookieless website analytics. Location: European Union. Privacy notice: https://plausible.io/privacy
- Anthropic, PBC. Purpose: drafting and triage of business correspondence (commercial tier; no model training on inputs). Location: United States. Privacy notice: https://www.anthropic.com/legal/privacy
- OpenAI, LLC. Purpose: drafting and triage of business correspondence (Commercial / Team / Enterprise tier; no model training on inputs). Location: United States. Privacy notice: https://openai.com/policies/privacy-policy
- Google LLC. Purpose: drafting and triage of business correspondence (Vertex AI / Workspace commercial tier; no model training on inputs). Location: United States. Privacy notice: https://policies.google.com/privacy
7. Sub-processor change-notice and objection
Material additions to the sub-processor list above will be notified to the Customer at least 30 calendar days in advance, during which the Customer may object on reasonable grounds. Where the Customer objects on reasonable grounds, Twira Ltd will work with the Customer to find an alternative; failing that, the Customer may terminate the Subscription with a pro-rated refund of any pre-paid period.
8. Technical and organisational measures
- TLS 1.2 or higher for all communications between the Customer, the marketing website, the licence-activation service, and our sub-processors.
- Encryption at rest for billing records held by Stripe and for the licence-activation database held by Twira Ltd.
- Role-based access to internal systems with multi-factor authentication for every administrative account.
- Audit logging of administrative access to systems holding personal data.
- Regular security review of the marketing site, the licence-activation service, and our software dependencies, with severity-scaled remediation.
- Vendor due diligence on sub-processors, including review of each vendor's published security and privacy posture before engagement.
- Personnel security: background checks where required by law and confidentiality undertakings for staff with access to personal data.
9. Certifications and external assurance
Twira Ltd is at an early commercial stage and does not currently hold a SOC 2, ISO 27001, or comparable independent certification. The intention is to begin a SOC 2 Type I observation window within the first twelve months of generally available commercial release; we will communicate progress through this page rather than make commitments we cannot date. Pending that, Customers requiring independent assurance may rely on the sub-processor certifications of Stripe, Microsoft Azure, Anthropic, OpenAI, and Google, each of which publishes its own SOC 2 and ISO reports.
10. Personal-data breach notification
Where a personal-data breach affects the Customer's data, Twira Ltd will notify the Customer without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it.
11. International transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area in the course of the processing covered by this DPA, the transfer is governed by Standard Contractual Clauses (the current EU Commission 2021/914 SCCs together with the UK Information Commissioner's International Data Transfer Addendum, or the UK International Data Transfer Agreement directly) or by an equivalent legally recognised mechanism, including an applicable adequacy decision.
12. Audits
The Customer may, on reasonable notice and at the Customer's own cost, audit Twira Ltd's compliance with this DPA, subject to reasonable confidentiality and scheduling protections. Where Twira Ltd holds a current SOC 2 Type II report or equivalent, that report will satisfy the audit right in respect of the matters it covers.
13. Term and termination
This DPA remains in force for the duration of the Customer's Subscription. On termination, Twira Ltd will delete or return all personal data within 30 calendar days, unless retention is required by law (for example to meet UK tax-record retention).
14. Order of precedence
If a conflict exists between this DPA, the Subscription Terms, and the EULA, this DPA controls for matters of data protection; the Subscription Terms control for matters of the commercial relationship; the EULA controls for matters of the software-licence grant.
Contact
Questions about this DPA, or to request a signed copy: submit the compliance form at /contact?topic=compliance.