Data Processing Addendum

Last updated May 12, 2026.

This Data Processing Addendum ("DPA") forms part of the Pressroom Terms of Service between Pressroom Labs, Inc. ("Processor") and the Customer ("Controller").

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to provide the Pressroom service, for the duration of the Controller's subscription.

2. Nature and purpose of processing

Hosting, processing, and transmitting Controller's editorial content, WordPress credentials, and team member information to deliver the Pressroom platform.

3. Categories of data subjects

  • Controller's authorized users (admins, editors, viewers).
  • Authors and contributors referenced in published content.

4. Categories of personal data

  • Identity data: name, email, profile photo.
  • Authentication data: tokens, IP addresses, sign-in timestamps.
  • Content data: drafts, AI runs, audit log entries.

5. Processor obligations

  • Process personal data only on documented instructions from Controller.
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Annex A).
  • Engage sub-processors only with general written authorization (current list available on request).
  • Assist Controller with data-subject requests, breach notifications, and DPIAs.

6. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum, incorporated by reference.

7. Security measures (Annex A)

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Per-environment encryption keys; WordPress credentials encrypted with AES-GCM and a separate key.
  • Postgres row-level security enforcing per-workspace isolation.
  • Principle of least privilege for engineering access; access is granted and logged through a central identity provider (IdP).
  • Annual penetration testing and continuous dependency scanning.
  • Incident response plan, including notification to Controller of any personal data breach without undue delay and no later than 72 hours after Processor becomes aware of it.

8. Audit

Controller may, no more than once per year and on reasonable notice, request information necessary to demonstrate Processor's compliance, including SOC 2 reports when available.

9. Return or deletion of data

On termination, Processor will delete or return personal data within 30 days, except where law requires longer retention.

Signing

This DPA is automatically incorporated into the Terms of Service for all paid plans. Enterprise customers may countersign a standalone version — email legal@pressroom.app.

This document is provided for transparency and is not a substitute for legal advice. Enterprise customers can request our full legal pack at legal@pressroom.app.