Data Processing Agreement (template)
This is the template DPA documenting the processor relationship between the buyer (data controller) and Inkwell (data processor). For a real engagement we'd countersign a copy out of band. The text below is intentionally light — it's a portfolio demonstration.
Data we process
- Submission payloads — whatever fields the buyer's form schema declares.
- Submitter IP addresses + user-agent strings (metadata column).
- Email addresses (when present in the payload).
- File uploads (when configured per form).
Retention
- Submission payloads: 90 days hot, then PII-purged in place.
- Submission metadata (excluding IP) retained indefinitely for aggregate analytics.
- IP addresses redacted to /24 (IPv4) or /48 (IPv6) at the 90-day mark.
- Delivery attempt response bodies: 30 days, then truncated.
- File uploads: configurable per workspace, default 30 days.
- Audit events: 365 days, then cold-archived.
Sub-processors
See /legal/sub-processors for the maintained list. Major sub-processors include AWS S3 (us-west-2 by default), MaxMind GeoLite2 (IP geolocation), and Postmark / Resend (email delivery if configured).
Subject access + erasure
Two endpoints serve subject rights:
- POST /v1/data-subjects/lookup — given an email, returns submission IDs + form references containing that address (without exposing the payload).
- DELETE /v1/data-subjects/by-email — queues an asynchronous erasure that cascades through submissions, files, delivery attempts, and audit-row redaction. Status via the request ID.
Breach notification
Inkwell will notify the buyer within 72 hours of becoming aware of a personal data breach that affects the buyer's submission data.
Termination
On termination of the engagement, Inkwell will return all buyer-controlled data + delete any processor-held copies within 30 days.
This DPA template is a portfolio artifact, not a legally executed agreement. For production use we'd execute a real DPA out of band.