← Back to Home

Data Processing Agreement

Last updated: March 2026

1. Definitions

  • Controller: The user or organization that determines the purposes and means of processing Personal Data via Versalith.
  • Processor: Versalith, which processes Personal Data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, as processed in connection with the Service.
  • Sub-processor: Third parties engaged by Versalith to process Personal Data.
  • Data Subject: The identifiable natural person to whom Personal Data relates.

2. Scope

This Data Processing Agreement (DPA) applies when Versalith processes Personal Data on behalf of a Controller in the course of providing the Versalith Service. It forms part of the Terms of Service and supplements the Privacy Policy. Where the user acts as a Controller, this DPA governs the processing relationship.

3. Data Processing Details

  • Subject matter: Provision of AI blog generation services.
  • Duration: For the term of the Service agreement.
  • Nature and purpose: Processing necessary to operate the Service, including authentication, content generation, storage, and payment facilitation.
  • Categories of Data Subjects: End users of the Service, including individuals whose data the Controller provides or who are represented in generated content.
  • Types of Personal Data: Account identifiers (email, name, avatar), blog content and prompts, usage data, and payment-related identifiers as described in the Privacy Policy.

4. Processor Obligations

Versalith shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Assist the Controller in responding to Data Subject requests and in ensuring compliance with applicable data protection laws.
  • Notify the Controller of any Sub-processor engagement and ensure Sub-processors provide equivalent protection.
  • Delete or return Personal Data upon termination, as instructed.

5. Sub-processors

Versalith engages the following Sub-processors:

  • Supabase: Auth (Google SSO), database (PostgreSQL).
  • OpenAI, Anthropic, Google: AI content generation.
  • Unsplash: Image services.
  • Razorpay: Payment processing.

We will inform Controllers of material changes to Sub-processors. Sub-processors are bound by data processing terms that provide substantially equivalent protection to this DPA.

6. Data Subject Rights

Versalith will assist Controllers in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent required by applicable law. Controllers should direct such requests to Versalith; we will respond within the timeframe required by law. Our Privacy Policy describes how end users may exercise their rights directly.

7. Security Measures

Versalith implements encryption in transit (TLS) and at rest, access controls, secure authentication (OAuth 2.0), and other measures described in our Security Practices. We will maintain security measures appropriate to the risk and update them as necessary.

8. Data Transfers

Personal Data may be transferred to Sub-processors located outside the Controller's jurisdiction. Where required, we implement appropriate safeguards (e.g., Standard Contractual Clauses) to ensure an adequate level of protection. Controllers may request details of transfer mechanisms.

9. Breach Notification

Versalith will notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification will include the nature of the breach, the categories and approximate number of records concerned, likely consequences, and measures taken or proposed to address the breach. We will assist Controllers in meeting their own breach notification obligations.

10. Audit Rights

Upon reasonable notice, Controllers may request information necessary to demonstrate compliance with this DPA. Versalith will provide such information and, where required by law or by a Controller with sufficient authority, may allow audits or inspections, subject to confidentiality and reasonable scheduling.

11. Termination

Upon termination of the Service, Versalith will, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, unless retention is required by law. This obligation survives termination.

12. Contact

For DPA-related inquiries, contact Versalith at contact@versalith.com.