Data Processing Agreement (DPA)
Version: 1.0
Between: [CUSTOMER LEGAL NAME] ("Customer") and StoryCycle Labs, 1621 Central Ave, Cheyenne, WY 82001, United States ("StoryCycle")
This Data Processing Agreement ("DPA") forms part of the agreement between Customer and StoryCycle governing Customer's use of StoryCycle Genie (the "Service") (the "Agreement").
1. Definitions
"Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Supervisory Authority" have the meanings given in applicable data protection law, including the GDPR where applicable. "Customer Data" means data submitted to the Service by or on behalf of Customer, including Personal Data.
2. Roles and scope
2.1 Customer is the Controller (or a Processor acting on behalf of another Controller) of Personal Data within Customer Data; StoryCycle is a Processor.
2.2 StoryCycle will Process Customer Data only (a) to provide and secure the Service, (b) per Customer's documented instructions, including use of the Service's features, and (c) as required by law, in which case StoryCycle will notify Customer unless legally prohibited.
2.3 Details of Processing. Subject matter: provision of the Service. Duration: the term of the Agreement plus the deletion period in section 6. Nature and purpose: hosting, storage, transmission, and AI-assisted content generation. Categories of Data Subjects: Customer's authorized users and individuals whose data appears in Customer Content. Categories of Personal Data: account and contact data, user-submitted content, usage data.
3. Confidentiality
StoryCycle ensures that personnel authorized to Process Customer Data are bound by confidentiality obligations and Process it only as needed to provide the Service.
4. Sub-processors
4.1 Customer authorizes the sub-processors listed in StoryCycle's Sub-processor List (Annex B), including the LLM inference providers identified there.
4.2 StoryCycle will provide at least 15 days' notice of new or replacement sub-processors. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rata refund of prepaid fees.
4.3 StoryCycle imposes data-protection obligations on sub-processors no less protective than this DPA and remains liable for their performance.
4.4 AI processing instruction. Customer instructs StoryCycle to transmit prompts and context to the LLM providers in Annex B solely to generate requested outputs. StoryCycle will not permit Customer Data to be used to train models, and will pass through equivalent restrictions to LLM sub-processors where the provider offers them.
5. Security
StoryCycle implements appropriate technical and organizational measures described in Annex A, including encryption in transit and at rest, row-level tenant isolation, role-based access control, and multi-factor authentication for privileged access. StoryCycle may update these measures provided overall security is not materially reduced.
6. Deletion and return
Upon termination of the Agreement, or upon Customer's written request, StoryCycle will delete Customer Data within 30 days, except where retention is required by law or for billing records. Upon request, StoryCycle will provide Customer an export of Customer Content in a commonly used format before deletion.
7. Personal data breach
StoryCycle will notify Customer without undue delay and within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing information reasonably available about the nature, scope, and remediation of the breach, and will cooperate with Customer's reasonable requests.
8. Assistance
Taking into account the nature of Processing, StoryCycle will reasonably assist Customer with: (a) responding to Data Subject requests (access, deletion, portability, etc.); (b) security of Processing; (c) breach notifications to authorities or Data Subjects; and (d) data protection impact assessments, where required.
9. Audit
StoryCycle will make available information reasonably necessary to demonstrate compliance with this DPA, including responses to Customer's security questionnaires and summaries of third-party assessments when available. No more than once annually (except after a breach), Customer may conduct an audit through a mutually agreed process that does not compromise other customers' data.
10. International transfers
Customer Data is processed in the United States. Where applicable law requires a transfer mechanism for EU/UK Personal Data, the parties incorporate the Standard Contractual Clauses per Annex C.
11. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Agreement. If this DPA conflicts with the Agreement regarding Processing of Personal Data, this DPA controls.
Annex A — Technical and Organizational Measures
- Encryption in transit: TLS for all client and service-to-service traffic.
- Encryption at rest: platform-level encryption of database and object storage; application-layer AES-256 encryption for stored credentials and API keys.
- Tenant isolation: PostgreSQL row-level security on all tenant-scoped tables; anonymous role holds no privileges.
- Access control: role-based access within accounts; least-privilege database grants.
- Authentication: managed identity provider; MFA supported; MFA enforced for privileged/administrative access.
- Payment data: handled exclusively by Stripe (PCI-DSS Level 1); StoryCycle does not store card data.
- Monitoring: error monitoring with PII capture disabled by default.
- Personnel: confidentiality obligations; access limited to operational need.
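The tenant-isolation and least-privilege measures above (PostgreSQL row-level security on tenant-scoped tables, an anonymous role with no privileges) can be illustrated with the following worked example. It is added here for illustration and is not StoryCycle's schema or code; the table name `stories`, the roles `app_user` and `anon`, the session setting `app.tenant_id`, and the sample UUIDs are all assumptions.

```sql
-- Added illustrative example of Annex A's tenant isolation; not StoryCycle's own schema.
-- Assumed names: table "stories", roles "app_user"/"anon", session setting "app.tenant_id".

-- Tenant-scoped table: every row records which tenant it belongs to.
CREATE TABLE stories (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- One role for authenticated application requests, one for unauthenticated ones.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE anon NOLOGIN;

-- Least-privilege grants: the application role gets only the statements it needs;
-- the anonymous role (and PUBLIC) holds no privileges on tenant data at all.
GRANT SELECT, INSERT, UPDATE, DELETE ON stories TO app_user;
GRANT USAGE ON SEQUENCE stories_id_seq TO app_user;
REVOKE ALL ON stories FROM PUBLIC;
REVOKE ALL ON stories FROM anon;

-- Row-level security: once enabled, rows are visible or writable only through a policy.
-- (The table owner and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set.)
ALTER TABLE stories ENABLE ROW LEVEL SECURITY;

-- The application sets app.tenant_id per request after authenticating the user.
-- NULLIF guards the case where the setting is unset or empty: the comparison is then
-- NULL, so no row matches and the default is deny rather than "all tenants".
CREATE POLICY tenant_isolation ON stories
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Check 1: with a tenant bound to the transaction, only that tenant's rows are reachable.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO stories (tenant_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample row for tenant 1');
SELECT count(*) FROM stories;   -- counts tenant 1's rows only
COMMIT;

-- Check 2: writing a row for a different tenant fails the WITH CHECK clause
-- ("new row violates row-level security policy"), so a bug in application code
-- cannot cross tenants even with a valid connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO stories (tenant_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'must be rejected');
ROLLBACK;

-- Check 3: with no tenant bound, the policy matches nothing (deny by default).
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM stories;   -- 0
ROLLBACK;
```

Binding the tenant with `set_config(..., true)` inside a transaction keeps the value local to that transaction, which matters behind a connection pool: a pooled connection reused by the next request carries no stale tenant identity. Reviewing such a policy during an audit under section 9 comes down to three checks, all visible in the catalog: RLS is enabled on every tenant-scoped table, each policy's `USING` and `WITH CHECK` expressions reference the tenant column, and the anonymous role appears in no `GRANT` on those tables.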
Annex B — Sub-processors
The current Sub-processor List (published in this documentation section) is incorporated by reference.
Annex C — Standard Contractual Clauses
Where Customer Data includes Personal Data subject to the GDPR or UK GDPR, the parties will execute the applicable Standard Contractual Clauses, which are incorporated into this DPA upon execution.
Signatures
Customer: Name / Title / Date
StoryCycle: Name / Title / Date