schema theory

data processing addendum

last updated 6 june 2026

This DPA forms part of our terms of service and applies where Schema Theory processes personal data on a business customer's behalf — principally personal data inside the properties and accounts the customer connects. For data we process for our own purposes, we act as an independent controller under the privacy policy.

roles & details (art. 28)

Processor: Mikhail Galustov (EI), trading as Schema Theory. Controller: the Customer. Subject-matter: processing needed to provide the service. Duration: the engagement plus the periods in the terms. Nature/purpose: crawling, fetching, measuring, analysing, scoring, generating briefs and fixes. Data subjects: the Customer's visitors, customers, leads, staff. Data: as in the privacy policy; special-category data must not be routed through the service unless agreed in writing.

our obligations

We process personal data only on the Customer's documented instructions (including the terms, the service configuration, and the act of connecting properties); ensure the confidentiality of authorised personnel; apply the security measures below; respect the sub-processor conditions; assist the Customer with data-subject requests and with its obligations under Articles 32–36; and, at the Customer's choice, delete or return personal data at the end of provision, subject to the carve-out below.

sub-processors

The Customer gives general authorisation for us to engage sub-processors, listed at schematheory.org/subprocessors. We give notice of intended additions or replacements and allow objection on reasonable data-protection grounds within 14 days of that notice. We impose equivalent data-protection obligations on sub-processors and remain liable for their performance.

security (art. 32)

Encryption in transit; access controls and least privilege; EU/EEA residency where feasible; secure storage of credentials and tokens; logging and monitoring; vendor due diligence; staff confidentiality; incident response; backup and recovery. Full measures available on request.

breach notification

We notify the Customer without undue delay after becoming aware of a personal-data breach affecting their data, and assist with their notification duties (Arts. 33–34).

international transfers

Where processing the Customer's personal data involves a transfer outside the EEA without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Modules 2 and/or 3), with annexes populated from this DPA, plus supplementary measures.

return or deletion — and retained rights

On termination, at the Customer's choice, we return or delete the Customer's personal data processed as processor within 30 days, unless retention is required by law. This does not apply to, and we may retain and continue to use indefinitely: aggregated and irreversibly anonymised data; service data and derived data generated in operating the service; the Corpus; and models, embeddings, rubrics, and benchmarks trained or improved using any of the foregoing — because these are not, or no longer constitute, the Customer's personal data.

audits

On reasonable notice, no more than once per year (unless required by a regulator or following an incident), the Customer may verify compliance via a written questionnaire and, where genuinely necessary, an audit under confidentiality that does not compromise other customers' data. We may satisfy audit rights through third-party reports.

signing

Business customers who need a counter-signed copy can request one at [email protected].