Data Processing Addendum
The terms under which TheAccessible.org processes Customer Personal Data on behalf of business customers, including GDPR/UK-GDPR obligations and Standard Contractual Clauses.
- Version: 1.0
- Published: April 21, 2026
- Next review: April 21, 2027
- Approved by: Larry Anglin
1. Purpose
This Data Processing Addendum ("DPA") supplements the Terms of Service between Customer and TheAccessible.org ("Provider") and governs Provider's processing of Customer Personal Data on Customer's behalf.
If you require a signed counterpart, email legal@theaccessible.org with your organization name and the primary contact. We will return a countersigned copy within 5 business days.
2. Definitions
Terms used but not defined here have the meanings given to them in the GDPR, UK GDPR, or CCPA/CPRA as applicable.
- Customer Personal Data — personal data processed by Provider on behalf of Customer in connection with the Service.
- Data Subject — an identified or identifiable natural person.
- Standard Contractual Clauses (SCCs) — the European Commission's Decision 2021/914 module 2 (Controller-to-Processor) clauses, or module 3 (Processor-to-Processor) where applicable.
- UK IDTA — the UK International Data Transfer Addendum to the SCCs.
Other capitalized terms follow the Terms of Service.
3. Roles
For Customer Personal Data processed through the Service, Customer is the controller (or processor, where Customer is itself acting for a third-party controller) and Provider is the processor. Each party will comply with its obligations under applicable data-protection laws.
4. Subject matter, duration, nature and purpose
| Subject matter | Processing Customer Personal Data to provide the Service |
| Duration | The term of the Terms of Service |
| Nature and purpose | Document accessibility remediation, related tooling, account management, billing |
| Types of personal data | Account data (name, email, organization); document content submitted by Customer or its users; usage logs |
| Categories of data subject | Customer's employees, users, and end-users whose data appears in submitted documents |
5. Customer instructions
Provider processes Customer Personal Data only on Customer's documented instructions, including as set out in the Terms of Service and this DPA. If Provider believes an instruction violates data-protection law, Provider will tell Customer and may pause processing until resolved.
6. Confidentiality
Personnel authorized to process Customer Personal Data are bound by written confidentiality obligations or equivalent statutory duties.
7. Security
Provider maintains the technical and organizational measures described in the Security Overview, and will not materially weaken them during the term of this DPA. Customer is responsible for configuring its own use of the Service (e.g., strong passwords, MFA, access management) appropriately.
8. Subprocessors
8.1 Current list
The current subprocessor list is published at Subprocessors and is incorporated into this DPA.
8.2 General authorization
Customer grants Provider general authorization to engage the listed subprocessors, subject to §8.3.
8.3 Notice and objection
Provider will give at least 30 days' prior notice before engaging a new subprocessor for Customer Personal Data (by updating the list and emailing the primary contact on the account). Customer may object to a new subprocessor on reasonable data-protection grounds during that window. If the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rata refund of pre-paid fees for the unused period.
8.4 Flow-down
Provider will impose on each subprocessor obligations substantially similar to those in this DPA by contract.
9. Data subject rights
Taking into account the nature of the processing, Provider will assist Customer in fulfilling its obligations to respond to data-subject rights requests, through:
- The self-service controls in the Service (export, deletion, etc.).
- The DSAR Procedure.
- Ad-hoc assistance where the above are insufficient, at Provider's then-current professional-services rates or as included in the order form.
10. International transfers
Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a jurisdiction without an adequacy decision, the parties rely on:
- The SCCs (Module 2 or 3 as applicable), incorporated into this DPA by reference, with the following selections:
  - Clause 7 (Docking Clause): included.
  - Clause 9(a) (Use of sub-processors): option 2 (general written authorization), with the 30-day notice period in §8.3.
  - Clause 11 (Redress): optional language excluded.
  - Clause 17 (Governing law): the law of the Republic of Ireland.
  - Clause 18 (Choice of forum): the courts of Ireland.
  - Annex I (Parties, description of processing, competent supervisory authority): filled in from Customer's account details and §4 of this DPA.
  - Annex II (Technical and organizational measures): the Security Overview.
  - Annex III (Sub-processors): the published Subprocessors list.
- The UK IDTA, incorporated for UK transfers.
- Equivalent safeguards for Swiss transfers.
11. Personal-data breach
Provider will notify Customer of a personal-data breach affecting Customer Personal Data without undue delay and in any event within 72 hours of confirmation, per our Breach Notification Policy. The notification will include the information required by GDPR Article 33(3).
12. Return and deletion
Upon termination of the Service, and at Customer's choice, Provider will return or delete Customer Personal Data within 30 days, except where applicable law requires continued retention (see the Data Retention Policy for specifics, including billing records). Customer may also self-serve deletion through the Service at any time.
13. Audits
Provider will make available to Customer all information necessary to demonstrate compliance with this DPA, and will allow for audits (including inspections) by Customer or an auditor mandated by Customer, subject to:
- Reasonable advance notice (at least 30 days, except in the event of a breach).
- Execution of confidentiality obligations.
- Scope limited to information reasonably necessary to assess compliance.
- Frequency of at most once per year, unless required more frequently by a supervisory authority.
Where available, Provider will satisfy audit obligations by providing copies of third-party attestations (e.g., SOC 2) under NDA, in lieu of on-site audits. See the Security Overview §12 for the status of such attestations.
14. CCPA/CPRA addendum
For Customer Personal Data subject to CCPA/CPRA:
- Customer is a business and Provider is a service provider as those terms are defined in the CCPA/CPRA.
- Provider will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship with Customer; or (c) combine Personal Information received from or on behalf of Customer with data received from any other source, except as permitted by regulation.
- Provider certifies that it understands these restrictions and will comply with them.
15. Liability
The parties' liability under this DPA is governed by the limitations in the Terms of Service §12.
16. Conflicts
If there is a conflict between this DPA and the Terms of Service, this DPA prevails on matters of personal-data protection. If there is a conflict between this DPA and the SCCs, the SCCs prevail.
17. Changes
Provider may update this DPA from time to time. Material changes will be announced at least 30 days in advance by email to the primary contact and by updating the effective date at the top of this page.
18. Contact
- Legal notices: legal@theaccessible.org
- Privacy matters: privacy@theaccessible.org
- Signed counterpart requests: legal@theaccessible.org