Legal
Data Processing Agreement
This data processing agreement (DPA) describes how Verbaterm and its operators process personal data on behalf of a customer when the customer uses Verbaterm features that involve customer-provided content. It supplements the privacy policy and terms of service.
Last updated: July 12, 2026
1. Scope and roles
When a customer account pastes policy text or otherwise submits content that may contain personal data, the customer determines the purpose and means of that processing and acts as controller (or equivalent). Verbaterm processes that customer content to provide the requested review and related product features and acts as processor (or equivalent) for that content.
For Verbaterm’ own account administration, billing, security, public library operation, and product analytics needed to run the service, Verbaterm acts as an independent controller. Those activities are described in the privacy policy.
2. Subject matter and duration
The subject matter is the processing of customer-provided content and related review artifacts needed to deliver Verbaterm private-review and account features. Processing lasts for the duration of the customer’s use of those features and any retention period required to complete deletion, security, or legal obligations.
3. Nature and purpose of processing
- Receive and store pasted or submitted content for review.
- Analyze content through the Verbaterm review pipeline, which may include AI processing via OpenRouter and underlying model providers.
- Generate, display, and store findings, citations, summaries, and user feedback tied to the review.
- Enforce usage limits, provide history/delete controls, and support account operations.
4. Types of personal data and data subjects
Customer content may incidentally include names, contact details, account identifiers, or other personal data that appear inside a policy document or accompanying notes. Data subjects may include the customer’s personnel, end users described in a policy, or other individuals whose information appears in submitted text. Verbaterm does not require customers to submit special-category data and asks customers not to paste unnecessary sensitive personal data.
5. Customer instructions
Verbaterm will process customer content only to provide the service, follow documented product controls (such as delete), comply with law, or act on documented customer instructions through the product interface. If Verbaterm cannot follow an instruction without violating law, it will explain the limitation where legally permitted.
6. Confidentiality and security
Verbaterm requires personnel and processors with access to customer content to protect it and limit access to what is needed to operate the service. Technical and organizational measures include account authentication, access controls for admin surfaces, encrypted transit, and deletion controls for private reviews. No security measure is perfect; customers remain responsible for deciding what text to submit.
7. Subprocessors
Customer content may be processed by subprocessors needed to run Verbaterm, including authentication (Clerk), payments (Stripe) when billing features are used, AI review routing (OpenRouter and model providers), and hosting/database infrastructure. Verbaterm remains responsible for subprocessor performance under this DPA to the extent required by applicable law.
8. International transfers
Verbaterm and its subprocessors may process data in the United States or other countries where they operate. Where a transfer mechanism is required, Verbaterm will rely on appropriate contractual or legal transfer tools offered by its providers or required by law.
9. Assistance, deletion, and return
Customers can access, export where the product supports it, or delete private reviews through account history controls. Deleting a review removes stored text, generated review content, citations, and finding feedback together. Upon account closure or written request through available support channels, Verbaterm will delete or return customer content from active systems within a reasonable period, except data retained for security, dispute, tax, or legal compliance.
10. Audit and compliance information
Because Verbaterm is a small self-serve product, formal on-site audits are not a default entitlement. Upon reasonable written request, Verbaterm will provide available documentation about security and processing practices to the extent needed to demonstrate compliance with this DPA, subject to confidentiality and without disclosing other customers’ data.
11. Liability and precedence
Liability related to processing under this DPA is subject to the limitations in the legal notice and terms of service, except where prohibited by law. If there is a conflict about personal-data processing of customer content, this DPA controls for that subject. For all other topics, the legal notice and terms of service control.
12. Contact
DPA questions should be directed to Verbaterm and its operators through the product’s existing support channels.