A baseline Data Processing Addendum, ready to sign.
This is Confinity's baseline DPA. It is designed to be signed as-is by Family-plan customers; Enterprise customers can negotiate changes via counsel. The ten sections below are an abbreviated preview of the bound document.
Version: 2026-Q2 | GDPR + UK GDPR + LGPD | SCC 2021/914 + UK DTA
The PDF is built from the same source as the preview below, so what you download always matches what you see here. Counsel reviews the final version before publication.
Preview
The ten sections at a glance.
1. Definitions
Plain-language definitions of Controller, Processor, Sub-processor, Personal Data, Processing, Special Category Data, and Data Subject, aligned with GDPR Article 4 and UK GDPR.
2. Subject matter and duration
The processing covered by this DPA is the performance of the Confinity service. Duration tracks the underlying service agreement.
3. Nature and purpose of processing
Confinity processes customer personal data to provide the service: authentication, memory storage and retrieval, messaging, billing, and customer support.
4. Categories of data subjects and personal data
Data subjects: the customer, authorised users of the customer, and contributors to a memorial created by the customer. Data categories: identifiers, account metadata, entry bodies, voice samples (ephemeral), contributor names.
5. Sub-processor engagement
Confinity engages sub-processors listed at /trust/centre/subprocessors. New sub-processors that touch customer content trigger a 14-day notice window to the customer.
6. International transfers
Transfers outside the EEA / UK rely on the Standard Contractual Clauses (2021/914) + UK DTA as appropriate. SCC modules per sub-processor are listed on the Sub-processors page and in /legal/scc-dta.
7. Security measures
TLS 1.3 in transit, AES-256 at rest, least-privilege access, MFA on admin consoles, quarterly restore drills, annual third-party pen-test, written incident-response plan with a 30-minute paging SLA.
8. Data-subject requests
Confinity assists the customer in responding to data-subject requests within the 30-day statutory window. DSARs can be raised at /app/settings/privacy or by email to privacy@confinity.com.
9. Personal data breach
Confinity notifies the customer without undue delay and in any event inside 72 hours of becoming aware of a personal data breach, per GDPR Article 33.
10. Deletion and return
On termination, Confinity returns customer data in an open export format and deletes remaining copies inside 30 days, save for backup tapes rotated out inside 90 days.
How to sign
For Family plans, downloading the PDF and signing it satisfies your side. Return it to privacy@confinity.com and we will counter-sign inside five business days. For Enterprise plans, contact us before signing.
Looking for more?
The Trust Centre indexes every honest doc we publish. The binding legal text sits below it.