Data Processing Agreement (DPA)
Last updated: 2026-05-28.
This DPA forms part of the Terms of Service and applies where Talking Unicorn (the "Processor") processes Personal Data on behalf of a B2B customer (the "Controller") in the course of providing the service. By signing up as a tenant or by separate written acceptance, the Controller and Processor agree to the terms below.
This document is the template form. We can countersign a copy on request — write to legal@talkingunicorn.email with the legal entity name and signing contact. We can also accept your standard form provided it doesn't materially differ from the rights and obligations laid out here.
1. Definitions
Terms in initial capitals not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the California Consumer Privacy Act / CPRA, as applicable to the Controller's jurisdiction.
"Personal Data" means any data in the Controller's tenant that identifies or could identify a natural person.
"Subprocessor" means any third party engaged by the Processor to assist in providing the service. The current list is at /legal/subprocessors.
"Standard Contractual Clauses" or "SCCs" means the EU Commission's 2021 SCCs, Module 2 (Controller-to-Processor), and the UK ICO's International Data Transfer Addendum.
2. Subject matter, nature, and purpose
The Processor processes Personal Data submitted by the Controller and its end users into the Talking Unicorn service for the purpose of providing:
- Email sending, receiving, storage, and retrieval (IMAP, SMTP, mobile apps, web app);
- Optional AI features the Controller has enabled (drafting, summary, retrieval-augmented search);
- Billing, support, and abuse detection.
The duration of processing is the term of the Controller's subscription, plus the retention periods in §6.
3. Categories of data and data subjects
- Data subjects: the Controller's employees, contractors, customers, vendors, and anyone whose Personal Data is included in messages they send or receive via the service.
- Categories: identifiers (name, email), contact details, professional information, the content of communications, attachments, and the metadata associated with the above.
4. Controller obligations
The Controller represents that it has the right to share with the Processor any Personal Data it submits to the service, and that it has provided any notices and obtained any consents required under applicable law.
5. Processor obligations
The Processor will:
- Process Personal Data only on the Controller's documented instructions, including with respect to international transfers, unless required to do so by EU/UK/US law (in which case the Processor will inform the Controller before processing, unless prohibited by that law).
- Ensure that personnel authorised to process the Personal Data are committed to confidentiality.
- Implement appropriate technical and organisational measures, as described in the Trust & Security page at /legal/trust.
- Engage Subprocessors only with the Controller's general authorisation, in accordance with §7 below.
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data subject requests.
- Assist the Controller in ensuring compliance with security, breach notification, and DPIA obligations.
- At the Controller's choice, delete or return Personal Data after the end of the provision of services, save where retention is required by law.
6. Retention
While the subscription is active, Personal Data is retained according to the Controller's configured retention policies (see /admin/storage-policy).
After cancellation, data is retained:
- Active mailboxes: 60 days post-cancellation (recoverable);
- Backups: 90 days;
- Operator audit log: life of account + 90 days.
The Controller may request earlier deletion at any time by emailing privacy@talkingunicorn.email with a written instruction from a signatory.
7. Subprocessors
The Processor's current Subprocessors are published at /legal/subprocessors. The Processor gives the Controller at least 30 days' notice before adding or replacing a Subprocessor. If the Controller objects on reasonable grounds relating to data protection, the Controller may terminate the affected service on notice and receive a pro-rata refund of any prepaid unused service.
The Processor remains liable to the Controller for the performance of any Subprocessor's obligations under this DPA.
8. International transfers
Personal Data may be transferred to and processed in jurisdictions outside the European Economic Area, the United Kingdom, or the Controller's home jurisdiction, as listed in /legal/subprocessors. Where required, such transfers are governed by:
- The EU Standard Contractual Clauses (Module 2);
- The UK International Data Transfer Addendum;
- Or, where available, the EU-US Data Privacy Framework / UK Extension.
The Controller hereby authorises the Processor to enter into the SCCs with relevant Subprocessors on the Controller's behalf, with the Controller as the data exporter and the Subprocessor as the data importer.
9. Security incidents
The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting the Controller's data, providing the information required by GDPR Article 33(3) to the extent then available.
Initial notice goes to the email on file for the tenant admin and may be followed by phone if the impact warrants.
10. Audits
Once per twelve-month period, on at least 30 days' written notice and under reasonable confidentiality terms, the Controller may audit the Processor's compliance with this DPA, either by reviewing the Processor's most recent third-party audit reports (when available) or by sending up to two representatives for a remote review. The Controller pays its own costs of audit; the Processor will not charge for reasonable cooperation.
11. Governing law
This DPA is governed by the law specified in the Terms of Service. If the Controller is in the EEA or UK, mandatory provisions of EU or UK data protection law take precedence over any conflicting provision of this DPA.
12. Order of precedence
If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of Personal Data. If there is a conflict between this DPA and an annex (such as the SCCs), the annex controls.
This is a template. We are not your lawyer. Have your counsel review this DPA against your specific obligations before signing.