Draft — not legal advice
This document is an AI-prepared draft awaiting review by a qualified lawyer. Do not rely on it as a final statement of your rights or our obligations until the “DRAFT” line is removed from the source markdown.
Data Processing Agreement (Sub-Processor List)
DRAFT — not legal advice. This document is an AI-prepared draft. It must be reviewed and finalised by a qualified lawyer (GDPR Art. 28 + Standard Contractual Clauses) before public use. This page is intended as a customer-facing sub-processor transparency notice, not as a full Article 28 contract — full DPAs are signed directly with our processors.
Effective date: 23rd May 2026
Last updated: 23rd May 2026
This page lists the third-party service providers ("sub-processors") that process personal data on behalf of Branchwriter, and the safeguards under which each transfer is made. It supplements our Privacy Policy §5.
If you are a business that needs a signed Article 28 GDPR Data Processing Agreement with us (for example, because you sponsor a paid subscription for your employees and Branchwriter therefore processes data on your behalf), email {{PRIVACY_EMAIL}} — we can sign a standard DPA.
For ordinary reader subscriptions Branchwriter is the controller, not a processor of your data, and what follows is for transparency only.
1. Sub-processor list
| Processor | Role | Categories of data | Where it is processed | Transfer safeguard |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing (card, SEPA, Apple/Google Pay), subscription management, fraud detection, VAT calculation, refunds | Customer name (if provided to Stripe), email, card / payment method, billing address, country of residence, purchase history with Branchwriter | Ireland (primary) with onward transfers to Stripe Inc. (US) | EU SCCs (Commission Decision 2021/914) + Stripe's binding corporate rules; Stripe's EU–US Data Privacy Framework certification |
| Resend Inc. | Outbound email (magic-link sign-in, billing receipts, chapter publish digests, refund correspondence) | Email address, message content, delivery telemetry (opens / bounces) | United States | EU SCCs; Resend EU–US DPF certification (verify currency before publishing) |
| Functional Software, Inc. dba Sentry | Server and client error logging (stack traces, request URL, user ID if signed in, browser version) | User ID (opaque), email if attached to error report, IP at time of error, request metadata | United States | EU SCCs; Sentry EU–US DPF certification |
| Discord, Inc. (only when you choose to link Discord) | Granting Premium / Patron / Vanguard roles in our community server | Discord user ID, server membership state | United States | EU SCCs; consent-based (Art. 6(1)(a)) |
| Hetzner Online GmbH | Hosting (read.engramia.dev), database, off-site encrypted backups via Storage Box | All Branchwriter data, in storage and in transit through our servers | Germany (Falkenstein / Nuremberg) and Finland (Helsinki) for the Storage Box | None required — EEA processing |
| Cloudflare, Inc. (under evaluation — confirm or remove before publishing) | Edge proxy and DDoS protection | IP address, request metadata | Global edge network | EU SCCs; Cloudflare EU–US DPF certification |
| Anthropic, PBC (used by the author offline; not for reader data) | Drafting chapter prose from author-supplied prompts and world-bible material | No reader personal data is sent. Only author prompts, the style guide, and the world bible. | United States, via the author's own subscription | Not a processor of reader data; listed for transparency |
We do not use any of the following: third-party analytics tools that profile readers; advertising networks; data brokers; cross-site tracking; affiliate programmes that share personal data with networks.
2. Security commitments
Every sub-processor above has signed at least one of: (i) the EU Standard Contractual Clauses, (ii) a written Article 28 GDPR Data Processing Agreement, or (iii) terms equivalent to the above where the processor is established in the EEA.
Branchwriter's own security measures are summarised in our Privacy Policy §10 and include:
- TLS 1.2+ for all traffic in transit
- Encryption at rest (LUKS on the host volume; GPG AES-256 for off-site backups)
- Magic-link sign-in (no password storage); hashed verification tokens
- Role-based access control (4 tiers); double-guarded at layout and action level
- Stripe webhook signature verification (no unauthenticated payment events accepted)
- IP and per-account rate limiting on authentication and voting
- Audit logging of administrator actions
- Daily off-site encrypted backups to a separate EU region; restore drills documented in our runbooks
3. Sub-processor changes
If we add, remove, or materially change a sub-processor:
- We will update this table.
- For material additions that affect the location or category of data processed, we will give at least 30 days' notice by email to active subscribers.
- Business customers who have signed an Article 28 DPA with us may object in writing within the notice period; if we cannot resolve the objection we will both work toward an orderly termination.
For ordinary readers, your remedy in case of objection is to close your account from Account → Danger zone before the change takes effect.
4. Contact
Privacy and DPA matters: {{PRIVACY_EMAIL}}.