Data Processing Agreement
This page is the plain-language summary of Sorby's Data Processing Agreement (DPA). It explains what the DPA covers, what is in it, and how to get a signed copy. The DPA itself is the legally operative document; if anything on this page is inconsistent with the executed DPA, the DPA controls.
Last updated: 2 May 2026.
Who needs a DPA
You should have a DPA in place with Sorby if any of the following is true:
- You are subject to the EU GDPR or the UK GDPR.
- Your customers, employees, or end users are located in the EU, EEA, or UK and their personal data may end up in your Sorby workspace (for example, in interview notes or research records).
- Your security or procurement team requires a signed DPA before approving a SaaS purchase.
- You are a US business subject to California's CCPA/CPRA and need to confirm Sorby's status as a "service provider".
If none of these applies you can still request a DPA — we will sign one.
Roles
Under GDPR, Sorby acts as the processor and you, the customer, act as the controller. You decide what personal data goes into your workspace and why; Sorby processes that data only on your documented instructions, which are to provide the Sorby Discovery service in accordance with our Terms of Service.
Sorby is not a joint controller. We do not use customer data for our own purposes. We do not train AI models on customer data. We do not sell or share customer data for advertising.
What the DPA covers
The Sorby DPA is built to satisfy Article 28 of the GDPR and the equivalent UK GDPR provisions. It maps as follows.
| Article 28 requirement | Where covered in our DPA |
|---|---|
| Subject matter, duration, nature, and purpose of processing | Section 2 ("Roles and Scope") and Annex I |
| Types of personal data and categories of data subjects | Annex I |
| Controller’s documented processing instructions | Section 3 ("Processor Obligations") |
| Confidentiality of personnel processing the data | Section 4 |
| Technical and organisational measures (Article 32) | Annex II |
| Engagement of sub-processors and prior authorisation | Section 6 and Annex III |
| Assistance with data-subject rights (Articles 12–22) | Section 3.5–3.6 |
| Assistance with security, breach notification, and DPIAs (Articles 32–36) | Section 3.5 |
| Personal-data-breach notification within 72 hours | Section 3.7 |
| Deletion or return of personal data at end of services | Section 8 |
| Audit and information rights | Section 5 |
| International data transfers (SCCs and UK IDTA) | Section 7 and Annex IV |
The DPA also includes the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum by reference, so a single signature covers both EEA and UK transfers.
Technical and organisational measures (Annex II, summary)
The full list lives in the executed DPA. Headline controls:
- Encryption. TLS 1.2+ in transit (TLS 1.3 where supported); AES-256 at rest for the primary database, backups, and identity records.
- Access control. Role-based access in-application; MFA available to every end user; production-database access restricted to a named two-person operations team and audited via Supabase connection logs.
- Tenant isolation. Every query scoped by workspace_id at the application layer, with server-side membership verification on every mutation; Postgres Row-Level Security policies in place as defence in depth.
- Audit logging. Append-only audit log of every workspace mutation, exportable by workspace admins.
- Backups. Daily automated backups in the same EU region as primary data; Point-in-Time Recovery has been enabled since the first paid customer was onboarded.
- Vulnerability management. Dependabot weekly; pnpm audit on every CI run; coordinated disclosure at security@sorby.io.
- Personnel. Confidentiality obligations apply to every person with access to customer data. Access removed within 24 hours of role change or departure.
- Incident response. Documented runbook; notification to affected customers within 72 hours of becoming aware of a personal-data breach.
See /security for the public version of these controls and for our compliance posture.
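To make the tenant-isolation control above concrete, here is an added example of the Postgres Row-Level Security layer it describes. This is illustrative code written for this page, not Sorby's schema or policies: the table, column, role and session-variable names (`workspaces`, `workspace_members`, `research_records`, `app_user`, `app.user_id`) are assumptions. It shows the defence-in-depth property the bullet claims: even if application code forgot to scope a query by `workspace_id`, the database itself returns only rows from workspaces the acting user is a member of, and refuses writes into any other workspace.

```sql
-- Illustrative Postgres schema. Table, column and role names are assumptions
-- for this example, not Sorby's real schema.
create table workspaces (
  id uuid primary key
);

create table workspace_members (
  workspace_id uuid not null references workspaces (id),
  user_id      uuid not null,
  role         text not null check (role in ('admin', 'member')),
  primary key (workspace_id, user_id)
);

create table research_records (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces (id),
  body         text not null
);

-- The application connects as a dedicated non-owner role. ENABLE turns RLS on
-- for that role; FORCE also applies it to the table owner, so a code path that
-- happens to run as the owner cannot silently bypass the policy.
create role app_user login;
grant select, insert, update, delete on research_records to app_user;
grant select on workspace_members to app_user;
alter table research_records enable row level security;
alter table research_records force row level security;

-- The application sets the acting user once per transaction with
--   set local app.user_id = '<user uuid>';
-- current_setting(name, true) returns NULL instead of raising when the setting
-- is absent, and nullif() guards against an empty string. A NULL user id
-- matches no membership row, so an unset context sees nothing (fail closed).
-- USING filters rows that can be read, updated or deleted; WITH CHECK rejects
-- inserted or updated rows that would land in a workspace the user is not in.
create policy research_records_member_isolation on research_records
  for all to app_user
  using (
    exists (
      select 1
      from workspace_members m
      where m.workspace_id = research_records.workspace_id
        and m.user_id = nullif(current_setting('app.user_id', true), '')::uuid
    )
  )
  with check (
    exists (
      select 1
      from workspace_members m
      where m.workspace_id = research_records.workspace_id
        and m.user_id = nullif(current_setting('app.user_id', true), '')::uuid
    )
  );

-- Constructed sample data: two workspaces and one user who belongs only to A.
insert into workspaces (id) values
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa'),
  ('bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb');
insert into workspace_members (workspace_id, user_id, role) values
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '11111111-1111-4111-8111-111111111111', 'admin');
insert into research_records (workspace_id, body) values
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'interview note in workspace A'),
  ('bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb', 'interview note in workspace B');

-- Exercise the policy as the application role, acting for the workspace-A user.
set role app_user;
begin;
set local app.user_id = '11111111-1111-4111-8111-111111111111';
select body from research_records;                 -- read: filtered by USING
insert into research_records (workspid, body)      -- (typo guard: see note below)
  values ('bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb', 'cross-tenant write');
rollback;
reset role;
```

Running this against a scratch database, the unscoped `select` returns only the workspace-A record, and a corrected cross-tenant `insert` (column `workspace_id`; the deliberate `workspid` above simply errors as an unknown column before the policy is consulted, so replace it with `workspace_id` to see the policy fire) fails with `new row violates row-level security policy for table "research_records"`. Two points a reviewer of such a control should check: RLS only binds roles it is enabled and forced for, so superusers, roles with `BYPASSRLS` and, without `FORCE`, the table owner all see everything, which is why production-database access by operators (the two-person team above) has to be governed by access control and connection logging rather than by the policy; and on Supabase the same policy would normally key on `auth.uid()`, which Supabase derives from the caller's JWT, instead of a custom session setting.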
Sub-processors
The DPA grants general authorisation for engaging sub-processors on the published list, with at least 30 days' advance notice of additions or replacements. You may object to a new sub-processor on reasonable data-protection grounds and, if we cannot agree on a resolution within 30 days, terminate the affected workspace with a pro-rated refund.
Current list: /legal/sub-processors.
Breach notification
If we become aware of a personal-data breach affecting your workspace, we will notify you without undue delay and in any case within 72 hours, by email to every workspace admin. The notification will describe: what happened, what data was involved, what we have already done, what you may need to do, and a contact for follow-up. A written post-mortem follows within 30 days.
Your rights as controller
- Audit. Once per twelve months, on at least 30 days' written notice, with reasonable scope and during normal business hours, with costs borne by you except where the audit reveals material non-compliance. Once we have a SOC 2 report (target: Q2 2027), you agree to accept that report in lieu of an on-site audit.
- Sub-processor objection. Object within 30 days of notice; if you object and we cannot resolve within 30 days, terminate the affected workspace with a pro-rated refund.
- Data export. Receive your workspace data via CSV at any time during the term and during the 30-day post-termination grace window.
- Deletion. All personal data deleted within 60 days of contract termination — see retention timeline.
Data-subject rights
If an end user contacts Sorby directly to exercise GDPR rights with respect to data held in your workspace, we will not action the request ourselves. We will route it to your workspace admin's registered email, identify ourselves as the processor, and assist you in fulfilling the request as required by Article 28(3)(e). If an end user is exercising rights with respect to their Sorby account itself (their identity record, not workspace content), we will action the request directly.
How to request a signed DPA
Use our contact form and include:
- Your legal entity name and registered address.
- The Sorby workspace(s) the DPA should cover.
- The name and email of the signatory.
- Whether you require execution via DocuSign, your own e-signature platform, or PDF.
We respond within 2 business days with our standard DPA. The standard DPA can be executed without changes; if your legal team requires markup, we will work with you. We do not charge for the DPA, and we do not gate it behind a paid plan. We will not delay closing a deal over DPA mechanics.
Governing law and updates
The DPA is governed by the law specified in the executed copy (defaulting to the law of the customer's country of establishment within the EEA or the UK; otherwise English law). It updates when (a) the underlying SCCs are revised by the European Commission, (b) we add a sub-processor in a new jurisdiction, or (c) a regulator issues binding guidance that requires an amendment. Material updates are notified to every customer with an executed DPA at least 30 days in advance.
Ready to start the conversation
Use our contact form and we will reply within 2 business days.