Trust · Legal

The DPA.

Our Data Processing Agreement incorporates the EU Standard Contractual Clauses (2021) and the UK IDTA Addendum. Request a copy below; we counter-sign for self-serve customers and accept counsel-to-counsel redlines for Enterprise.

What's in it

The Felarity DPA defines the legal framework for how we process customer data on your behalf. It establishes that Felarity is the data processor and you are the data controller with respect to the personal data contained in your meetings, transcripts, and intelligence reports. The agreement covers:

Processing instructions — the scope, nature, and purpose of processing is limited to what is necessary to deliver the Felarity service as described in your Order Form.
Security measures — technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, audit logging, and Ed25519-signed attestation chains for every meeting record.
Sub-processors — the current, authoritative list is published at /trust/subprocessors/. We provide thirty days' notice before adding or replacing a sub-processor, and you retain the right to object.
International transfers — the EU SCCs (Module 2: controller-to-processor, 2021/914) and the UK International Data Transfer Addendum are incorporated as exhibits and govern any transfer outside the EEA or UK.
Audits — we provide our most recent compliance documentation and a completed CAIQ on request under NDA. Annual on-site audit rights are reserved for Enterprise customers with reasonable notice.
Return and deletion — on termination, we return or delete customer personal data within thirty days, and certify deletion in writing on request.
Breach notification — we notify you without undue delay and in any event within seventy-two hours of becoming aware of a personal data breach affecting your data, with the detail required under GDPR Article 33(3).

Available editions

We offer two paths depending on your tier and procurement posture.

Self-serve · Starter & Professional Negotiated · Enterprise

The self-serve DPA is our standard, non-negotiable form. We send it through DocuSign within two business days of your request; both parties sign electronically and you receive a counter-signed PDF. It is appropriate for Starter and Professional subscriptions and covers the vast majority of GDPR and UK GDPR compliance use cases.

The negotiated DPA is available to Enterprise customers. Your counsel sends redlines against our master form; our legal team responds within five business days. We accept reasonable changes to indemnity, liability caps, audit cadence, and notification timelines. We do not negotiate the SCC text itself (it is fixed by the European Commission) or our sub-processor list.

Request the DPA

Fill out the form below. We send the DPA from legal@felarity.com; check your filters if you don't see it within one business day.

What to expect

Acknowledgement within one business day. A real person from our legal team will confirm receipt and route your request.
DocuSign within two business days for self-serve. Sign electronically; you'll receive a counter-signed PDF the same day.
Redlines turnaround within five business days for Enterprise. We mark up against your draft (or send our master for your counsel to mark up) and schedule a working session if it helps move things forward.
Sub-processor change notice. Once executed, you'll be added to the notification list for any future sub-processor changes — thirty days in advance, with a documented objection window.

Questions or escalations: legal@felarity.com. For the current sub-processor list, see /trust/subprocessors/. For our broader compliance posture, see /trust/.

Last updated: June 7, 2026