Effective date: July 3, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Ghosts ("Ghosts," "we," "us") and the customer that accepts our Terms of Use or another written agreement referencing this DPA ("Customer," "you") (together, the "Agreement"). It applies whenever we process personal data on your behalf in the course of providing ghosts.app and the Ghosts platform (the "Service"). This DPA applies automatically to all paid workspaces. If you need a countersigned copy for your records, see Section 10.
For the briefs, notes, uploads, drafts, revisions, and other material you and your workspace members submit to or generate in the Service ("Customer Content"), you are the controller (or, where you act for your own clients, a processor) and Ghosts is your processor within the meaning of Article 28 of the EU General Data Protection Regulation ("GDPR") and equivalent laws. For account, billing, and usage data we collect to run the Service, Ghosts is an independent controller, and our Privacy Policy applies instead of this DPA.
Subject matter. Processing of Customer Content to provide the Service under the Agreement.
Duration. The term of the Agreement, plus the deletion period in Section 7.
Nature and purpose. Hosting and storing Customer Content; generating, scoring, fact-checking, and revising drafts you request; running research you enable; maintaining your content library; and providing support you ask for.
Categories of personal data. Any personal data you choose to include in Customer Content, typically names, contact details, professional information, and other information about the people your content concerns. You control what you submit; the Service does not require special-category data, and you agree not to submit it unless your use case requires it and the law permits it.
Categories of data subjects. Your personnel and workspace members, your clients and their personnel, and other individuals referenced in the material you submit.
(a) Documented instructions. We process Customer Content only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to us, in which case we will inform you before processing unless that law prohibits it. The Agreement, this DPA, and your use of the Service's settings and features are your documented instructions. We will tell you if, in our opinion, an instruction infringes applicable data protection law.
(b) Confidentiality. Every person we authorize to process Customer Content is bound by a contractual or statutory duty of confidentiality.
(c) Security. We implement and maintain the technical and organizational measures described in the Security Measures annex (Section 9), consistent with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.
(d) Subprocessors. You give us general authorization to engage subprocessors to provide the Service. Our current list is published at /legal/subprocessors. We will give workspace administrators at least 30 days' notice before adding a new subprocessor. If you object on reasonable data-protection grounds within that period and we cannot offer a workaround, you may terminate the affected services and receive a prorated refund of prepaid fees. We impose data-protection obligations on each subprocessor that are no less protective than this DPA, and we remain responsible for their performance.
(e) Data-subject rights. Taking into account the nature of the processing, we assist you with appropriate technical and organizational measures, insofar as this is possible, in fulfilling your obligation to respond to data-subject requests (access, rectification, erasure, restriction, portability, and objection). If a data subject contacts us directly about Customer Content, we will refer them to you and will not respond except on your instruction or where required by law.
(f) Breach notification and assistance. We will notify you without undue delay, and in any event within 72 hours of confirming a personal data breach affecting Customer Content. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and the measures taken or proposed. We will also provide reasonable assistance with your data protection impact assessments and prior consultations with supervisory authorities, insofar as they relate to our processing.
(g) Deletion or return. At termination of the Agreement, at your choice, we will delete or return all Customer Content containing personal data and delete existing copies, unless law requires us to retain it. Deleted data leaves production systems promptly and is removed from encrypted backups within 30 days as those backups expire. Where a legal obligation (such as a court preservation order) requires retention, we will isolate the affected data from further processing and delete it when the obligation ends.
(h) Demonstrating compliance. We will make available the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits may occur no more than once per year, on reasonable prior notice, during business hours, at your cost, and subject to our confidentiality and security requirements. We will first satisfy audit requests with existing documentation and third-party reports where they reasonably address your questions.
We are based in the United States and process Customer Content there and in the regions where our subprocessors operate. Where the processing involves a transfer of personal data from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference: Module Two applies where you are a controller, and Module Three applies where you are a processor acting for your own controllers. For UK transfers, the ICO's International Data Transfer Addendum applies to the Clauses. The details of the processing in Section 2, the subprocessor list, and the Security Measures annex complete the appendices to the Clauses.
We will reasonably cooperate with you in dealings with supervisory authorities that concern our processing of Customer Content, and will promptly inform you of any legally binding request for disclosure of Customer Content by a public authority unless prohibited from doing so.
Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except where applicable data protection law does not permit such limitation.
This DPA takes effect when the Agreement takes effect and remains in force as long as we process Customer Content on your behalf, including the deletion period in Section 3(g).
If this DPA conflicts with the Agreement, this DPA controls with respect to the processing of personal data in Customer Content. If the Standard Contractual Clauses apply and conflict with this DPA, the Clauses control.
This DPA applies automatically to paid workspaces without further action. If your compliance program requires a countersigned copy, email [email protected] and we will provide a signature version.
Questions about this DPA: [email protected].