Forthwith LLC

Data Processing Agreement

This DPA forms part of the Terms of Service between Forthwith LLC (“Processor”) and the customer (“Controller”), and governs the processing of Personal Data by Processor on behalf of Controller in connection with the Service. Effective date: April 15, 2026.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person under applicable data protection laws.
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "GDPR" means Regulation (EU) 2016/679.
  • "Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Controller.

2. Roles of the Parties

  • Controller determines the purposes and means of the Processing of Personal Data.
  • Processor processes Personal Data only on behalf of Controller and in accordance with this DPA.

3. Scope of Processing

3.1 Subject Matter

Processing of Personal Data submitted by Controller through the Service for translation and related workflows.

3.2 Duration

Processing continues for the duration of the Agreement and until deletion in accordance with Section 10.

3.3 Nature and Purpose

  • Translation of submitted text using third-party model providers
  • Storage and retrieval of translation jobs
  • Service operation, debugging, and support

3.4 Categories of Data Subjects

  • Controller's end users
  • Employees or contractors
  • Individuals whose data is included in submitted content

3.5 Categories of Personal Data

  • Text content submitted for translation (which may contain personal data)
  • Account identifiers and metadata
  • Technical and usage data (e.g., IP address, request metadata)

4. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure personnel are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures
  • Assist Controller in meeting GDPR obligations where applicable
  • Notify Controller of any Personal Data Breach without undue delay

5. Subprocessors

Controller authorizes Processor to engage the following Subprocessors:

  • Google — translation processing
  • OpenAI — translation processing
  • Anthropic — translation processing
  • Stripe — billing and payment processing
  • Amazon Web Services (SES) — email delivery
  • Hetzner Online, Inc. — hosting and infrastructure

Processor shall:

  • Impose data protection obligations on Subprocessors
  • Remain responsible for Subprocessor performance
  • Notify Controller of material changes

6. International Transfers

Processor and its Subprocessors may process Personal Data outside the European Economic Area.

Where required, Processor relies on:

  • Standard Contractual Clauses (SCCs)
  • Supplementary safeguards

7. Security Measures

Processor implements appropriate security measures, including:

  • Encryption in transit (TLS)
  • Access controls
  • Authentication mechanisms
  • Logging and monitoring

8. Data Subject Rights

Processor shall assist Controller in responding to data subject requests where reasonably possible.

9. No Training on Customer Data

Processor does not use Personal Data submitted by Controller to train its own models or those of its Subprocessors.

10. Data Retention and Deletion

  • Translation content is generally deleted within approximately 30 days
  • Controller may request deletion at any time
  • Data is deleted upon termination unless required by law

11. Audit Rights

Processor shall make available reasonable information to demonstrate compliance.

Audits must be reasonable in scope, frequency, and notice.

12. Liability

Liability is subject to the limitations in the Agreement unless otherwise required by law.

13. Governing Law

This DPA is governed by the law specified in the Agreement.

14. Order of Precedence

This DPA prevails over conflicting terms in the Agreement with respect to data protection.

15. Contact

For privacy inquiries: support@forthwith.dev

Annex: EU Standard Contractual Clauses (Module 2)

For transfers of Personal Data from the EEA, UK, or Switzerland to non-adequate jurisdictions, the parties incorporate the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), as follows:

  • Clause 7 (Docking): Applies.
  • Clause 9 (Subprocessors): Option 2 (general authorization) applies.
  • Clause 11 (Redress): Optional language does not apply.
  • Clause 17 (Governing Law): Ireland.
  • Clause 18 (Forum): Courts of Ireland.

Annex I

A. Parties

  • Exporter (Controller): Customer
  • Importer (Processor): Forthwith LLC — support@forthwith.dev

B. Transfer Description

  • Data Subjects: End users, employees, contractors, included individuals
  • Personal Data: Translation content, account metadata, technical data
  • Sensitive Data: Not required but may be included by Controller
  • Frequency: Continuous
  • Purpose: Translation, storage, support
  • Retention: ~30 days for content; longer for metadata
  • Subprocessors: As listed above

C. Supervisory Authority

Determined per GDPR.

Annex II — Security Measures

  • Encryption in transit
  • Access controls
  • Authentication systems
  • Logging and monitoring
  • Data minimization

Annex III — Subprocessors

  • Google
  • OpenAI
  • Anthropic
  • Stripe
  • AWS (SES)
  • Hetzner Online, Inc.

UK and Switzerland Addendum

  • UK GDPR applies where relevant
  • UK Addendum incorporated
  • Swiss FADP applies where relevant