DPA

Data processing addendum.

This page describes the data-processing terms StoryHQ is prepared to apply where a workspace customer uses StoryHQ to process personal data in uploaded material, workspace records, reports, messages, and related product data.

Last updated 1 June 2026

01

Roles

For workspace content that a customer uploads, creates, or instructs StoryHQ to process, the workspace customer is generally the controller or business and StoryHQ acts as processor or service provider. For account administration, billing, security, product operations, and legal compliance, StoryHQ may act as an independent controller.

These roles may vary depending on the customer, jurisdiction, and any separate written agreement. This page describes StoryHQ’s baseline processing posture; customers that require a signed DPA, negotiated subprocessor notice, or jurisdiction-specific terms should request a reviewed written agreement before using StoryHQ for regulated or especially sensitive workflows.

02

Processing instructions

StoryHQ processes customer personal data to provide the service according to the customer’s use of the product, these policies, the subscription agreement, and any documented support or security instructions that StoryHQ accepts.

StoryHQ may refuse instructions that would require unlawful processing, compromise security, interfere with other customers, or require functionality the product does not currently support.

03

Data subjects and data categories

  • Users: names, email addresses, authentication details, workspace roles, account preferences, support messages, activity events, and billing-related identifiers.
  • Workspace participants and collaborators: names, email addresses, messages, invitations, roles, and activity metadata.
  • Creative material subjects: personal data that may appear inside uploaded scripts, books, articles, notes, decks, reports, messages, and generated outputs.
  • Operational records: IP-derived rate-limit data, device/browser context where collected by providers, logs, errors, job status, model-call metadata, and audit events.

04

Purpose of processing

StoryHQ processes data to authenticate users, provide workspace access, store and retrieve materials, run extraction and AI analysis, generate reports, development notes, scene breakdowns, cast lists, HOD lists, compare drafts, answer project Q chat, send transactional email, manage billing, support customers, prevent abuse, monitor reliability, track costs, and improve the service.

05

Subprocessors

StoryHQ uses subprocessors to host the app, store data, authenticate users, process payments, send email, run background jobs, provide observability, and perform AI processing. The current list is published on the Subprocessors page.

StoryHQ will update the Subprocessors page when material subprocessors are added or removed. Customers with negotiated notice requirements should rely on their written agreement.

06

Security measures

  • Workspace-scoped access controls and Supabase row-level security.
  • Private storage buckets and server-mediated access to material.
  • Per-session second-factor gates, authenticator-app MFA support, passkey recognition where enabled, recovery-code handling for MFA reset, and idle-session expiry.
  • Forensic PDF watermarking for served files.
  • Reader-role restrictions on downloads, report exports, and comparison exports.
  • Rate limiting, schema validation, audit events, webhook signature verification, server-side billing writes, and server-only service-role access.
  • Security response headers including CSP, HSTS, frame blocking, MIME sniffing protection, referrer policy, and permissions policy.
  • Use of established infrastructure providers for hosting, storage, payments, email, observability, and AI processing.

07

Assistance and deletion

StoryHQ will provide reasonable assistance, through product controls or support, for access, deletion, security, and data-subject requests that relate to customer personal data processed in StoryHQ.

When a workspace or account is deleted, StoryHQ deletes or schedules deletion of active product data where supported. Backups, logs, billing records, security records, provider records, and legal records may persist for a limited period.

08

Transfers and audits

StoryHQ and its subprocessors may process data internationally. Provider-specific transfer mechanisms and compliance terms apply through those providers.

StoryHQ does not currently publish SOC 2 or ISO 27001 audit reports. Enterprise customers that require security review should contact StoryHQ before uploading highly sensitive material.