Data Processing Addendum
This Data Processing Addendum (the Addendum) forms part of the Buzzscribed Terms of Use (and any ancillary or related documentation), as updated or amended from time to time (the Agreement), between you, the Customer (as defined below) and Buzzscribed. All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.
This Addendum only applies if and to the extent Buzzscribed processes personal data on behalf of a Customer that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below). If the Customer had entered into earlier data processing terms with Buzzscribed, those terms are replaced by this Addendum.
1. Data Protection
1.1 Definitions
In this Addendum, the following terms have the following meanings:
a) controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law
b) Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and/or the UK General Data Protection Regulation (the UK GDPR) and any EU Member State and/or UK laws made under or pursuant to the GDPR and/or UK GDPR, and/or the Australian Privacy Act 1988 (Cth)
c) Customer has the same meaning as 'you' in the Buzzscribed Terms of Use
1.2 Relationship of the Parties
The Customer (the controller) appoints Buzzscribed as a processor to process the personal data described in Annex A (the Data) only on the controller's documented instructions (and as per the terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it under Applicable Data Protection Law.
1.3 Prohibited Data
Unless explicitly requested by Buzzscribed to do so, the Customer will not disclose (and will not permit any data subject to disclose) any special categories of personal data to Buzzscribed for processing.
1.4 International Transfers
Buzzscribed will not transfer the Data outside of the European Economic Area (EEA) nor the United Kingdom (UK) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission and/or the UK Secretary of State (as applicable) has decided provides adequate protection for personal data (an Adequate Country), or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission and/or UK Secretary of State or UK Information Commissioner (as applicable). The Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (EU SCCs) and the UK International Data Transfer Agreement (UK IDTA) are incorporated into this Addendum by reference and shall apply where the Data is transferred to a recipient outside an Adequate Country. Module Two (Controller to Processor) of the EU SCCs applies with Buzzscribed as data importer. To this end, you authorise Buzzscribed to enter into standard contractual clauses as your agent and on your behalf with any recipient of Data who is not located in an Adequate Country where this is necessary for compliance with Applicable Data Protection Law.
1.5 Confidentiality of Processing
Buzzscribed will ensure that any person it authorises to process the Data (an Authorised Person) will protect the Data in accordance with Buzzscribed's confidentiality obligations under the Agreement.
1.6 Security
Buzzscribed will implement technical and organisational measures, as set out in Annex C, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident).
1.7 Subcontracting
The Customer consents to Buzzscribed engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:
(i) Buzzscribed maintains an up-to-date list of its subprocessors, which is available in Annex B, which it will update with details of any change in subprocessors at least 30 days prior to the change;
(ii) Buzzscribed imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and
(iii) Buzzscribed remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor.
The Customer may object to Buzzscribed's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Buzzscribed will either not appoint or replace the subprocessor or, if Buzzscribed determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).
1.8 Cooperation and Data Subjects' Rights
Buzzscribed will provide reasonable and timely assistance to the Customer (at the Customer's expense) to enable the Customer to respond to:
(i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.
If any such request, correspondence, enquiry or complaint is made directly to Buzzscribed, Buzzscribed will promptly inform the Customer, providing full details.
1.9 Data Protection Impact Assessment
If Buzzscribed believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
1.10 Security Incidents
If it becomes aware of a confirmed Security Incident, Buzzscribed will inform the Customer without undue delay and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Buzzscribed will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident.
1.11 Deletion or Return of Data
Buzzscribed may retain the Data for a period of 90 days after a subscription is terminated in case the Customer later needs access to it. On expiry of this period or on the Customer's earlier request, Buzzscribed will delete or return the Data in a manner and form decided by Buzzscribed, acting reasonably. This requirement will not apply to the extent that Buzzscribed is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Buzzscribed shall securely isolate and protect from any further processing.
1.12 Audit Rights
Buzzscribed will make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with this Addendum and Applicable Data Protection Law, and will allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice (not less than 30 days), confidentiality obligations, and scope limitations to protect other customers' data. Such audits will be conducted during normal business hours and will not unreasonably interfere with Buzzscribed's operations.
1.13 Processing Instructions
Buzzscribed will process the Data only on the documented instructions of the Customer, unless required to do so by applicable law, in which case Buzzscribed will inform the Customer of that legal requirement before processing (unless prohibited from doing so by law). If Buzzscribed believes that an instruction from the Customer infringes Applicable Data Protection Law, Buzzscribed will promptly inform the Customer and will not be required to comply with that instruction until the Customer confirms it or modifies it.
Annex A - Data Processing Details
1. Subject Matter and Duration of Processing
The subject matter of personal data to be processed is that of the contacts of the Customer entered by or at the election of the Customer into the Buzzscribed platform.
The duration of processing personal data shall be for as long as we have a business relationship with the Customer, and at the end of that relationship, we will act in accordance with clause 1.11 regarding deletion or return of such personal data.
2. Nature and Purpose of Processing
The nature and purpose of processing personal data is to enable the functionality of the Buzzscribed Platform as set out in the Agreement and related documentation.
3. Types of Personal Data Processed
The types of personal data processed include:
- Names
- Addresses
- Contact details (email, phone)
- Professional information (job title, organisation)
- Other personal data types entered by the Customer for use on the Buzzscribed platform
4. Categories of Data Subjects
The categories of data subjects include:
- Journalists and media professionals
- Suppliers and service providers of Customer
- Customers and clients of Customer
- Employees and contractors of Customer
- Spokespersons and talent
- Other contacts of the Customer
Annex B - Buzzscribed Subprocessors
We use third-party subprocessors to help provide services. They process data you input, which may include personal data.
Third Parties
We use the following third-party subprocessors to help us provide our services to you. These subprocessors process data that you input into the services, which may include personal data.
| Subprocessor |
Service |
Location | Transfer Mechanism |
| Microsoft Azure |
Cloud infrastructure and hosting |
Australia (Sydney) |
N/A (domestic) |
| SendGrid (Twilio) |
Transactional email delivery |
United States |
EU SCCs + DPF |
| Stripe, Inc. |
Payment processing |
United States |
EU SCCs + DPF |
| Google Analytics |
Website usage analytics |
United States |
EU SCCs + DPF |
| OpenAI |
AI features (optional, subscriber-enabled) |
United States |
EU SCCs + DPF |
OpenAI processes data only when AI features are actively used by the subscriber. Data sent includes text content for analysis and summarisation only. OpenAI's API terms prohibit use of API inputs for model training. Data is not retained by OpenAI beyond the processing request. Google Analytics is used on public-facing website pages only and does not process personal data entered by subscribers into the platform.
Standard Contractual Clauses are in place with all US-based subprocessors for the transfer of personal data from the EEA and UK.
For the most current list of subprocessors, please contact privacy@buzzscribed.com.
Last updated: February 2026 | Version 1.1
Annex C - Technical and Organisational Security Measures
Buzzscribed implements the following technical and organisational measures to protect personal data:
- Encryption in transit: All data transmitted between users and our platform is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored on Microsoft Azure is encrypted at rest using AES-256 encryption.
- Access controls: Role-based access controls limit data access to authorised personnel only. Multi-factor authentication is required for administrative access.
- Backups: Automated daily backups with point-in-time restore capability. Backups are encrypted and stored in a geographically separate Azure region.
- Incident response: Documented incident response procedures with defined roles and escalation paths.
- Security reviews: Annual review of security measures and controls.
- Staff training: All personnel with access to personal data receive data protection training.
- Network security: Azure Web Application Firewall, DDoS protection, and intrusion detection systems.
Last updated: February 2026 | Version 1.1