Legal
Data Processing Addendum
Last updated: 2025-01-01. This template is provided for review and must be countersigned for it to be enforceable. Email legal@unifysheets.com for an executable copy.
1. Definitions
"Customer" means the entity that has accepted UnifySheets' Terms of Service. "Personal Data", "Processing", "Controller" and "Processor" have the meanings given to them by the GDPR (EU 2016/679) and equivalent laws.
2. Roles and scope
The Customer acts as Controller, and UnifySheets acts as Processor with respect to Personal Data submitted to the Service. UnifySheets will Process Personal Data only on documented instructions from the Controller, including with regard to international transfers.
3. Categories of data
Account data: email, name, hashed authentication identifiers, subscription status. Operational metadata: file name, sheet name, column headers, row/column counts, mapping configurations. UnifySheets does not store the contents of spreadsheets you upload — files are parsed in your browser and never persisted server-side.
4. Subprocessors
UnifySheets relies on the subprocessors listed at /legal/subprocessors. Customer authorises the use of those subprocessors and will be notified of any new addition with at least 30 days' notice.
5. Security
UnifySheets implements industry-standard technical and organisational measures: row-level security on all customer-scoped tables, encryption in transit (TLS 1.2+), encryption at rest (managed by Supabase), least privilege access controls, and a strict CSP. Spreadsheet contents are processed entirely client-side and are never written to disk on our infrastructure.
6. Sub-processing chain for AI
When the Customer triggers the AI mapping feature, UnifySheets sends a minimal payload to Anthropic (column headers, file names, and at most three sample rows per file). No row data beyond the sample is transmitted. Anthropic acts as a sub-processor under their own DPA.
7. International transfers
Where Personal Data is transferred outside the EEA/UK, UnifySheets and its subprocessors rely on Standard Contractual Clauses (2021/914) as the transfer mechanism.
8. Data subject rights
UnifySheets will promptly notify Customer of any data subject request received directly and will provide reasonable assistance in fulfilling such requests. Customers can self-serve account deletion via the Settings page; mappings and merge logs are removed within 30 days.
9. Breach notification
UnifySheets will notify Customer without undue delay, and in any event within 72 hours, of any confirmed Personal Data Breach affecting the Customer's data.
10. Return / deletion
On termination, UnifySheets will delete all Personal Data within 60 days, except as required to comply with legal obligations (e.g. tax records).