SongCraft
AI · Lyric Studio

Data Processing Agreement

This page summarises SongCraft's standard DPA. Enterprise customers can request a fully-executed DPA on company letterhead from privacy@songcraft.app.

1. Roles

Customer is the data controller. SongCraft is the data processor for personal data processed on customer's behalf within the studio.

2. Scope of processing

  • Subject matter: AI-assisted lyric writing & arrangement.
  • Duration: for the term of customer's subscription, plus a 30-day deletion window.
  • Nature & purpose: hosting, AI inference, payment processing.
  • Categories of data subjects: customer's authorised users.
  • Categories of personal data: account identifiers, lyrics, chat transcripts, billing data.

3. Sub-processors

See the up-to-date list on the GDPR page. We notify customers of new sub-processors at least 30 days in advance.

4. Security measures (Annex II)

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Row-level security on all tenant data.
  • Least-privilege access; production access logged.
  • Routine vulnerability scans and dependency updates.
  • Incident response: critical breach notification within 72 hours.

5. International transfers

Standard Contractual Clauses (Module 2) apply where personal data is transferred outside the EEA/UK.

6. Audit rights

Customers may request our SOC 2 / ISO summaries (when available) and compliance attestations once per year, free of charge.

7. Sign a custom DPA

For an executed DPA, email privacy@songcraft.app with your company details. We typically return a signed PDF within 3 business days.

Last updated: June 2026