Scope

This Data Processing Agreement ("DPA") forms part of the FactCircles Terms of Service and applies whenever FactCircles processes personal data on your behalf as a data processor under applicable data protection law, including the GDPR and UK GDPR.

1. Definitions

Controller means the organisation or individual who determines the purposes and means of processing personal data (typically the session organiser or the company deploying FactCircles for its team).

Processor means FactCircles Inc., which processes personal data on behalf of the Controller.

Personal Data means any information relating to an identified or identifiable natural person as defined under applicable data protection law.

Sub-Processor means any third party engaged by FactCircles to process personal data on the Controller's behalf.

2. Scope of processing

FactCircles processes the following categories of personal data on behalf of the Controller:

  • Participant email addresses and display names.
  • Session content — written responses submitted during the Questions phase.
  • Session metadata — phase timestamps, participant status, outcome documents.
  • Payment records (Stripe customer ID, invoice status).

Processing is conducted for the sole purpose of delivering the conflict resolution facilitation service as described in the Terms of Service.

3. Instructions

FactCircles processes personal data only on documented instructions from the Controller. Use of the platform constitutes such an instruction. FactCircles will inform the Controller if it believes any instruction infringes applicable data protection law.

4. Confidentiality

FactCircles ensures that persons authorised to process personal data are subject to appropriate confidentiality obligations.

5. Sub-processors

FactCircles uses the following sub-processors:

  • xAI (Grok API) — processes session content to generate facilitator prompts and resolution summaries. Location: United States.
  • Stripe, Inc. — processes payment data. Location: United States. PCI DSS Level 1 certified.
  • Cloud infrastructure provider — hosts the FactCircles backend and database. Location: United States (primary) with EU region available on request.

FactCircles will notify the Controller of any intended changes to sub-processors, giving reasonable opportunity to object. Sub-processors are bound by data processing agreements that provide protections equivalent to those in this DPA.

6. Security measures

FactCircles implements the technical and organisational measures described on the Security page, including TLS 1.3 in transit, AES-256 at rest, access controls with MFA, and incident response procedures.

7. Data subject rights

FactCircles will assist the Controller in fulfilling data subject access, rectification, deletion, portability, and objection requests to the extent technically feasible. Requests should be directed to privacy@factcircles.app.

8. Data breach notification

FactCircles will notify the Controller without undue delay — and in any event within 72 hours — upon becoming aware of a personal data breach affecting data processed under this DPA.

9. Deletion and return

Upon termination of the service or on request, FactCircles will delete or return all personal data processed under this DPA, unless retention is required by applicable law.

10. International transfers

Where personal data is transferred outside the EEA, FactCircles relies on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism. A copy of the SCCs can be provided on request.

11. Audit rights

FactCircles will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits conducted by the Controller or an appointed third party, subject to reasonable notice and confidentiality obligations.

12. Contact

For DPA-related enquiries: privacy@factcircles.app