Data Processing Addendum

Last updated July 13, 2026

When Epitaph LLC processes your organization’s Personal Data to provide Scribe, we act as your processor (service provider). Our Data Processing Addendum ("DPA") sets out the data-protection commitments that apply. This page summarizes it and offers a pre-filled template to sign.

Download the DPA

Download the DPA template, complete your organization’s details in Section 1, sign, and return a copy to legal@epitaph.llc. We will countersign and send an executed copy back.

Download DPA (PDF)

What the DPA covers

  • Roles and scope — you are the controller of Customer Data; we process it only on your instructions to provide the Service, and we do not sell or share it.
  • Processing details — the categories of data subjects and Personal Data (including OSHA injury/illness fields and limited health information), and the subject matter and duration of processing.
  • Confidentiality — personnel are bound to confidentiality and least-privilege access.
  • Security measures annex — the technical and organizational measures we maintain, mirroring our Security overview.
  • Subprocessors — our authorized subprocessor list by reference, with an opportunity to object to new ones.
  • Breach notification — notice of a personal data breach affecting your data without undue delay, targeting within 72 hours.
  • Return and deletion — a 30-day post-termination export window, then deletion in the ordinary course, subject to legal-retention duties.
  • U.S.-only processing — Customer Data is processed and stored in the United States.

Questions

To ask about the DPA or request changes for an enterprise agreement, contact us at legal@epitaph.llc.