Overview
At Dictionary, we recognize that trust is foundational to our relationship with you. This page outlines our Data Processing Agreement (DPA), compliance frameworks, security architecture, and data governance practices. Whether you are an individual user or an enterprise organization, our commitment to data protection remains unwavering.
Acceptance of Terms: By using Dictionary's services or API, you acknowledge and agree to the terms outlined in this document and our accompanying Privacy Policy.
Data Processing Agreement (DPA) Terms
Our DPA governs how we process personal data on behalf of our customers. It aligns with global data protection regulations and establishes clear responsibilities for both parties.
Key Provisions
- Roles & Responsibilities: Dictionary acts as a Data Processor for customer-provided data. Customers retain ownership and controller status.
- Lawful Basis: Processing is conducted under contractual necessity and legitimate interest, with explicit consent where required.
- Processing Instructions: We process data strictly according to documented instructions provided by the controller or as mandated by law.
- Confidentiality: All personnel with access to personal data are bound by strict confidentiality obligations and undergo regular security training.
- Subprocessors: Any third-party subprocessors are vetted, contractually bound, and disclosed in our Subprocessor List.
Compliance Frameworks & Certifications
Dictionary undergoes regular third-party audits and maintains compliance with internationally recognized standards. Our security posture is continuously evaluated against evolving threats and regulatory requirements.
GDPR (EU/UK)
Full compliance with EU General Data Protection Regulation and UK Data Protection Act 2018.
CCPA / CPRA
Adherence to California Consumer Privacy Act and California Privacy Rights Act requirements.
SOC 2 Type II
Independently audited for Security, Availability, and Confidentiality controls.
ISO 27001:2022
Information Security Management System (ISMS) certified by accredited bodies.
NIST CSF 2.0
Security controls mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.
DEPA Ready
Preparing for EU Data Act compliance with cross-border data portability features.
Security Architecture & Measures
We employ a defense-in-depth strategy, combining modern infrastructure, rigorous access controls, and continuous monitoring to safeguard your data.
- Encryption: AES-256 at rest; TLS 1.3 in transit. Customer keys (BYOK) available on Enterprise plans.
- Access Control: Role-based access control (RBAC), multi-factor authentication (MFA), and just-in-time privileged access.
- Infrastructure: Hosted on AWS GovCloud & EU regions with SOC 2/ISO 27001 compliant data centers.
- Monitoring & Detection: 24/7 SIEM, automated threat detection, and anomaly-based alerting.
- Penetration Testing: Quarterly third-party penetration tests and annual red team exercises.
- Vulnerability Management: Automated patching, CVE tracking, and strict SBOM (Software Bill of Materials) compliance.
Data Lifecycle & Retention
We maintain strict data minimization and retention policies. Personal data is never retained longer than necessary to fulfill the service purpose or comply with legal obligations.
| Data Type | Purpose | Retention Period | Deletion Trigger |
|---|---|---|---|
| Search Queries | Service delivery & analytics | 90 days (anonymized after) | Account deletion / expiry |
| API Keys & Auth Logs | Security & access management | 12 months | Key revocation |
| Billing Information | Payment processing | 7 years (tax compliance) | Account closure + statutory period |
| Support Tickets | Customer service resolution | 24 months post-resolution | Automatic archival & deletion |
Customers may request data export or deletion at any time via the dashboard or by contacting our Privacy Office. Enterprise customers can configure custom retention policies aligned with internal governance requirements.
Subprocessors & Third-Party Transfers
Dictionary relies on vetted third-party services to operate efficiently. All subprocessors are contractually obligated to meet the same security and privacy standards outlined in this DPA.
| Subprocessor | Service Category | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure & Hosting | US East, EU (Frankfurt/Ireland) |
| Stripe | Payment Processing | US, EU |
| Auth0 | Identity & Access Management | US, EU |
| Twilio | Communication & Notifications | US, EU |
International Transfers: Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary technical measures (encryption, pseudonymization) to ensure equivalent protection.
Breach Notification & Incident Response
In the event of a confirmed personal data breach affecting customers, Dictionary, acting as processor, will notify the customer's Data Protection Officer or designated contact without undue delay, and in any case within 72 hours of becoming aware of the breach. This reflects GDPR Article 33: Article 33(2) requires a processor to notify the controller without undue delay, and the 72-hour deadline in Article 33(1) governs the controller's own notification to the supervisory authority, so prompt notice from us is what allows customers to meet that deadline. Our incident response team follows a documented playbook including containment, forensic analysis, regulatory reporting, and customer communication.
Compliance & Privacy Inquiries
For questions regarding this DPA, data subject requests, security assessments, or enterprise compliance requirements, please contact our Privacy & Compliance team.
Reach the Privacy Office
We typically respond to compliance inquiries within 1-2 business days.
✉️ privacy@dictionary.com
Physical Address: Dictionary Inc., 100 Language Way, Suite 400, San Francisco, CA 94105, USA