When enterprise customers submit data through Writer, Writer is acting as a data processor following the customer's instructions, while the customer remains legally responsible for that data under privacy law.
This analysis describes what Writer's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This allocation of legal roles has significant implications for enterprise compliance teams: it means the enterprise customer bears primary obligations under GDPR for lawful basis, data subject rights, and privacy notices related to the data they submit to Writer.
Interpretive note: The precise scope of what constitutes 'Customer Data' versus other data categories processed by Writer may vary by contract and use case, affecting the boundaries of the controller/processor allocation.
Enterprise customers are responsible for ensuring their use of Writer complies with applicable privacy laws, including obtaining any necessary consents from employees or end users whose data is submitted to the platform.
How other platforms handle this
We collect and receive information as a data controller for our own purposes and as a data processor on behalf of our customers. When our customers use our products to process data about their end users and employees, we act as a data processor on their behalf. Our customers, as data controllers, de...
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
Monitoring
Writer has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"With respect to Customer Data that enterprise customers submit to Writer's Services, Writer acts as a data processor on behalf of the customer, who acts as the data controller. The customer is responsible for ensuring they have the appropriate rights and permissions to submit such data to Writer.— Excerpt from Writer's Writer Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28, which governs processor agreements and requires a written contract specifying the subject matter, duration, nature, and purpose of processing, as well as obligations and rights of the controller. UK GDPR contains equivalent requirements. The allocation of controller status to the enterprise customer places GDPR Articles 13 and 14 notice obligations, Article 6 lawful basis obligations, and Articles 15-22 data subject rights response obligations on the customer. GOVERNANCE EXPOSURE: High for enterprise customers. Organizations subject to GDPR or UK GDPR that deploy Writer must ensure a compliant DPA is in place, that their privacy notices cover processing by Writer as a sub-processor, and that they have documented their lawful basis for submitting employee or customer data to Writer's platform. Failure to do so creates direct regulatory exposure for the enterprise customer as controller. JURISDICTION FLAGS: EU and UK organizations face the highest exposure given GDPR Article 28 requirements. California CPRA-regulated businesses should ensure a service provider agreement is in place with Writer, as the CPRA imposes similar written agreement requirements for service providers. Canadian organizations under PIPEDA should assess whether outsourcing notification obligations apply. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams must obtain and execute Writer's DPA before submitting personal data to the platform. The DPA should specify sub-processor lists, breach notification timelines (GDPR requires 72-hour notification to supervisory authority), data deletion timelines, and audit rights. The policy's statement that the customer is responsible for having appropriate rights to submit data also creates potential indemnification exposure if data is submitted without proper authorization. COMPLIANCE CONSIDERATIONS: Organizations should update their data processing records of activities (GDPR Article 30) to include Writer as a processor, review and update privacy notices to reference Writer's processing, confirm DPA execution, and assess whether existing data subject consent or legitimate interest assessments cover the submission of data to Writer's platform.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This allocation of legal roles has significant implications for enterprise compliance teams: it means the enterprise customer bears primary obligations under GDPR for lawful basis, data subject rights, and privacy notices related to the data they submit to Writer.
Enterprise customers are responsible for ensuring their use of Writer complies with applicable privacy laws, including obtaining any necessary consents from employees or end users whose data is submitted to the platform.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Writer.