We use cookies

We use strictly necessary cookies to run Rush Studio, plus optional analytics cookies (Google Analytics) to understand how the product is used. You choose what we’re allowed to load. See our Privacy Policy.

Rush Studio
Overview
All featuresThe whole toolkit, on one page
What sets us apart
Seven things you won't find bolted onto a legacy TMS.
See all features →
Deep dives
Brand voiceTone & terms the AI follows
AutomationsLocalize on every PR
AI qualityScored & flagged before review
Catch broken layoutsPreview in the real UI
Pre-flight layout riskSpot overflow before you translate
ResonancePredict how each market reacts
Quality AutopilotAI quality that runs itself
LanguagesIntegrationsPricing
Overview
Early accessBe one of our first teams
Launching in 2027
Join early access and help shape Rush Studio.
Get early access →
By role
Technical writersDocs that translate on every PR
Marketing teamsCampaigns shipped in every market
Localization managersRun the whole pipeline from one screen
Product managersUI strings, in-app copy, release notes
Design opsFigma frames into 22 languages
BlogContact
  • English
  • Español
Sign inSign up
Legal · GDPR

GDPR & Data Processing Addendum

Last updatedMay 20, 2026·Questions?

How Rush Studio complies with GDPR, the UK GDPR, and equivalent regulations — including our sub-processor list, lawful bases, international transfer mechanisms, and standard DPA.

On this page
01Summary02Who's the controller, who's the processor03Lawful basis04Categories of personal data05Data subjects06Sub-processors07International transfers08Data subject rights09Data Processing Addendum (DPA)10Incident response11Security measures12Data Protection Officer
Related
→ Privacy Policy→ Terms of Service→ Contact us
01

Summary

This page consolidates everything Rush Studio does to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent data-protection laws elsewhere. It also serves as our standard Data Processing Addendum (DPA) — see section 9 for the contract terms.

If you need a signed DPA in PDF form, email privacy@rush-studio.com with your company details. Standard turnaround: 1 business day.
02

Who's the controller, who's the processor

Under GDPR terminology:

  • For your own account data (name, email, billing) — Rush Studio is the controller. We decide what data to collect and why.
  • For the content you put into Rush Studio (your files, segments, glossaries, TM) — Rush Studio is the processor. You're the controller; we act on your instructions.

This page covers both relationships. The contract terms in section 9 govern us as your processor.

03

Lawful basis

We rely on these GDPR Article 6 bases, depending on the activity:

  • Contract (Art. 6(1)(b)) — running the Service for you.
  • Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, product improvement, marketing to existing customers.
  • Consent (Art. 6(1)(a)) — optional features, prospect marketing.
  • Legal obligation (Art. 6(1)(c)) — tax, audit, regulatory.
04

Categories of personal data

Rush Studio handles the following categories of personal data:

  • Account data — name, work email, company, role, password hash, profile preferences.
  • Authentication data — login timestamps, IP, device, MFA tokens.
  • Customer content — files, segments, translation memory, glossaries, comments. May contain personal data depending on what you upload.
  • Usage data — feature usage, error reports, session duration.
  • Billing data — company name, billing address, VAT number, payment method (we don't store full card numbers; Stripe does).
  • Support data — emails and tickets you send to us.
05

Data subjects

The people whose personal data we may process include:

  • Your team — colleagues you invite to your workspace.
  • Your reviewers and translators — freelancers or agencies you assign work to.
  • Individuals named in your content — anyone mentioned in files you upload (employees, customers, third parties).

If you upload content containing personal data, you are responsible for ensuring you have a lawful basis to share it with us. We process it under your instructions, per the DPA.

06

Sub-processors

We use the following sub-processors to deliver the Service. We have a written data-processing agreement with each one. We give 30 days' notice before adding or replacing any of them; you can object via privacy@rush-studio.com.

Sub-processorPurposeLocation
Amazon Web Services (AWS)Cloud hosting, primary infrastructureFrankfurt, DE · Dublin, IE
CloudflareCDN, DDoS protection, edge cachingGlobal
StripePayment processingDublin, IE
PostmarkTransactional email deliveryBoston, US
LinearInternal issue tracking (no customer data)San Francisco, US
DeepLAI machine translation (selected languages)Cologne, DE
Google Cloud TranslationAI machine translationEU + US regions
OpenAIAI translation, quality estimation, reader-resonance analysisSan Francisco, US
Microsoft Azure Cognitive ServicesDocument OCR (text extraction from uploads)EU region

For AI sub-processors specifically: we send the segment being processed and the limited context the task needs — neighbouring segments for continuity, your glossary terms, and your brand-voice / tone settings. We never send account, billing, or authentication data. Requests to OpenAI are sent with storage disabled (store: false) so they are not retained for model training or evaluation; customers on our Scale plan can additionally request an account-level Zero Data Retention agreement. DeepL and Google process content under their standard no-training business terms.

07

International transfers

Primary data storage stays in the European Union. Some sub-processors (notably US-based AI providers and our email delivery service) involve transferring personal data outside the EU/UK.

For these transfers we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, with the 2021 revisions.
  • UK International Data Transfer Addendum for UK-origin data.
  • EU-US Data Privacy Framework for sub-processors certified under it (currently AWS, OpenAI, Google).

Transfer impact assessments are available under NDA — email privacy@rush-studio.com.

08

Data subject rights

Under GDPR, individuals have the right to access, rectify, erase, restrict, port, and object to processing of their personal data, plus the right to withdraw consent and to lodge a complaint with a supervisory authority.

If you're our direct customer: most rights are exercisable from your account settings. For anything else, email privacy@rush-studio.com; we respond within 30 days.

If you're not our customer but your data is in a customer's workspace: we'll route your request to the relevant customer (the controller). Their privacy policy will apply.

09

Data Processing Addendum (DPA)

This section is our standard DPA, which forms part of your Terms of Service when you use Rush Studio with personal data.

9.1 Scope. We act as a processor on your behalf in respect of the customer content you upload to the Service. We process that content only on your documented instructions, as set out in these Terms and the Service's documentation.

9.2 Confidentiality. We ensure that personnel authorized to process your data are bound by confidentiality obligations.

9.3 Security. We implement the technical and organizational measures described in section 11, which we consider appropriate to the risk.

9.4 Sub-processors. You give us general authorization to engage sub-processors. The current list is in section 6. We will give 30 days' notice before changes and impose equivalent obligations on each sub-processor.

9.5 Data subject requests. We will assist you in responding to data subject requests, taking into account the nature of the processing. We will forward to you any request we receive directly that relates to your content.

9.6 Incidents. We will notify you of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of it. See section 10.

9.7 Audits. Once per year, you may audit our compliance with this DPA, subject to reasonable notice and confidentiality. SOC 2 and similar reports are accepted in lieu of on-site audit for most cases.

9.8 Return / deletion. On termination, we will delete or return your customer content within 30 days, subject to retention required by law.

9.9 International transfers. Where transfers outside the EEA occur, the SCCs in the EU Commission Implementing Decision 2021/914 apply, with the modules and options indicated in our standard DPA exhibit. Request the exhibit for the formal copy.

10

Incident response

If a security incident affects your data, we notify the affected customers without undue delay, and in any case within 72 hours of becoming aware of it. The notice includes:

  • The nature of the incident and the categories of data affected.
  • The approximate number of data subjects affected.
  • The likely consequences.
  • The measures we've taken or propose to mitigate it.
  • The contact at Rush Studio you can ask follow-up questions of.

Major incidents are also disclosed publicly on our status page within 24 hours.

11

Security measures

Our technical and organizational measures include (non-exhaustive):

  • TLS 1.3 encryption in transit; AES-256 at rest.
  • Role-based access control with least-privilege defaults.
  • Mandatory MFA for all production access.
  • Centralized audit logging, retained for 13 months.
  • Annual penetration test by an external vendor (latest report available under NDA).
  • SOC 2 Type II certified, ISO 27001 in progress.
  • Daily encrypted backups with cross-region replication, 30-day point-in-time recovery.
  • Quarterly disaster recovery drills.
  • Security training for all employees on hire and annually.
12

Data Protection Officer

Rush Studio has appointed a Data Protection Officer (DPO) as required by GDPR Article 37 (we handle personal data at scale and so are required to appoint one).

DPO: Pedro Almeida
Email: privacy@rush-studio.com
Postal: Rush Studio Ltd., 12 Hatton Garden, London EC1N 8AT, UK

Our EU representative under GDPR Article 27 is appointed in Berlin, contactable via the same DPO email.

●
End of document.

If anything here is unclear, tell us — we'll rewrite it in the next revision.

Rush Studio

One translation dashboard for the whole localization pipeline. From upload to delivery, in 100+ languages.

Product
  • Dashboard
  • Features
  • Languages
  • Integrations
  • Pricing
Company
  • About
  • Customers
  • Careers
  • Contact
Resources
  • Blog
  • Docs
  • Changelog
  • Security
  • AI & data
  • Status
© 2026 Rush Studio Ltd.Privacy · Terms · DPA · AI & data