1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between:
- Customer — the entity or individual that registers for a ArtInStack Creator account and agrees to our Terms of Service (“you,” “Controller” where applicable); and
- ArtInStack (“we,” “us,” “Processor” where applicable),
collectively the “Parties.”
This DPA applies when we process personal data on your behalf in connection with the Services—for example, when you use the Platform to host a public site, operate a client portal, sell products to End Customers, or store client/project information.
When we process personal data for our own purposes (e.g., your account billing, marketing to you, product analytics on our marketing site, or compliance as platform operator), we act as an independent controller and our Privacy Policy applies—not this DPA.
2. Definitions
Capitalized terms not defined here have the meanings in the Terms or applicable data protection law.
- “Applicable Data Protection Law” means GDPR, UK GDPR, and similar laws that apply to the processing of personal data under this DPA.
- “Personal Data” means information relating to an identified or identifiable natural person.
- “End Customer” means a natural person who visits your site, uses your client portal, or purchases from you through the Services.
- “Subprocessor” means a third party we engage to process Personal Data on your behalf.
- “Services” means the ArtInStack products described in the Terms and documentation.
3. Roles and scope
3.1 When this DPA applies (Processor role)
We act as a Processor (or service provider under CCPA/CPRA) when we process Personal Data on your instructions through the Services, including:
| Processing activity | Examples of Personal Data | Data subjects |
|---|---|---|
| Hosting & delivery | Images, videos, files, pages, blog posts | End Customers, subjects in your content |
| Client portal | Email, name, access events, favorites, proofing selections | End Customers / clients |
| Commerce | Order email, shipping address, cart contents, payment references | End Customers |
| Courses & events | Enrollment, progress, registration details | Students / attendees |
| Team collaboration | Comments, assignments on your projects | Your team, clients |
| Email on your behalf | Messages you trigger to End Customers | End Customers |
You are the Controller for that processing unless you act as a processor for another party (e.g., agency), in which case you warrant you have authority to appoint us as subprocessor.
3.2 When we are Controller
We are Controller for: account registration and authentication; subscription billing to you; fraud prevention on the Platform; product improvement based on aggregated/de-identified data; and legal compliance related to our operation of the Platform. See the Privacy Policy.
4. Details of processing
Subject matter: Provision of the creative-business Platform (websites, portfolios, delivery, commerce, courses, team tools).
Duration: For the term of your account plus retention periods in Section 12.
Nature and purpose: Storage, organization, retrieval, transmission, display, backup, security, payment facilitation, fulfillment routing, and support as configured in your account.
Categories of data subjects: End Customers, your clients, subjects depicted in media (where identifiable), and your authorized users.
Types of Personal Data: Contact details, identifiers, order and delivery data, usage/logs tied to identities, content you upload, and technical metadata (including EXIF/location where present and not redacted by your settings).
Special categories: The Services are not designed for you to collect special-category data (health, biometric, etc.). You must not upload such data unless you have a lawful basis and appropriate safeguards; we do not actively monitor content for categories.
5. Your responsibilities (Controller)
You agree to:
- Lawful basis — Ensure a valid legal basis (or End Customer consent where required) for all Personal Data you submit to the Services.
- Transparency — Provide End Customers a privacy notice that accurately describes your practices and our role.
- Instructions — Configure the Services (visibility, portals, checkout, geo settings, cookies) consistent with your policies. Your use of account settings and published content constitutes documented instructions unless we agree otherwise in writing.
- Accuracy — Keep Personal Data accurate and relevant.
- Rights requests — Respond to End Customer requests (access, deletion, etc.) for data you control; we will assist per Section 10.
- Security — Maintain strong credentials, limit team access, and notify us promptly of suspected breaches affecting your account.
6. Our obligations (Processor)
We will:
- Process only on instructions — Process Personal Data only on your documented instructions as in Section 5, unless required by law (in which case we will inform you unless prohibited).
- Confidentiality — Ensure personnel authorized to process Personal Data are bound by confidentiality.
- Security — Implement appropriate technical and organizational measures (see Section 8).
- Subprocessors — Use Subprocessors only as permitted in Section 7.
- Assistance — Reasonably assist with data protection impact assessments and consultations with supervisory authorities where required, considering the nature of processing and information available to us.
- Deletion/return — Upon termination or your written request, delete or return Personal Data per Section 12, subject to legal retention.
- Audit information — Make available information necessary to demonstrate compliance and allow audits described in Section 11.
7. Subprocessors
7.1 Authorization
You provide general authorization for us to engage Subprocessors listed on our Subprocessor List. We remain responsible for Subprocessors’ performance of data protection obligations.
7.2 Changes
We will maintain an up-to-date Subprocessor List and provide notice of material changes as described on that page (typically 30 days before a new Subprocessor processes your End Customer data). You may object on reasonable grounds relating to data protection by contacting [email protected] within the notice period. If we cannot accommodate the objection, you may terminate the affected Services or your account as your sole remedy.
7.3 Flow-down
We impose data protection terms on Subprocessors that are substantially similar to this DPA for processor obligations.
8. Security measures
We maintain measures appropriate to risk, including as applicable:
- Encryption in transit (TLS) for data transmitted over public networks;
- Access controls and authentication for production systems;
- Logical separation of customer data in multi-tenant architecture;
- Backup and recovery procedures;
- Monitoring and incident response processes; and
- Vendor review for high-risk Subprocessors.
No security is perfect. You are responsible for credentials, team permissions, and configuration (e.g., public vs private albums, portal access codes).
Incident notification: If we become aware of a Personal Data breach affecting your End Customer data in our custody as Processor, we will notify you without undue delay and provide information reasonably available to help you meet your obligations. We will not notify End Customers on your behalf unless agreed or required by law.
9. International transfers
Personal Data may be processed in the United States and other countries where we or Subprocessors operate. Where Applicable Data Protection Law requires safeguards for transfers from the EEA/UK/Switzerland, we rely on:
- Standard Contractual Clauses (EU Commission 2021/914, as applicable), incorporated by reference and completed as follows:
- Module Two (Controller to Processor) applies to transfers from you (Controller) to us (Processor);
- Module Three (Processor to Processor) applies to transfers from us to Subprocessors where required;
- the UK International Data Transfer Addendum (where UK GDPR applies); and
- supplementary measures we reasonably implement where required by regulators.
[Counsel: attach executed SCC annex or link to downloadable PDF.]
Stripe and other payment/fulfillment providers may transfer data under their own compliance frameworks when they act as independent controllers or subprocessors in payment flows.
10. Data subject rights
We will promptly notify you if we receive a request from an End Customer to exercise rights under Applicable Data Protection Law, unless legally prohibited.
You are responsible for responding. We will provide reasonable assistance (e.g., export or deletion tools in the dashboard, or manual support for complex requests) at no additional fee for standard requests, or at agreed rates for excessive or repetitive requests.
Our Privacy Policy describes rights for your account data as our customer.
11. Audits
Upon written request no more than once per 12 months (unless required by a supervisory authority or after a material security incident), you may request information to verify our compliance with this DPA. We may satisfy this through:
- responses to a reasonable security questionnaire;
- summary of third-party certifications or audit reports (if available); or
- an onsite or remote audit under mutual NDA, scheduled in advance, during business hours, and not unreasonably disruptive.
If you require an onsite audit not covered above, you bear the cost unless we are in material breach.
12. Retention and deletion
During the term: We retain Personal Data processed on your behalf while your account is active and as needed to provide the Services.
After termination or deletion request:
- We will delete or anonymize End Customer and content data within [30–90] days after account deletion completes, except data we must retain by law or for legitimate legal claims (e.g., billing records, fraud prevention).
- Backups may persist for a limited period before overwrite.
- You should export data before deletion using available export tools.
Legal holds: We may retain data if required by law or governmental request.
13. Liability
Liability arising from this DPA is subject to the limitation of liability and indemnification provisions in the Terms of Service, except where Applicable Data Protection Law prohibits such limitation for Processor fines or direct damages mandated by law.
Each Party’s aggregate liability under this DPA follows the Terms unless a separate signed enterprise agreement states otherwise.
14. CCPA / CPRA (service provider terms)
To the extent the CCPA/CPRA applies, we act as your service provider for Personal Data we process on your behalf. We will not:
- Sell or share Personal Data (as defined by CPRA) for cross-context behavioral advertising;
- retain, use, or disclose Personal Data for any purpose other than providing the Services specified in the Terms and this DPA (and as permitted by CPRA for service providers); or
- combine Personal Data with data from other sources except as permitted for service providers.
You represent that you provide any required notice at collection and opt-out rights to California residents for your own practices.
15. Order of precedence
If there is a conflict between this DPA and the Terms regarding processing of End Customer Personal Data, this DPA controls. For all other matters, the Terms control.
A signed enterprise agreement or order form with custom data protection terms prevails over this web DPA for the signing customer.
16. Term and updates
This DPA is effective on the Effective date above and continues while you use the Services. We may update this DPA to reflect legal or product changes. Material changes will be posted with a new effective date and, where required, additional notice. Continued use after the effective date constitutes acceptance where permitted.
17. How to execute or request a signed copy
- Standard customers: Accepting the Terms incorporates this DPA by reference.
- Enterprise / agency / EU studio customers: Contact [email protected] for a countersigned PDF, custom SCC exhibit, or security questionnaire.
ArtInStack
DPA & privacy: [email protected]
