Data Processing Addendum
Effective date:
This Data Processing Addendum ("DPA") forms part of the StudioFlow Terms of Service and applies whenever StudioFlow processes personal data of a photographer's clients on the photographer's behalf. It is written to satisfy Article 28 GDPR and equivalent provisions of UK GDPR and the CCPA/CPRA (where StudioFlow acts as a "service provider").
1. Roles
- The photographer (you) is the controller of the personal data of their clients, leads, and gallery recipients ("Client Data").
- StudioFlow is the processor, processing Client Data only on your documented instructions — which are, in the first instance, your use of the product's features.
- For your own account data (your name, email, billing), StudioFlow is an independent controller under the Privacy Policy.
2. Scope of processing
| Item | Description |
|---|---|
| Subject matter | Operation of the StudioFlow client-management platform. |
| Duration | The term of your subscription plus the deletion window (90 days). |
| Nature & purpose | Hosting, storage, transmission, display, backup, and (where you invoke AI features) automated drafting — solely to provide the service. |
| Categories of data | Contact details, household/booking records, communications, contracts, invoices, photographs and gallery files, favorites and download activity. |
| Data subjects | Your clients, leads, gallery recipients, and people appearing in photographs (which may include minors, under consents you obtain). |
3. Our obligations as processor
- Process Client Data only on your instructions, and tell you if an instruction appears to violate data-protection law.
- Ensure persons authorized to process Client Data are bound by confidentiality.
- Implement the technical and organizational measures in Section 5.
- Assist you, taking into account the nature of processing, with data-subject requests (access, erasure, portability, etc.) and with your obligations on security, breach notification, and impact assessments.
- Notify you without undue delay after becoming aware of a personal-data breach affecting Client Data.
- Delete or return Client Data at the end of the service, then delete remaining copies within 90 days unless law requires retention.
- Make available information necessary to demonstrate compliance, and allow audits as described in Section 7.
4. Subprocessors and flow-down
You authorize the subprocessors listed at /legal/subprocessors. We impose data-protection obligations on every subprocessor that are no less protective than this DPA (flow-down), and we remain fully liable to you for their performance. We will give at least 30 days' notice (by email to account owners) before adding or replacing a subprocessor; if you object on reasonable data-protection grounds and we cannot resolve it, you may terminate the affected service and receive a pro-rated refund of prepaid fees.
5. Security measures
- Encryption in transit (TLS 1.2+) and at rest (provider-level AES-256).
- Role-scoped access controls; production access limited to authorized personnel on a need-to-know basis, with logging.
- Continuous database backups with point-in-time recovery (via Neon).
- Network and application-level protections: rate limiting, CSRF protection, vulnerability patching.
- Vendor security reviews for all subprocessors. SOC 2 is in progress (see Security).
6. International transfers
Where Client Data is transferred outside the EEA/UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller-to-processor), which are incorporated by reference, supplemented by the UK Addendum where applicable.
7. Audits
We satisfy audit requests first through documentation (this DPA, the subprocessor list, security summaries, and third-party reports when available). Where law gives you a broader audit right, audits require 30 days' notice, occur at most annually, and must not compromise other customers' data.
8. CCPA service-provider terms
To the extent the CCPA/CPRA applies, StudioFlow acts as your service provider: we do not sell or share Client Data, do not retain or use it outside our business relationship, and certify that we understand these restrictions.
9. Precedence and contact
If this DPA conflicts with the Terms, this DPA prevails for data-protection matters. Questions and breach reports: support@studioflow.1labs.app.
Draft — pending legal review.