Data Processing Agreement

1. Subject Matter and Duration

The Processor provides hosting and collaboration services for immersive audio projects (“THE SERVICE”). In doing so, the Processor may process personal data on behalf of the Controller.

Processing shall take place for the duration of the contractual relationship under the Terms and until deletion in accordance with the retention periods defined in the Privacy Policy.

2. Nature and Purpose of Processing

Processing may include:

• Storage of user account data
• Authentication and access management
• Hosting of project-related content
• Logging of access and activity
• Transmission of transactional emails
• Technical error monitoring

The purpose of processing is to provide and maintain THE SERVICE.

3. Types of Personal Data

Depending on usage, the following categories may be processed:

• Names
• Email addresses
• Login credentials
• IP addresses
• Access logs
• Communication data
• Project-related content uploaded by the Controller

The Processor does not independently determine the content of uploaded data.

4. Categories of Data Subjects

Data subjects may include:

• Employees or contractors of the Controller
• Invited authorized users
• Clients, musicians, producers, or other collaborators
• Website visitors

5. Obligations of the Controller

The Controller shall:

• Ensure lawful collection of personal data
• Ensure that processing is based on a valid legal ground
• Provide necessary privacy information to data subjects
• Not upload unlawful content

The Controller remains solely responsible for the content uploaded to THE SERVICE.

6. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions of the Controller
• Ensure confidentiality of persons authorized to process data
• Implement appropriate technical and organizational measures (TOMs)
• Assist the Controller in responding to data subject requests where required
• Notify the Controller without undue delay in case of a personal data breach

7. Technical and Organizational Measures (TOMs)

The Processor implements appropriate measures including:

• Encrypted HTTPS connections
• Role-based access control
• Authentication via secure tokens
• Infrastructure-level security measures
• Server-side logging and monitoring
• Regular security updates

No internet-based system can be guaranteed to be completely secure.

8. Sub-Processors

The Controller authorizes the use of the following sub-processors:

• Cloudflare (infrastructure and CDN services)
• Supabase (authentication and database services)
• Resend (transactional email delivery)
• Payment providers (e.g., Stripe)
• Error monitoring providers (if used)

The Processor shall ensure that sub-processors are contractually bound to appropriate data protection obligations.

The Processor may add or replace sub-processors provided that equivalent safeguards are maintained.

9. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), such transfers shall be based on:

• Adequacy decisions of the European Commission, or
• Standard Contractual Clauses (SCCs), or
• Other lawful transfer mechanisms

10. Assistance and Audits

The Processor shall provide reasonable information necessary to demonstrate compliance with this DPA.

Formal audits shall be limited to what is reasonable and proportionate, taking into account the size and nature of THE SERVICE.

11. Data Return and Deletion

Upon termination of the contractual relationship, personal data shall be deleted in accordance with the retention periods defined in the Privacy Policy.

Restoration after deletion is not guaranteed.

12. Liability

Liability under this DPA shall be governed by the limitation of liability provisions set forth in the Terms and Conditions.

13. Final Provisions

In case of conflict between this DPA and the Terms, this DPA shall prevail with regard to data protection matters.

By accepting the Terms and Conditions, the Controller also accepts this DPA.