DATA PROCESSING AGREEMENT
This Data Processing Agreement and its Appendixes (“DPA”) is incorporated into and forms part of the Terms of Service available at https://www.creatopy.com/legal-information/terms-of-service/, as applicable, and as may be updated from time to time (the “Agreement”) between CREATOPY INC., a Delaware corporation having its business address at 490 Post St Ste 500 PMB 2080 San Francisco, CA 94102, United States, including its affiliates (collectively, “Creatopy,” “we,” “us,” or “our”) and the entity or person(s) identified as customer in the relevant customer account or any written agreement (“Customer”).
In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency.
Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
This DPA applies where and to the extent that Creatopy is acting as a Processor or Service Provider (as applicable) of Personal Data on behalf of Customer under the Agreement.
1. DEFINITIONS
(a) “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable: (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); Virginia Consumer Data Protection Act of 2021 (the “VCDPA”); Colorado Privacy Act (the “CPA”) as well as any other similar state law governing the processing of Personal Data (as they become effective, collectively the “U.S. State Privacy Laws”); (ii) Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Data Protection Act (“Swiss FADP”); and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), collectively (“European Privacy Laws”); (iii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Laws”); (iv) the New Zealand Privacy Act 2020; (v) the Philippines Republic Act No. 10173; (vi) the Brazilian Data Protection Law (Brazil) No. 13,709/2018 (Portuguese: Lei Geral de Proteção de Dados Pessoais) (the “LGPD”). For the avoidance of doubt, if Creatopy’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
(b) “Data Subject” means an identified or identifiable individual whose Personal Data is processed.
(c) “Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Service pursuant to the Agreement, but have not signed their own separate agreement with Creatopy and are not a “Customer” as defined under the Agreement.
(d) “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as “personal data,” “personal information,” “personally identifiable information,” and similar terms under the applicable Data Privacy Laws, that is Processed in relation to the Agreement.
(e) “Personal Data Breach” means a breach of Creatopy’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.
(f) “SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
(g) The terms “Controller”, “Processor”, “Data Subject” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “process”, “processes” and “processed” shall be interpreted accordingly) and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.
(h) “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 12 April 2023 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), as may be amended, superseded or replaced from time to time.
(i) Any capitalised terms used but not defined in this DPA shall have the meanings given to them under the Agreement.
2. DATA PROCESSING
Roles of the Parties. With regard to the processing of Personal Data provided by Customer (“Customer Personal Data”) for the provision of the Service, Creatopy is the Processor and Customer is the Controller. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider,” as those terms are defined in the CCPA and other Data Privacy Laws.
Where the terms “Controller” and “Processor” are not explicitly defined under applicable Data Privacy Laws, the parties agree that their respective obligations under this DPA shall be interpreted in a manner that best aligns with the intended scope of those roles, while ensuring full compliance with the applicable Data Privacy Laws.
Instructions. Creatopy will process Personal Data only in accordance with documented instructions from the Customer and only as necessary to perform its obligations under the Agreement (including for its own commercial purpose). Creatopy shall promptly inform the Customer if it becomes aware that Customer’s instructions infringe applicable Data Privacy Laws.
The parties agree to comply with the applicable Data Privacy Laws as well as any relevant guidance from data protection authorities concerning such processing. Customer is responsible for ensuring that any instructions to Creatopy regarding the processing of Personal Data comply with applicable laws.
Security. Creatopy will implement appropriate technical and organizational measures to safeguard Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as outlined in Annex 2 (“Technical and Organizational Measures”). Notwithstanding any provision to the contrary, Customer acknowledges that Creatopy may periodically modify or update these measures at Creatopy’s sole discretion by publishing updates, provided that such modification or update does not diminish the overall level of security.
Customer is solely responsible for assessing whether the data security measures implemented within the Service satisfy Customer’s obligations under applicable Data Privacy Laws. Additionally, the Customer remains responsible for ensuring the secure use of the Service, including safeguarding Personal Data during transmission to and from the Service (e.g., through secure backups or encryption).
Conflict of Laws. If we become aware that we are unable to process Customer Personal Data in accordance with Customer’s instructions due to a legal obligation under applicable law, we will: (i) promptly inform Customer of that legal obligation, to the extent permitted by law; and (ii) where required, suspend all processing activities (excluding the storage and safeguarding of the affected Customer Personal Data) until Customer provides new instructions that we can lawfully follow. In such cases, we shall not be held liable under the Agreement for any delay or failure in performing the relevant Service until lawful and feasible instructions are provided.
Confidentiality. Creatopy shall treat all Personal Data of the Controller as strictly confidential and shall ensure that all persons authorized to process such Personal Data are subject to appropriate confidentiality obligations. Specifically:
All persons authorized by the Processor to process the Controller’s Personal Data shall:
(a) Be subject to a written contractual obligation of confidentiality, or a professional or statutory obligation of confidentiality, that survives the termination of their engagement;
(b) Be informed of the confidential nature of the Personal Data and the Processor’s obligations under this DPA;
(c) Be provided with appropriate training regarding data protection and confidentiality requirements.
Return or Destruction of Customer Personal Data. Upon Termination, at the Customer’s written instructions, Creatopy shall return or destroy all Customer Personal Data. However, this stipulation shall not be applicable where Creatopy is required under the applicable laws to retain any or all Customer Personal Data. In such cases, Creatopy shall securely isolate and safeguard the retained Customer Personal Data from further processing, except as required by law, until destruction becomes possible.
3. SUBPROCESSING
Customer authorizes Creatopy to engage Sub-Processors to process Customer Personal Data on Customer’s behalf in several ways: (i) for providing hosting and infrastructure services; (ii) for supporting specific Service features, integrations or other operational purposes; and (iii) through Creatopy’s Affiliates for Service, support and operational/administrative purposes. Certain Sub-Processors will be applicable to Customer’s use of the services by default, while others will only apply if the Customer uses the corresponding features or services. Creatopy will provide reasonable prior notice at least 10 days before any changes or replacements of any Sub-Processor by posting details at the URL: Annex no. 3 - Sub-Processors List and may provide Customer with a mechanism to receive notifications of new Sub-Processors. Customer may object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Customer Personal Data within 5 days of notification at dpo@creatopy.com. If Customer raises an objection, both parties agree to engage in good faith discussions to reach a commercially reasonable resolution. If no resolution is achieved, Creatopy will, at our sole discretion, either refrain from appointing the proposed Sub-Processor or allow Customer to suspend or terminate the affected Service in accordance with the termination terms of the Agreement, without any liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
When engaging Sub-Processors, Creatopy will ensure that they are bound by data protection obligations that offer a level of protection for Customer Personal Data that is at least equivalent to those set out in this DPA, as relevant to the services they provide. Where Creatopy cannot disclose a Sub-Processor agreement to Customer, Creatopy shall provide all information (on a confidential basis) it reasonably can in connection with such agreement.
4. COOPERATION AND AUDIT
When necessary, Creatopy shall cooperate and assist Customer to exercise its obligations under applicable Data Privacy Laws in addressing (i) any complaints or requests from the Data Subjects, with respect to processing of their Personal Data, in accordance with the Data Subjects’ rights under applicable Data Privacy Laws; and (ii) any other correspondence, enquiry or complaint received from any authority, regulator or other third party in connection with Creatopy’s processing of the Customer Personal Data, unless prohibited by applicable Privacy Laws.
The Customer acknowledges that Creatopy undergoes regular audits by independent third-party auditors in accordance with industry standards. Upon request, Creatopy shall provide the Customer with a summary of its audit report(s). Additionally, Creatopy will respond to any written audit-related inquiries from the Customer and provide supporting documentation. The Customer agrees to exercise its audit rights under Clause 8.9 of the SCCs by directing Creatopy to follow the audit procedures outlined in this Section.
5. DATA TRANSFER
Customer acknowledges and agrees that, in order to deliver the Services under the Agreement, Creatopy may access, process and transfer Customer Personal Data from/to jurisdictions other than the ones in which Customer Personal Data was first collected (e.g. USA). Each party will ensure that any such cross-border transfers of Customer Personal Data comply with applicable Data Privacy Laws and will take such measures as are necessary to ensure that the transfer is made in compliance with Data Privacy Laws.
SCCs. If Personal Data is transferred outside of the European Economic Area (“EEA”) or Switzerland to a country that is not recognized under GDPR as providing an adequate level of protection for Personal Data and is not covered by a suitable framework recognized by relevant authorities or courts, then the Standard Contractual Clauses (“SCCs”) annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 (as amended, replaced, or superseded from time to time) shall automatically apply and are hereby incorporated by reference into this DPA and will enter into force between the parties without the need for further action or execution, as of the commencement of such transfer. The parties agree to comply with and be bound by the SCCs for such transfers.
UK SCC Addendum. If Personal Data is transferred outside of the United Kingdom to a country that is not recognized to offer an adequate level of protection for Personal Data and is not covered by a suitable framework recognized by relevant authorities or courts that offer an adequate level of protection for Personal Data, then the parties agree to incorporate the UK SCC or any other transfer mechanism as adopted by a decision of the applicable supervisory authority or by a legally binding decision made by any other authorized body.
Alternative Transfer Mechanism. In the event that Creatopy is required to adopt an alternative transfer mechanism under European Privacy Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Privacy Laws), and Customer agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
6. PERSONAL DATA BREACHES
Creatopy shall notify Customer without undue delay upon becoming aware of a Customer Personal Data Breach and shall provide timely information/updates, as reasonably requested by the Customer in order to assist the Customer in notifying competent authorities and/or affected Data Subjects, where such notification is required under applicable Data Privacy Laws.
Creatopy shall take all reasonable steps necessary to mitigate or remediate the impact of any Personal Data Breach affecting Customer Personal Data and will keep the Customer informed of any material updates related to the incident. Customer agrees not to issue any communication or public statement—including legal filings or notifications to regulators or affected individuals, unless mandatory under the applicable Data Privacy Laws—that directly or indirectly identifies Creatopy in connection with the breach without Creatopy’s prior written consent.
7. TERM AND TERMINATION
The term of this DPA will follow the term of the Agreement. This DPA will remain in force until (i) it is replaced or repealed by mutual agreement of the parties or (ii) the Agreement is terminated or expires (together “Termination”). However, any obligations which by their nature survive the termination of the Agreement, shall continue in full force and effect even after its Termination.
8. GENERAL PROVISIONS
Amendments. Notwithstanding anything else to the contrary in this DPA and without prejudice to the “Security” or “Subprocessing” Sections of this DPA, we reserve the right to make any updates and changes to this DPA, to reflect current acceptable practices. The provisions of Section 12 “Modification of Terms” of the Agreement shall be applicable.
Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Parties to this DPA. By entering into an Agreement with Creatopy, you also agree to be bound by this DPA (including, where applicable, the SCCs) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” will include you and such Permitted Affiliates.
Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
9. APPLICABLE LAW
This DPA will be governed by and construed in accordance with the Governing Law from the Agreement, unless required otherwise by Data Privacy Laws.
ANNEXES:
Annex 1 - Customer Personal Data
Annex 2 - Technical and Organizational Measures
Annex 1 - Customer Personal Data
A. Categories of data subjects whose personal data is transferred:
(a) Users of the Service (including Customer’s employees, contractors, representatives, and Users who access or use the Service)
(b) Individuals whose personal data is included in content, datasets, or other materials uploaded, submitted, or processed by data exporter or its Users through the Service
(c) Persons authorized to represent the data exporter, such as account administrators, billing contacts, or other designated representatives
Depending on Customer's use of the Service, additional categories of data subjects may include individuals whose information is contained in data exporter-uploaded datasets or User-generated content.
B. Categories of personal data transferred
The Customer independently determines the categories of personal data, which may include but are not limited to the following:
(a) User/Customer Data: name, title, phone number, access credentials (e.g., email address, username, password), billing address, IP address, cookie ID, browser ID, device ID, actions and events taken on the website and in the app (including pages viewed, logins, searches, uploads, downloads, design edits, comments, purchases).
(b) User-Generated Content: any personal data included in content created, uploaded, or edited by Customer or its users in the Service (e.g., images, videos, creative assets, text, comments).
(c) Customer-Uploaded Datasets: personal data included in datasets uploaded by Customer or its users for purposes such as audience targeting, personalization, analytics, or campaign management.
(d) Usage Data: activity logs, device/browser information, and other metadata relating to use of the Service.
(e) Other Personal Data: any other personal data that Customer or its users upload, submit, or otherwise process through the Service, including but not limited to customer names, photos of individuals, or other identifiers contained in advertising content or creative assets.
C. Processing Operations
The processing of Personal Data by Creatopy on behalf of Customer may include, but is not limited to, the following operations: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data, as necessary to provide the Services under the Agreement, as further described in this DPA, and/or as required by applicable law and documented instructions of Customer.