
Data Processing Addendum

Version 1.0.0 · Effective February 27, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Controller,” “you,” or “your”) and Contia, operating the Contia platform (“Processor,” “we,” “us,” or “our”). This DPA applies to the extent that we process Personal Data on your behalf in connection with your use of the Contia service (“Service”).


1. Scope and Applicability

This DPA supplements the Agreement and applies where and to the extent that applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and other applicable privacy legislation (collectively, “Data Protection Laws”), require a data processing agreement between the parties.

This DPA prevails over any conflicting terms in the Agreement to the extent of such conflict, solely with respect to the processing of Personal Data. All other provisions of the Agreement remain in full force and effect.

2. Definitions

For the purposes of this DPA, the following terms have the meanings set forth below. Terms not defined in this DPA have the meanings assigned in the Agreement or in applicable Data Protection Laws.

  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, you are the Controller.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Contia is the Processor.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • “Processing” (and its cognates) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as amended or replaced from time to time.

3. Roles and Responsibilities

3.1 Controller

You, as the Controller, are responsible for: (a) determining the lawful basis for processing Personal Data; (b) ensuring that any necessary consents, authorizations, or legal bases are obtained or established prior to submitting Personal Data to the Service; (c) providing any required notices to Data Subjects regarding the processing of their Personal Data; and (d) ensuring that your use of the Service complies with applicable Data Protection Laws.

3.2 Processor

We, as the Processor, will process Personal Data solely for the purpose of providing, maintaining, and improving the Service in accordance with the Agreement and your documented instructions. We will not process Personal Data for any other purpose, including for our own commercial purposes, unless required by applicable law, in which case we will inform you of such legal requirement before processing (unless prohibited by law from doing so).

4. Processing Instructions

The Processor will process Personal Data only in accordance with the Controller's documented instructions. The Agreement, including this DPA, together with your configuration and use of the Service, constitute your complete and final instructions to us for the processing of Personal Data. Any additional or alternative instructions must be agreed upon separately in writing. If we believe that an instruction from you infringes applicable Data Protection Laws, we will promptly inform you and will not be obligated to follow such instruction until the issue is resolved.

4.1 Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects, as determined by you:

  • Your employees, contractors, and agents.
  • Your end users and customers.
  • Individuals whose Personal Data is contained in content you upload to or generate through the Service.

4.2 Types of Personal Data

The categories of Personal Data processed may include:

  • Account and authentication data (email addresses, names, profile information, authentication tokens).
  • Content data (prompts, reference images, generated outputs, and associated metadata).
  • Usage and technical data (IP addresses, device identifiers, browser type, timestamps, and activity logs).
  • Billing data (payment method identifiers; note that full payment credentials are processed exclusively by our payment processors and are not stored by us).

5. Sub-processors

5.1 Authorized Sub-processors

You provide general authorization for us to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is maintained at /legal/subprocessors and is incorporated herein by reference.

5.2 Notice of Changes

We will provide at least thirty (30) days' prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor. Notice will be provided by updating the Sub-processor list at the URL above and, where feasible, by sending notice to the email address associated with your account.

5.3 Objection Mechanism

If you have a reasonable, good-faith objection to a new or replacement Sub-processor based on data protection grounds, you must notify us in writing within fourteen (14) days of receiving our notice. Upon receipt of your objection, we will make commercially reasonable efforts to: (a) provide you with an alternative configuration of the Service that avoids the use of the objected-to Sub-processor; or (b) recommend reasonable steps to mitigate your concerns. If we are unable to accommodate your objection within thirty (30) days, either party may terminate the affected Service by providing written notice, and we will refund any prepaid credits attributable to the terminated Service on a pro rata basis.

5.4 Sub-processor Obligations

We will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA. We remain fully liable to you for the performance of each Sub-processor's obligations.

5.5 Upstream Sub-processor Commitments

Our principal Sub-processors maintain the following data protection commitments:

  • Supabase is SOC 2 Type 2 certified and HIPAA compliant. Data is encrypted at rest (AES-256) and in transit (TLS). Supabase offers a signed DPA with Standard Contractual Clauses and operates under California law with ICC arbitration.
  • WaveSpeed (Singapore) processes prompts and reference images to generate outputs. Under their terms, WaveSpeed retains rights to aggregated resultant data and may use Customer Data to train derivative models. Their liability cap is the greater of US$100 or six months of fees.
  • Resend provides a signed DPA, is certified under the EU-US Data Privacy Framework, and provides at least 14 days' notice before engaging new sub-processors.
  • Stripe provides a DPA with Standard Contractual Clauses, is self-certified under the Data Privacy Framework, and commits to not selling or sharing Personal Data.

6. Data Security

We will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures include, without limitation:

  • Encryption at rest. Personal Data stored in our systems is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent).
  • Encryption in transit. All data transmitted between your devices and our Service, and between our Service and Sub-processors, is encrypted using TLS 1.2 or higher.
  • Access controls. Access to Personal Data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls, unique credentials, and multi-factor authentication.
  • Regular security reviews. We conduct periodic security assessments, including vulnerability scanning and penetration testing of our infrastructure and application layers.
  • Personnel security. All personnel with access to Personal Data are bound by confidentiality obligations and receive training on data protection and security practices.
  • Incident response. We maintain a documented incident response plan for identifying, containing, and remediating security incidents.

7. Personal Data Breach Notification

In the event of a Personal Data Breach, we will:

  1. Notify you without undue delay and in any event within seventy-two (72) hours after becoming aware of the breach, by sending notice to the email address associated with your account and, if applicable, by alternative means reasonably calculated to reach you.
  2. Provide sufficient information to enable you to meet any obligations to report the breach to supervisory authorities and Data Subjects under applicable Data Protection Laws, including: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects and Personal Data records affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.
  3. Cooperate with you and take commercially reasonable steps to assist in the investigation, containment, and remediation of the breach.
  4. Not inform any third party of the breach without your prior written consent, unless required by applicable law or directed by a competent supervisory authority, in which case we will inform you of such requirement to the extent permitted by law.

8. Data Subject Requests

We will, taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as practicable, in fulfilling your obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

If we receive a request directly from a Data Subject regarding Personal Data we process on your behalf, we will promptly forward the request to you and will not respond to the Data Subject directly unless instructed by you or required by applicable law.

9. International Data Transfers

To the extent that the processing of Personal Data under this DPA involves a transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the relevant authority, we will ensure that appropriate safeguards are in place as required by applicable Data Protection Laws. Such safeguards may include:

  • Standard Contractual Clauses (SCCs). Where required, we enter into SCCs as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated into this DPA by reference. For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner) applies. For transfers subject to the Swiss FADP, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
  • Supplementary measures. Where necessary based on the circumstances of the transfer, we implement supplementary technical and organizational measures (such as encryption, pseudonymization, and access restrictions) to ensure that the level of protection afforded to Personal Data is not undermined.

We will ensure that our Sub-processors are bound by equivalent transfer safeguards prior to any onward transfer of Personal Data.

10. Data Retention and Deletion

We will retain Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in the Agreement and this DPA. Upon termination or expiration of the Agreement, or upon your written request:

  • We will delete or return all Personal Data in our possession within thirty (30) calendar days, including all copies and backups, unless applicable law requires further retention.
  • Where retention is required by applicable law (for example, for tax, accounting, or legal compliance purposes), we will isolate the retained Personal Data and protect it from further processing, and will delete it promptly upon expiration of the retention period.
  • Upon your request, we will provide written certification of deletion.

This Section does not affect your ability to export or delete your data through the Service's self-service features at any time during the term of the Agreement.

11. Audit Rights

You have the right to verify our compliance with this DPA through audits, subject to the following terms:

  • Frequency. You may conduct or commission one (1) audit per twelve-month period, unless an audit is specifically requested by a competent supervisory authority or following a Personal Data Breach.
  • Notice. You must provide at least thirty (30) days' prior written notice of an intended audit, specifying the scope, proposed date, and duration.
  • Conduct. Audits will be conducted during our regular business hours, in a manner that minimizes disruption to our operations, and subject to reasonable confidentiality obligations binding the auditor.
  • Cost. You will bear the costs of any audit initiated by you, unless the audit reveals a material breach of this DPA, in which case we will bear the reasonable costs of that audit.
  • Alternative evidence. In lieu of an on-site audit, we may, at our discretion, make available to you: (a) a summary of the results of an independent third-party audit or security assessment; (b) relevant certifications (such as SOC 2 or ISO 27001); or (c) other evidence reasonably sufficient to demonstrate compliance. You agree to accept such alternative evidence where it reasonably addresses your audit concerns.

12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under applicable Data Protection Laws to the extent such limitation is not permitted by law.

13. Duration and Termination

This DPA takes effect on the date you accept the Agreement (or, if later, the effective date of this DPA) and remains in effect for as long as we process Personal Data on your behalf. Upon termination of the Agreement for any reason, this DPA will automatically terminate, subject to the survival of obligations that by their nature should survive termination, including but not limited to data deletion (Section 10), audit rights (Section 11), confidentiality, and liability.


Contact

For questions or requests related to this DPA, including Data Subject requests, data breach notifications, or audit requests, contact us at privacy@contia.app.