Data Processing Agreement (DPA)

Last Updated: January 2026

Between ARTILORA PTE. LTD. (“Processor”) and Enterprise Customer (“Controller”)

1. Definitions

“Agreement” means this Data Processing Agreement.

“Controller” means the entity that determines the purposes and means of processing Personal Data.

“Processor” means ARTILORA PTE. LTD., which processes Personal Data on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data, including collection, storage, use, and deletion.

“Subprocessor” means any third party engaged by Processor to process Personal Data.

2. Scope and Purpose

This DPA applies to all Personal Data processed by Processor on behalf of Controller in connection with the provision of Artilora services.

Purpose of Processing:

  • Providing AI-powered creative product design services
  • User account management and authentication
  • Service delivery and support
  • Analytics and service improvement (with appropriate anonymization)

3. Processor Obligations

3.1 Processing Instructions

Processor shall:

  • Process Personal Data only in accordance with Controller’s documented instructions
  • Not process Personal Data for any purpose other than those specified in this DPA
  • Immediately inform Controller if Processor believes an instruction violates applicable data protection laws

3.2 Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data at rest and in transit
  • Access controls and authentication mechanisms
  • Regular security assessments and audits
  • Incident response procedures
  • Staff training on data protection

3.3 Confidentiality

Processor shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

3.4 Data Subject Rights

Processor shall assist Controller in responding to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object to processing

3.5 Data Breach Notification

Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach, providing:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

3.6 Data Retention and Deletion

Processor shall:

  • Retain Personal Data only for the duration necessary to fulfill the purposes specified in this DPA
  • Delete or return all Personal Data upon termination of services, unless retention is required by law
  • Provide confirmation of deletion upon request

4. Subprocessors

4.1 Authorization

Controller authorizes Processor to engage Subprocessors, provided that:

  • Processor maintains a list of current Subprocessors
  • Processor ensures Subprocessors are bound by equivalent data protection obligations
  • Processor remains fully liable for Subprocessor compliance

4.2 Current Subprocessors

Processor’s current Subprocessors include:

  • Amazon Web Services (AWS) - Cloud infrastructure
  • Vercel - Web hosting and CDN
  • Stripe - Payment processing
  • OpenAI - AI model services
  • Anthropic - AI model services
  • Cloudflare - CDN and DDoS protection
  • PostgreSQL - Database services
  • Resend - Email delivery
  • Sentry - Error monitoring
  • Google Analytics - Website analytics

4.3 Subprocessor Changes

Processor shall:

  • Provide 30 days’ notice of any new Subprocessor
  • Allow Controller to object to new Subprocessors
  • If objection cannot be resolved, Controller may terminate the agreement

5. International Transfers

5.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA/UK/Switzerland, Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK Addendum where applicable
  • Adequacy decisions where available

5.2 Transfer Locations

Personal Data may be transferred to and processed in:

  • United States
  • European Union
  • Other jurisdictions where Processor or Subprocessors operate

6. Audits and Compliance

6.1 Audit Rights

Controller may:

  • Request information necessary to demonstrate Processor’s compliance
  • Conduct audits (with reasonable notice and at Controller’s expense)
  • Review Processor’s security certifications (SOC 2, ISO 27001)

6.2 Compliance Certifications

Processor maintains:

  • SOC 2 Type II certification
  • ISO 27001 certification
  • Regular third-party security assessments

7. Liability and Indemnification

Processor shall be liable for any damages caused by its breach of this DPA, subject to applicable law and the limitations set forth in the main service agreement.

8. Term and Termination

This DPA shall remain in effect for as long as Processor processes Personal Data on behalf of Controller, and shall survive termination of the main service agreement to the extent necessary for Processor to fulfill its obligations regarding data return or deletion.

9. Governing Law

This DPA shall be governed by the laws specified in the main service agreement, with due consideration for applicable data protection laws.

10. Contact Information

For questions regarding this DPA or data processing activities:

ARTILORA PTE. LTD.
Email: legal@artilora.ai
Address: 6 RAFFLES QUAY #14-02 Singapore 048580

This DPA is effective as of the date of execution and shall remain in effect until terminated in accordance with its terms.

Built for Creative Commerce

Entreprise

Ressources

Légal

© 2026 · Artilora. Tous droits réservés.

@Artilora.ai