Black Card Web Design

Legal

Data Processing Addendum

Version 1.0.0-draft · Effective 2026-06-08 · All policies

Draft — not final legal advice

This document is a working placeholder and requires legal / business review before public launch. The studio will replace this with attorney-approved text and publish a new effective version.

Outline of how this studio acts as a data processor on behalf of clients for whom it operates a portal or platform.

This Data Processing Addendum ("DPA") describes how the studio processes personal data on behalf of a client (the controller) where the studio is engaged to operate, host, or maintain a system that handles personal data. This document is a working placeholder pending legal review and should not be relied on as final legal advice.

Subject matter and purpose

Where the studio operates a system on behalf of a client, the studio acts as a processor and processes personal data only on documented instructions from the client, as set out in the engagement and this DPA.

Categories of data subjects

Depending on the engagement, this may include the client's end users, customers, members, employees, contractors, applicants, or other individuals whose data is held in the system the studio operates.

Categories of personal data

Depending on the engagement, this may include identification data (name, email, phone), account credentials, profile data, transaction and billing data, messages and files exchanged in the system, and technical data such as IP addresses and timestamps used for security and abuse prevention.

Subprocessors

The studio uses third-party subprocessors to deliver the service. The current list includes the database/auth/storage provider, the email delivery provider, and the payment processor. A current list and material changes will be made available on request.

Security measures

The studio uses access controls, row-level security, encrypted connections, signed URLs for file downloads, role-based admin permissions, audit logging, and secret management appropriate to the sensitivity of the data processed.

International transfers

Where personal data is transferred outside the client's jurisdiction, the studio and its subprocessors will rely on appropriate safeguards as required by applicable law.

Assistance and data subject rights

The studio will provide reasonable assistance to the client in responding to data subject requests, security incidents, and data protection impact assessments.

Return or deletion

On termination of the engagement and after any agreed transition period, the studio will return or delete personal data processed on behalf of the client, except where retention is required by law.

Changes

When we publish a new version of this DPA, the effective date will update and the previous version remains on file.