Data Processing Addendum

This Data Processing Addendum (DPA) supplements our Privacy Policy and governs the processing of personal data in compliance with applicable data protection laws.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the entity that determines the purposes and means of processing personal data
  • "Processor" means the entity that processes personal data on behalf of the Controller
  • "Personal Data" has the meaning given in applicable Data Protection Laws
  • "Data Protection Laws" means GDPR, CCPA, LGPD, and other applicable privacy regulations
  • "Data Subject" means an identified or identifiable natural person

2. Scope and Application

This DPA applies when:

  • You engage PixelAura for design services and we process personal data on your behalf
  • Personal data is transferred from the EU/EEA, UK, California, or Brazil
  • The processing is subject to GDPR, CCPA, LGPD, or similar data protection laws
  • You act as a Controller and PixelAura acts as a Processor

3. Roles and Responsibilities

When You Are the Controller

You are responsible for:

  • Ensuring lawful basis for processing personal data
  • Providing necessary privacy notices to data subjects
  • Obtaining required consents
  • Instructing PixelAura on data processing activities
  • Responding to data subject requests

When PixelAura Acts as Processor

PixelAura will:

  • Process personal data only on your documented instructions
  • Implement appropriate technical and organizational measures
  • Assist with data subject requests when possible
  • Notify you of any data breaches
  • Delete or return data upon termination

4. Categories of Data and Processing

Categories of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Business information (company names, job titles)
  • Project-related communications and content
  • Payment and billing information
  • Technical data (IP addresses, browser information)

Categories of Data Subjects

  • Client contacts and representatives
  • End users of client products/services
  • Website visitors
  • Newsletter subscribers

Processing Activities

  • Project management and communication
  • Design development and delivery
  • Customer support and service delivery
  • Billing and payment processing
  • Website analytics and improvement

5. Security Measures

PixelAura implements appropriate technical and organizational measures including:

Technical Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security updates and patches
  • Secure backup and recovery procedures
  • Network security and monitoring

Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements
  • Data breach response procedures
  • Regular security assessments
  • Vendor management and due diligence

6. Sub-Processing

PixelAura may engage sub-processors for:

  • Cloud hosting and storage services
  • Email and communication platforms
  • Analytics and monitoring tools
  • Payment processing services

Sub-Processor Requirements

  • Written agreements with equivalent data protection obligations
  • Regular assessment of security measures
  • Notification of any changes to sub-processors
  • Right to object to new sub-processors

7. International Data Transfers

When transferring personal data internationally, PixelAura ensures:

  • Adequacy decisions are in place, or
  • Appropriate safeguards such as Standard Contractual Clauses
  • Compliance with local data localization requirements
  • Assessment of third country privacy laws

8. Data Subject Rights

PixelAura will assist you in responding to data subject requests for:

  • Access: Providing copies of personal data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting personal data ("right to be forgotten")
  • Restriction: Limiting processing activities
  • Portability: Providing data in structured format
  • Objection: Stopping certain processing activities

9. Data Breach Notification

In case of a personal data breach, PixelAura will:

  • Notify you without undue delay (within 72 hours when possible)
  • Provide details of the breach and affected data
  • Describe measures taken to address the breach
  • Assist with regulatory notifications if required
  • Cooperate in breach investigation and remediation

10. Data Retention and Deletion

  • Personal data is retained only as long as necessary for the specified purposes
  • Data is deleted or anonymized when no longer needed
  • Upon termination of services, data is deleted or returned as instructed
  • Backup data is deleted according to standard retention schedules
  • Legal hold requirements may extend retention periods

11. Audits and Compliance

PixelAura will:

  • Maintain records of processing activities
  • Provide information necessary for compliance audits
  • Allow for and contribute to audits by you or appointed auditors
  • Demonstrate compliance with this DPA
  • Cooperate with supervisory authorities

12. Liability and Indemnification

  • Each party is liable for damages caused by its breach of data protection laws
  • PixelAura's liability is limited to direct damages
  • You indemnify PixelAura for claims arising from your instructions
  • Both parties will cooperate in defending against third-party claims

13. Term and Termination

  • This DPA remains in effect while we process personal data on your behalf
  • Upon termination, personal data will be deleted or returned as instructed
  • Certain provisions survive termination (confidentiality, liability)
  • Data may be retained if required by law

14. Contact Information

For questions about this DPA or data processing:

Effective Date: January 1, 2024

Last Updated: January 1, 2024