Data Processing Agreement

Last updated: 12 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between [Full Legal Company Name] (“Äng,” “we,” “us,” the “Processor”) and the customer using the Service on behalf of a company or other organization (“Customer,” the “Controller”), and governs our processing of personal data on the Customer's behalf under Regulation (EU) 2016/679 (“GDPR”).

To request a countersigned copy of this DPA, contact us at privacy@ang.studio.

1. Roles and scope

For personal data that the Customer and its users submit to the Service (boards, prompts, images, files, comments, and collaborator details — “Customer Data”), the Customer is the controller and Äng is the processor.

For account, billing, security, and product-analytics data that we process for our own purposes, we act as an independent controller as described in our Privacy Policy.

2. Details of processing

Subject matter and duration

Provision of the Äng Service for the duration of the Customer's agreement with us, plus the deletion periods described in section 9.

Nature and purpose

Hosting, storage, display, transformation (including AI-assisted generation and editing), sharing, and backup of Customer Data as instructed through the Customer's use of the Service.

Categories of data subjects

  • the Customer's users and collaborators; and
  • any individuals whose personal data appears in content uploaded to the Service.

Categories of personal data

  • identification and contact data (name, email address);
  • user content (boards, prompts, images, files, comments); and
  • technical and usage data generated by use of the Service.

3. Instructions

We process Customer Data only on the Customer's documented instructions — including the Customer's configuration and use of the Service — unless required to do otherwise by EU or member state law, in which case we will inform the Customer before processing unless that law prohibits it. We will inform the Customer if, in our opinion, an instruction infringes the GDPR.

4. Confidentiality

We ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

We implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including encryption in transit, row-level access controls, tenant isolation, security monitoring, and the measures described on our Security page.

6. Subprocessors

The Customer grants a general authorization for us to engage the subprocessors listed at /subprocessors. We impose data protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain liable for their performance.

We will update the subprocessor page before adding or replacing a subprocessor. Customers with an active DPA may object on reasonable data protection grounds within 30 days of an update; if we cannot accommodate the objection, the Customer may terminate the affected service.

7. Assistance

Taking into account the nature of the processing, we assist the Customer with appropriate technical and organizational measures in fulfilling its obligations to respond to data subject requests (Articles 12–23 GDPR), and with the Customer's obligations under Articles 32–36 GDPR, insofar as the information is available to us.

8. Personal data breach

We notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide the information reasonably required for the Customer to meet its obligations under Articles 33–34 GDPR, supplementing the notification as information becomes available.

9. Deletion and return

Users can delete boards and content in the product, and account deletion is available self-service (with a short grace period), after which we delete stored content, files, and the account itself, and remove or request deletion of user-linked records held by our subprocessors where technically supported. Residual copies in error logs and backups expire automatically within fixed retention windows.

At termination, the Customer may export content before deletion. We delete remaining Customer Data unless EU or member state law requires storage.

10. Audits

We make available the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, with reasonable notice and at most once per year unless required by a supervisory authority or following a breach.

11. International transfers

Where processing involves a transfer of personal data outside the EU/EEA, we rely on an adequacy decision (including the EU–US Data Privacy Framework where the recipient is certified), the European Commission's Standard Contractual Clauses, or another lawful transfer mechanism, as listed per provider at /subprocessors.

12. Contact

[Full Legal Company Name]
[Registered Address]
Email: privacy@ang.studio