
Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Archiva ("Processor")
  • [Client Name] ("Controller")

together the "Parties".

This DPA forms part of the Service Agreement between the Parties.

2. Purpose of this DPA

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with website development, deployment, integration, and optional managed services.

3. Roles of the Parties

The Parties agree that:

  • The Client is the Data Controller
  • The Service Provider is the Data Processor

The Processor processes personal data only on documented instructions from the Controller.

4. Nature of Processing

The Processor may process personal data for the purpose of:

  • Building and configuring the Client's website
  • Integrating third-party services such as Supabase, Netlify, Stripe, YouTube, and Spotify
  • Assisting with content organisation and management (where applicable under Managed Services)
  • Technical support and maintenance

5. Types of Personal Data

Depending on the Client's implementation, the Processor may process:

  • User account data (e.g. names, emails, usernames)
  • Authentication data
  • Usage data (e.g. video views, interactions)
  • Content metadata (e.g. tags, relationships, classifications)
  • API credentials and access tokens (where provided)

The Processor does not intentionally collect sensitive personal data unless instructed by the Controller.

6. Categories of Data Subjects

Data subjects may include:

  • End users of the Client's website
  • Subscribers or paying users
  • Admin users of the Client's system
  • Any individuals appearing in or associated with uploaded content

7. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Not use personal data for any purpose other than providing the Services
  • Implement reasonable technical and organisational security measures
  • Ensure that all personnel with access to data maintain its confidentiality
  • Assist the Controller in fulfilling data protection obligations where reasonably possible

8. Sub-processors

The Controller authorises the Processor to use third-party service providers ("Sub-processors") where necessary, including infrastructure providers such as hosting, database, analytics, and payment processors.

These may include services such as Supabase, Netlify, Stripe, YouTube, and Spotify.

The Processor shall ensure that any Sub-processors are subject to appropriate data protection obligations.

9. International Transfers

Personal data may be transferred or stored outside the United Kingdom or European Economic Area where Sub-processors operate. In such cases, appropriate safeguards will be implemented where required by law.

10. Security Measures

The Processor shall implement appropriate technical and organisational measures to protect personal data, including:

  • Access control to systems and credentials
  • Encryption where appropriate
  • Secure handling of API keys and sensitive configuration data
  • Restricting access to authorised personnel only

11. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting Client data.

12. Data Retention and Deletion

Upon termination of services, the Processor shall:

  • Return or delete personal data at the request of the Controller
  • Retain data only where required by law or legitimate business purposes

13. Audit and Cooperation

The Processor shall reasonably assist the Controller in demonstrating compliance with applicable data protection laws, including UK GDPR.

14. Client Responsibilities

The Controller is responsible for:

  • Ensuring a lawful basis for processing personal data
  • Providing appropriate privacy notices to end users
  • Ensuring content and data collected through the system is lawful
  • Managing end-user consent where required

15. Limitation of Liability

The Processor's liability under this DPA is subject to the limitations set out in the Service Agreement, except where such limitation is not permitted under applicable law.

16. Termination

This DPA terminates automatically upon termination of the Service Agreement, subject to any continuing obligations regarding data deletion or return.

17. Governing Law

This DPA is governed by the laws of England and Wales.

18. Contact

Charlie@archiva.tv