Data Processing Addendum.
Annex to the MSA for enterprise clients (and required for any EU/UK/Quebec client). Allocates controller/processor roles, sets security baseline, and authorizes subprocessors.
May 24, 2026 · v1.2 · Effective for all enterprise engagements signed on or after this date. Covers Florida (entity jurisdiction), EU, UK, Quebec (Law 25), and California exposure.
Background.
This Data Processing Addendum (“DPA”) supplements the Master Services Agreement between Studio Mate LLC (“Processor”) and the client identified in the MSA (“Controller”). It applies to Processor’s processing of Personal Data on behalf of Controller in the course of providing the Services.
Definitions.
Capitalized terms not defined here have the meanings given in the MSA. The following terms have the meanings given in Regulation (EU) 2016/679 (“GDPR”): “Personal Data,” “Data Subject,” “Processing,” “Controller,” “Processor,” “Sub-processor,” “Supervisory Authority,” and “Personal Data Breach.” References to GDPR include equivalent terms under Quebec Law 25, PIPEDA, the UK GDPR, and CCPA/CPRA.
Subject Matter, Duration, and Nature.
Subject matter: Processing of end-user conversational data and related metadata in connection with the operation of one or more Agents deployed on Controller’s properties.
Duration: For the term of the MSA, plus retention periods set in the Privacy Policy.
Nature and purpose of processing: Conversational service delivery, security, analytics, anonymization, and (post-anonymization, as independent controller) commercial use under MSA §8.
Categories of Data Subjects: Visitors and end-users of Controller’s properties.
Categories of Personal Data: Conversation transcripts, technical identifiers (IP, device, session), inferred intent and sentiment, and any voluntary identifiers (name, email, phone, project details).
Roles.
Drafting note: Section 4.3 (the anonymization clause below) is the legal mechanism that lets the anonymized dataset leave the Controller’s chain of authority and become Processor’s commercial asset. The mechanism is well-established under EDPB guidance, but counsel should confirm acceptability in each enterprise client’s jurisdiction.
With respect to Personal Data, Controller is the Controller and Processor is the Processor.
Processor will process Personal Data only on Controller’s documented instructions, including with regard to international transfers, except where required by applicable law (in which case Processor will inform Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
Once Personal Data has been irreversibly anonymized so that the Data Subject is not or no longer identifiable, taking into account all means reasonably likely to be used by Processor or any other person (GDPR Recital 26), the resulting Anonymized Data ceases to be Personal Data, and Processor processes such Anonymized Data and any Aggregated Data derived from it as an independent controller for its own purposes as described in MSA §8.3. Data that can still be attributed to a Data Subject with the use of additional information kept separately is pseudonymized (GDPR Art. 4(5)), remains Personal Data, and remains subject to this DPA.
Confidentiality.
Processor ensures that persons authorized to process Personal Data are bound by appropriate obligations of confidentiality.
Security Measures.
Processor implements appropriate technical and organizational measures, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Role-based access controls with least-privilege principles;
- Audit logging of access to Personal Data;
- Network segmentation and firewall protection;
- Regular vulnerability scanning and dependency patching;
- Annual third-party security review (SOC 2 Type II report targeted; audit in progress);
- Documented incident response procedures;
- Personnel security training on at least an annual basis;
- Background checks for personnel with access to Personal Data, where lawful.
Subprocessors.
Controller authorizes Processor to engage the Sub-processors listed in §11 of the Privacy Policy, and any successors thereto.
Processor will provide at least thirty (30) days’ notice of any new Sub-processor via the studio-mate.ai/subprocessors page or by direct notice. Controller may object in writing for reasonable data protection grounds. If the parties cannot agree on a resolution, Controller may terminate the affected Services on written notice without further liability.
Processor will impose on each Sub-processor data protection obligations no less protective than those in this DPA.
Data Subject Requests.
Processor will assist Controller, by appropriate technical and organizational measures and taking into account the nature of the processing, in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject submits a request directly to Processor, Processor will forward it to Controller without undue delay and will not respond directly except to acknowledge receipt or comply with applicable law.
Personal Data Breach.
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed under this DPA. The notice will include, to the extent known: the nature of the breach, categories and approximate numbers of Data Subjects and records affected, likely consequences, and measures taken or proposed.
International Transfers.
Where Processor processes Personal Data of EU/EEA, UK, or Swiss Data Subjects in a third country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (2021/914) (Module Two: Controller-to-Processor) are incorporated by reference and form part of this DPA. The UK Addendum and Swiss adjustments apply as relevant.
Processor will assist Controller in conducting any privacy impact assessment required under Quebec Law 25 before Personal Data of Quebec residents is communicated outside Quebec. Both parties cooperate with the Commission d’accès à l’information as required.
Audit.
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including the most recent third-party audit report (e.g., SOC 2, ISO 27001) when available.
Once per calendar year, on at least thirty (30) days’ prior written notice, during business hours, and subject to confidentiality undertakings, Controller (or its authorized auditor, who must not be a competitor of Processor) may conduct an on-site audit. Costs are borne by Controller unless a material non-compliance is identified.
Deletion and Return.
On termination of the Services, Processor will, at Controller’s election and within ninety (90) days, return or delete all Personal Data, except (a) Anonymized Data and Aggregated Data, which Processor may retain indefinitely under MSA §8.3, and (b) data Processor is required to retain by applicable law.
Conflict.
In the event of conflict between this DPA and the MSA, this DPA controls with respect to data protection matters. In the event of conflict between this DPA and the Standard Contractual Clauses, the SCCs control.
— End of Data Processing Addendum · Legal Stack v1.2 —
Document URL: studio-mate.ai/legal/dpa · Annexed to