Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CM Studio, LLC (“Data Processor”) and the business entity utilizing the Services (“Data Controller”).

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
  • “GDPR” means the General Data Protection Regulation (EU) 2016/679.

2. Roles and Scope

The customer is the Data Controller, and CM Studio, LLC is the Data Processor. The Processor will only process Personal Data in accordance with the Controller’s documented instructions as defined in the Terms of Service.

3. Subprocessing

The Processor’s current Subprocessors include:

  • Google Cloud: Cloud hosting and data storage.
  • OpenAI: Artificial Intelligence API (utilizing a Zero Data Retention policy).
  • Stripe: Payment processing.

4. Security Measures

The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized disclosure or access, including encryption in transit and at rest on Google Cloud infrastructure.

5. Annex 1: Details of Processing

  • Subject Matter: The provision of a cosmetic formulation, production tracking, AI assistance, and client management SaaS platform.
  • Nature and Purpose: Hosting, storing, and analyzing data to facilitate the Controller’s cosmetic production, client relationship management, AI formulation queries, and regulatory compliance.
  • Categories of Data Subjects: The Controller’s employees, contractors, and the Controller’s clients/customers whose details are entered into the platform’s CRM or production logs.
  • Types of Personal Data: Names, contact details (email, phone, address), project briefs, AI formulation prompts and chat history, and any other personal data the Controller chooses to input into the platform’s modules.
  • Duration: For the duration of the subscription, plus a grace period prior to permanent deletion.