Data Processing Agreement

3D AI Studio

v1.0

Pursuant to Article 28 GDPR · Last updated: 2026-02-28

Preamble

This Data Processing Agreement ("DPA") is entered into between the Customer as data controller ("Controller") and Jan Hammer, trading as Hammer Creations under the brand "3D AI Studio" ("Processor"), located at Lärchenstraße 17, 74389 Cleebronn, Germany.

This DPA forms an integral part of the API Terms of Service ("Terms") available at /Platform/API/TermsAndConditions and is deemed concluded upon the Controller's acceptance of the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data protection matters.

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR").

Capitalised terms not defined in this DPA have the meanings given in the Terms.

1. Definitions

"Controller" means the Customer who determines the purposes and means of the processing of Personal Data by using the API.

"Data Protection Law" means the GDPR, the BDSG, and any other applicable data protection legislation in the European Union, the European Economic Area, and their member states.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.

"Personal Data" means any information relating to a Data Subject that is submitted to the API by the Controller as Input, or that is otherwise processed in connection with the provision of the API.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means the Provider, who processes Personal Data on behalf of the Controller in connection with the API.

"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller, as listed in the Sub-Processor List at /Platform/API/Subprocessors.

2. Scope and Purpose of Processing

(1) The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the API services described in the Terms. Processing occurs when the Controller submits Input containing Personal Data through the API.

(2) The subject matter and details of the Processing are specified in Annex A of this DPA.

(3) The Processor shall not process Personal Data for any purpose other than as documented in the Controller's instructions and as necessary to provide the API services. The Processor shall not sell, retain, use, or disclose Personal Data for any commercial purpose other than providing the API services.

(4) The duration of the Processing corresponds to the term of the contract under the Terms. Upon termination of the contract, the provisions of Section 10 of this DPA apply.

3. Controller's Obligations

(1) The Controller is responsible for ensuring that the Processing of Personal Data through the API is carried out in compliance with Data Protection Law, including having a valid legal basis for Processing under Article 6 GDPR.

(2) The Controller shall ensure that Data Subjects have been informed about the Processing in accordance with Articles 13 and 14 GDPR, and that all necessary consents have been obtained where required.

(3) The Controller's instructions to the Processor are documented in and limited to the Terms, this DPA, and the API calls made by the Controller. The Controller shall ensure that its instructions comply with Data Protection Law.

(4) The Controller represents and warrants that it has all necessary rights, licenses, and consents to submit any Input containing Personal Data to the API, including consent from identifiable individuals whose images or likeness are submitted.

(5) The Controller shall promptly inform the Processor if it becomes aware of any errors or irregularities in the Processing of Personal Data.

4. Processor's Obligations

(1) The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or member state law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).

(2) The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable Data Protection Law (Article 28(3) last subparagraph GDPR).

(3) The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).

(4) The Processor shall not engage any Sub-Processor without the prior general authorisation of the Controller. The Controller grants such general authorisation under this DPA, subject to the notice and objection procedure described in Section 6 of this DPA.

(5) The Processor shall implement and maintain appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk, as described in Annex B of this DPA.

5. Data Subject Rights

(1) Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (Articles 15–22), including access, rectification, erasure, restriction, data portability, and objection (Article 28(3)(e) GDPR).

(2) If a Data Subject contacts the Processor directly with a request regarding their Personal Data, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller.

(3) The Processor shall provide the Controller with all information reasonably necessary to respond to Data Subject requests within a reasonable timeframe, and in any event within ten (10) business days of the Controller's request.

6. Sub-Processors

(1) The Controller grants the Processor general authorisation within the meaning of Article 28(2) GDPR to engage Sub-Processors for the Processing of Personal Data. The current list of authorised Sub-Processors is maintained at /Platform/API/Subprocessors.

(2) The Processor shall inform the Controller of any intended addition or replacement of Sub-Processors by email to the Controller's account email address and by updating the Sub-Processor List, at least thirty (30) days before the change takes effect. The Controller may object to the addition or replacement of a Sub-Processor on reasonable data protection grounds within the thirty (30) day notice period.

(3) If the Controller objects and the parties cannot resolve the objection within a reasonable period, the Controller may terminate the contract in accordance with Section 13 of the Terms.

(4) The Processor shall impose on each Sub-Processor, by way of a contract, data protection obligations equivalent to those set out in this DPA (Article 28(4) GDPR). The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

(5) The Processor shall make available to the Controller, upon request, relevant information regarding the data protection obligations imposed on each Sub-Processor, to the extent permitted by confidentiality obligations with the Sub-Processor.

7. International Data Transfers

(1) The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") unless appropriate safeguards are in place as required by Chapter V of the GDPR (Articles 44–49).

(2) Where Sub-Processors are located outside the EEA, the Processor relies on the following transfer mechanisms as applicable:

(a) The EU-US Data Privacy Framework, where the Sub-Processor is certified under the framework;

(b) EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, supplemented by appropriate technical and organisational measures;

(c) An adequacy decision by the European Commission pursuant to Article 45 GDPR, where available for the recipient country.

(3) The applicable transfer mechanism for each Sub-Processor is specified in the Sub-Processor List. The Processor shall conduct and document a transfer impact assessment where required, and implement supplementary measures where the transfer mechanism alone does not provide an essentially equivalent level of protection.

(4) The Processor shall promptly inform the Controller if the Processor becomes aware of any change in circumstances that may affect the validity or adequacy of the applicable transfer mechanism.

8. Security Measures

(1) The Processor shall implement and maintain the technical and organisational measures described in Annex B of this DPA to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (Article 32 GDPR).

(2) The Processor shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons when determining the appropriate level of security.

(3) The Processor shall regularly test, assess, and evaluate the effectiveness of the technical and organisational measures to ensure the security of Processing.

(4) The Processor shall ensure that any natural person acting under its authority who has access to Personal Data does not process them except on instructions from the Controller, unless required to do so by European Union or member state law.

9. Personal Data Breach Notification

(1) The Processor shall notify the Controller without undue delay, and where feasible within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller (Article 28(3)(f), Article 33(2) GDPR).

(2) The notification shall include, to the extent available:

(a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the name and contact details of the Processor's point of contact from whom more information can be obtained;

(c) a description of the likely consequences of the Personal Data Breach;

(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

(3) Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay.

(4) The Processor shall cooperate with and assist the Controller in investigating, mitigating, and remediating the Personal Data Breach, and in complying with the Controller's notification obligations under Articles 33 and 34 GDPR.

(5) The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

10. Deletion and Return of Personal Data

(1) Upon termination of the contract, the Processor shall delete all Personal Data processed on behalf of the Controller, and delete existing copies, unless European Union or member state law requires storage of the Personal Data (Article 28(3)(g) GDPR). The Processor shall return Personal Data to the Controller upon request, to the extent technically feasible and provided the request is made before automatic deletion occurs.

(2) Generated Output files containing or derived from Personal Data are automatically and permanently deleted twenty-four (24) hours after generation, as described in the Terms.

(3) API request logs (containing metadata such as endpoint called, timestamp, status code, and credits consumed, but not the substance of Input or Output) are retained for up to twenty-four (24) months for billing, security, and troubleshooting purposes. Billing and financial records are retained for ten (10) years in accordance with German tax law (AO §147, HGB §257). Security logs (authentication failures, rate limit events) are retained for twelve (12) months.

(4) The Processor shall provide the Controller with written confirmation of deletion upon request.

11. Audit and Inspection Rights

(1) The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA (Article 28(3)(h) GDPR).

(2) The Processor shall primarily satisfy its audit obligations by providing the Controller, upon written request, with relevant third-party certifications (e.g., ISO 27001, if available), audit reports (e.g., SOC 2, if available), completed security questionnaires, or other documented evidence of compliance. Such requests may be made no more than once per twelve (12) month period.

(3) If the documentation provided under paragraph (2) is reasonably insufficient to verify compliance, the Controller may request an audit. Such audit shall be conducted remotely (e.g., by video conference and document review). An on-site inspection may only be conducted if a remote audit is demonstrably insufficient to verify compliance, or if required by a competent supervisory authority.

(4) The Controller shall give the Processor at least thirty (30) business days' prior written notice of any audit, except in the case of an audit required by a supervisory authority or following a Personal Data Breach, in which case reasonable notice shall suffice. No more than one audit may be conducted per twelve (12) month period, unless required by a supervisory authority or triggered by a Personal Data Breach.

(5) Any auditor mandated by the Controller must enter into a confidentiality agreement acceptable to the Processor before the audit commences. Audits shall not include access to other customers' data, systems, or environments, nor to the Processor's source code, proprietary algorithms, or trade secrets.

(6) Audits shall be conducted during normal business hours with minimal disruption to the Processor's operations. The Controller shall bear its own costs of any audit. If the audit reveals a material non-compliance by the Processor, the Processor shall bear the reasonable costs of the audit.

12. Data Protection Impact Assessment

(1) The Processor shall assist the Controller in carrying out data protection impact assessments (Article 35 GDPR) and prior consultations with supervisory authorities (Article 36 GDPR), to the extent that the Processor's assistance is required and relates to the Processing carried out under this DPA.

(2) The Processor shall provide the Controller with all information reasonably necessary for the Controller to conduct a data protection impact assessment, including information about the Processor's technical and organisational measures, Sub-Processors, and data flows.

13. Liability

(1) The liability of the parties under this DPA is subject to the limitations and exclusions set out in Section 11 of the Terms.

(2) The Processor shall be liable for damages caused by Processing that does not comply with the obligations of the GDPR specifically directed to processors, or that is outside of or contrary to the Controller's lawful instructions (Article 82(2) GDPR).

(3) The Processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage (Article 82(3) GDPR).

14. General Provisions

(1) This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is as specified in the Terms.

(2) This DPA shall remain in effect for the duration of the contract under the Terms and for as long as the Processor processes Personal Data on behalf of the Controller.

(3) Amendments to this DPA must follow the amendment procedure specified in Section 17 of the Terms.

(4) If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced by a valid provision that most closely achieves the intended data protection purpose.

(5) For questions regarding this DPA or data processing, the Controller may contact the Processor at: Jan@3DAIStudio.com.

Annex A: Details of Processing

Subject Matter of Processing:

Processing of Personal Data submitted by the Controller through the 3D AI Studio API for the purpose of AI-powered image generation, 3D model generation, and 3D file processing.

Duration of Processing:

For the duration of the contract under the Terms. Output files are deleted 24 hours after generation. Metadata logs are retained as specified in Section 10 of this DPA.

Nature and Purpose of Processing:

The Processor receives Input from the Controller via API requests and transmits it to Sub-Processors for AI model inference. The resulting Output is stored temporarily and made available to the Controller for download. Processing includes: transmission, temporary storage, AI inference, format conversion, and deletion.

Types of Personal Data:

The Personal Data processed may include, depending on the Input submitted by the Controller: images containing identifiable individuals (facial features, likeness); text prompts that may reference identifiable individuals; email addresses (for account management and notifications); IP addresses (for security, rate limiting, and logging); API usage metadata (endpoints called, timestamps, status codes).

Categories of Data Subjects:

Data Subjects may include: individuals whose images or likeness are submitted by the Controller as Input; the Controller's employees, contractors, or agents who operate the API; end users of the Controller's products or services who are depicted in Input.

Annex B: Technical and Organisational Measures

The Processor implements the following technical and organisational measures pursuant to Article 32 GDPR:

Encryption:

All data in transit is protected using TLS 1.2 or higher. Stored assets (Output files) are encrypted at rest using AES-256 via the storage Sub-Processor (Cloudflare R2). API Keys are stored as cryptographic hashes and are never stored in plain text.

Access Control:

Access to the API requires authentication via API Keys transmitted as Bearer tokens. Dashboard access requires two-factor authentication (TOTP). Administrative access to production systems is restricted to authorised personnel and protected by SSH key-based authentication. Role-based access control is enforced at the infrastructure level.

Data Minimisation and Retention:

Generated Output files are automatically and permanently deleted 24 hours after generation. Input data is not persistently stored; it is held transiently in memory and processing queues only for the duration necessary to complete the API request and is not retained thereafter. API request logs retain only metadata (endpoint, timestamp, status code, credits consumed) and do not retain the substance of Input or Output.

Availability and Resilience:

Production infrastructure is hosted on dedicated servers with redundant components. Application monitoring (Sentry, New Relic) provides real-time alerting for system failures. Database backups are performed regularly. Celery task queues provide fault-tolerant asynchronous processing.

Incident Response:

The Processor maintains an incident response process for detecting, investigating, and responding to Personal Data Breaches. Breach notification to the Controller occurs within 48 hours as specified in Section 9 of this DPA.

Sub-Processor Security:

Sub-Processors are selected based on their ability to provide appropriate security guarantees. Data processing agreements are in place with Sub-Processors that impose obligations equivalent to this DPA. The Processor regularly reviews Sub-Processor compliance.

Authentication Security:

API Key authentication includes brute-force protection via IP-based rate limiting of failed authentication attempts (configurable threshold with 15-minute lockout window). Auth tokens expire after 90 days. API Keys expire after 90 days.

Personnel:

All personnel with access to Personal Data are bound by confidentiality obligations. Access is granted on a need-to-know basis.

Annex C: Sub-Processor List

The current list of authorised Sub-Processors, including their purposes, categories of data processed, processing locations, and applicable transfer mechanisms, is maintained at: /Platform/API/Subprocessors.

Changes to the Sub-Processor List are subject to the notice and objection procedure described in Section 6 of this DPA. A change log is maintained on the Sub-Processor List page.

Version History

Version · Date · Change · Status
v1.0 · 2026-02-28 · Initial release · current

End of Data Processing Agreement · v1.0 · 2026-02-28