EpicMindArt
Data Processing Addendum (DPA)
Last updated: 2025-10-21
Summary
This Data Processing Addendum (DPA) summary explains how EpicMindArt processes personal data on behalf of its customers and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
1. Roles and responsibilities
Data Controller
EpicMindArt acts as a Data Controller for personal data collected directly from users of our Services (e.g., account information, billing details, usage data). This data is processed in accordance with our Privacy Policy.
Data Processor
For customers who use our Services to process their own end-users' personal data (e.g., B2B SaaS customers), EpicMindArt may act as a Data Processor on behalf of the customer (the Controller). In such cases, this DPA applies, and processing is governed by our agreements with those customers.
2. Scope of processing
When EpicMindArt acts as a Processor, we process personal data only:
- As instructed by the Controller (our customer)
- For the purposes described in the applicable service agreement
- To provide, maintain, and improve the Services
- To comply with legal obligations
Types of personal data processed: Depends on customer use case, but may include names, email addresses, user-generated content, usage logs, and technical metadata.
Data subjects: End-users of our customers' applications or services.
3. Subprocessors
EpicMindArt engages the following third-party subprocessors to assist in providing the Services:
- Paddle — Payment processing and subscription management
- Supabase — Database, authentication, and file storage
- Vercel — Hosting and deployment infrastructure
- Resend — Transactional email delivery
- Google Analytics / Microsoft Clarity — Analytics providers
A full and current list of subprocessors is available upon request at EpicMindArt@gmail.com. We will notify customers of any changes to our subprocessors in accordance with GDPR requirements.
4. Security measures
EpicMindArt implements appropriate technical and organizational measures to protect personal data, including:
- Access controls: Role-based access, multi-factor authentication where applicable
- Encryption: Data encrypted in transit (TLS/SSL) and at rest where feasible
- Secure hosting: Infrastructure hosted with reputable cloud providers (Vercel, Supabase)
- Regular updates: Software and dependencies kept up-to-date with security patches
- Incident response: Procedures in place to detect, respond to, and report security incidents
Detailed security documentation is available upon request for enterprise customers.
5. Cross-border data transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When such transfers occur, we rely on:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with subprocessors located outside the EEA
- Adequacy decisions: We may rely on adequacy decisions adopted by the European Commission
- Data processing agreements: Contracts with subprocessors include appropriate data protection obligations
You can request details of international transfers and safeguards by contacting EpicMindArt@gmail.com.
6. Data subject rights
When EpicMindArt acts as a Processor, we assist Controllers (our customers) in responding to data subject requests, including:
- Access to personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
If you receive a data subject request related to data processed by EpicMindArt on your behalf, contact us at EpicMindArt@gmail.com and we will assist in fulfilling the request.
7. Data retention and deletion
We retain personal data only for as long as necessary to provide the Services and comply with legal obligations. Upon termination of services or upon customer request, we will:
- Delete or return personal data within 30 days, unless legally required to retain it
- Provide customers with the ability to export their data before deletion
Backup copies may be retained for up to 90 days for disaster recovery purposes, after which they are securely deleted.
8. Data breach notification
In the event of a personal data breach, we will:
- Notify affected customers (Controllers) without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide details of the breach, including its nature, the categories of data affected, and the measures taken
- Cooperate with customers in their notification obligations to supervisory authorities and data subjects
9. Audits and compliance
Upon reasonable written request and subject to confidentiality obligations, EpicMindArt will:
- Provide information necessary to demonstrate compliance with this DPA
- Make available relevant records and documentation
- Cooperate with audits conducted by customers or their appointed auditors (costs may apply for extensive audits)
10. Signing a formal DPA
If you require a fully executed Data Processing Addendum (DPA) for your organization, please contact us at EpicMindArt@gmail.com with:
- Your company name and contact details
- The services you are using or plan to use
- Any specific requirements or clauses needed
We will provide a formal DPA document for review and signature. This summary serves as a good-faith representation of our data processing practices, but a signed DPA provides the most comprehensive legal protections.
11. Contact
For questions about this DPA or to request a formal signed agreement:
Email: EpicMindArt@gmail.com
Subject line: "DPA Request" or "Data Processing Agreement"