DATA PROCESSING AGREEMENT
PURPOSE
This Data Processing Agreement governs the processing of personal data by Disruptive Studio, Inc. in connection with the provision of its Software-as-a-Service platform.
This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), and to define the responsibilities of the parties with respect to personal data.
ROLES OF THE PARTIES
Client acts as the Data Controller and determines the purposes and means of processing personal data.
Disruptive Studio acts as the Data Processor and processes personal data solely on behalf of the Client and in accordance with documented instructions.
Disruptive Studio does not determine the purposes of processing and does not act as a joint controller.
NATURE AND PURPOSE OF PROCESSING
Disruptive Studio processes personal data for the purpose of providing, maintaining, securing, and improving the Software.
Processing activities may include collection, storage, organization, retrieval, analysis, transmission, and deletion of data as required for system functionality.
Processing is limited to what is necessary to deliver the services.
TYPES OF DATA AND DATA SUBJECTS
Personal data processed may include, without limitation:
identification data such as names and usernames
contact data such as email addresses
technical data such as IP addresses and device information
transactional data generated within the platform
any additional data input by the Client
Data subjects may include:
end users of the Client
customers
affiliates or distributors
employees or contractors
PROCESSOR OBLIGATIONS
Disruptive Studio shall:
process personal data only on documented instructions from the Client
ensure all personnel with access to personal data are bound by confidentiality obligations
implement appropriate technical and organizational security measures
not sell, rent, or exploit personal data for its own purposes
limit access to personal data to authorized personnel only
SECURITY MEASURES
Disruptive Studio implements a multi-layered security architecture designed to protect personal data, including:
segmented cloud infrastructure with private virtual networks
restricted internal access through corporate VPN
web application firewall (WAF) and CDN protection against DDoS attacks
continuous monitoring using tools such as Prometheus, Grafana, and Zabbix
centralized logging systems for audit and traceability
real-time error tracking and alerting systems
security monitoring and threat detection through SIEM tools
file integrity monitoring and vulnerability detection
These measures are designed to ensure confidentiality, integrity, and availability of data in accordance with industry standards.
Disruptive Studio aligns its practices with recognized frameworks including GDPR, PCI DSS, HIPAA, and NIST standards.
SUBPROCESSORS
Disruptive Studio may engage subprocessors to support service delivery, including:
cloud hosting providers
infrastructure services
monitoring and logging systems
communication services
Disruptive Studio shall ensure that such subprocessors are subject to appropriate contractual and security obligations.
Client authorizes the use of subprocessors as necessary for the operation of the Software.
INTERNATIONAL DATA TRANSFERS
Personal data may be transferred to and processed in jurisdictions outside the Client’s country.
Disruptive Studio implements reasonable safeguards to protect such transfers; however, Client is responsible for ensuring compliance with applicable cross-border data transfer regulations.
DATA SUBJECT RIGHTS
Disruptive Studio shall provide reasonable assistance to enable Client to respond to data subject requests, including:
access
correction
deletion
restriction
Client remains solely responsible for fulfilling such requests.
DATA BREACH RESPONSE
In the event of a confirmed data breach affecting personal data, Disruptive Studio shall:
take reasonable steps to contain and mitigate the incident
investigate the cause and impact
notify Client where appropriate and legally permitted
Client is responsible for any required notifications to authorities or individuals.
DATA RETENTION AND DELETION
Personal data shall be retained only as long as necessary to provide the Software and in accordance with operational and legal requirements.
Upon termination of services, data may be deleted or made inaccessible in accordance with the Terms.
Client is responsible for exporting or retaining any required data prior to termination.
AUDIT AND COMPLIANCE
Disruptive Studio maintains internal monitoring and security practices designed to ensure compliance with this DPA.
This DPA does not grant Client the right to conduct intrusive audits or access internal systems beyond reasonable verification requests.
LIABILITY
Each party is responsible for its own compliance with applicable data protection laws.
Disruptive Studio shall not be liable for:
Client’s misuse of the Software
Client’s failure to obtain proper consent
Client’s non-compliance with applicable laws
GOVERNING TERMS
This DPA forms part of the Terms and Conditions.
In the event of conflict, the Terms shall prevail.