Data Processing Agreement
Last updated: June 20, 2026
This DPA is incorporated into and forms part of the Terms of Service between Creofy ("Processor") and the customer ("Controller"). It applies where the customer uses Creofy to process personal data of individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland.
1. Definitions
In this DPA:
- "Controller" means the Creofy customer who determines the purposes and means of processing personal data — typically the business or agency using Creofy.
- "Processor" means Creofy, acting on the Controller's instructions.
- "Data Protection Law" means the UK GDPR, the EU GDPR (Regulation (EU) 2016/679), and the UK Data Protection Act 2018, as applicable.
- "Personal Data" has the meaning given in Data Protection Law.
- "Processing" has the meaning given in Data Protection Law.
- "Sub-processor" means any third party engaged by Creofy to process Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" or "SCCs" means the EU Commission Implementing Decision (EU) 2021/914 (Controller-to-Processor) for EEA transfers, and the UK IDTA or UK Addendum to the SCCs for UK transfers.
- "Special Category Data" has the meaning given in Article 9 GDPR / UK GDPR, including biometric data used for identification purposes.
2. Scope and Roles
This DPA applies to the Processing of Personal Data by Creofy on behalf of the Controller in connection with the Creofy platform. The subject-matter, nature, purpose, and duration of Processing, the categories of data subjects, and the types of Personal Data processed are as follows:
| Item | Description |
|---|---|
| Subject-matter | AI content generation, influencer management, campaign scheduling, and analytics services |
| Nature | Collection, storage, use, transmission to sub-processors, and deletion |
| Purpose | Provision of the Creofy platform as instructed by the Controller |
| Duration | For the term of the Controller's subscription, plus the retention period in our Privacy Policy |
| Data subjects | Workspace users, brand contacts, and individuals whose data the Controller uploads (e.g., talent reference images) |
| Data types | Name, email, profile data, uploaded images (which may contain biometric data), voice samples, usage data, and content generated on the platform |
3. Controller Obligations
The Controller:
- Remains the Controller for all Personal Data processed through Creofy and is responsible for ensuring it has a valid lawful basis for each processing activity.
- Must ensure all Personal Data provided to Creofy was collected lawfully, including obtaining any necessary consents (e.g., consent for biometric data under Article 9 GDPR and the Illinois BIPA).
- Is responsible for responding to data subject requests (DSARs) relating to Personal Data it has uploaded, except where the request directly concerns Creofy's own processing — in which case Creofy will assist as described in Section 7.
- Must implement appropriate measures on its own systems and access points to protect the Personal Data it processes via Creofy.
4. Processor Obligations
Creofy will:
- Process only on instruction: Process Personal Data only on the documented instructions of the Controller (as set out in the Terms of Service and this DPA), unless required to do otherwise by applicable law, in which case Creofy will notify the Controller before processing (to the extent permitted by law).
- Confidentiality: Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
- Security: Implement the technical and organisational measures described in Section 5.
- Sub-processors: Engage sub-processors only in accordance with Section 6.
- Assist with data subject rights: Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from data subjects — see Section 7.
- Assist with security obligations: Assist the Controller in ensuring compliance with Articles 32–36 of GDPR (security, breach notification, DPIAs, prior consultation).
- Deletion or return: At the Controller's choice, delete or return all Personal Data upon termination of the Terms of Service and delete existing copies, unless applicable law requires continued retention — see Section 8.
- Audit: Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits in accordance with Section 9.
- Not process for own purposes: Not process Personal Data for Creofy's own purposes (including model training) beyond what is described in our Privacy Policy.
5. Technical and Organisational Security Measures
Creofy implements the following measures (Article 32 GDPR):
- Encryption in transit: TLS 1.2+ for all data in transit between the platform and users and between Creofy and sub-processors.
- Encryption at rest: Server-side AES-256 encryption for stored data (Neon PostgreSQL, Cloudflare R2).
- Access control: Role-based access control; workspace data isolation so no workspace can access another workspace's data; authentication via Clerk.
- Pseudonymisation: Internal job and content IDs are pseudonymous; personal identifiers are not included in AI generation payloads where avoidable.
- Availability and resilience: Hosted on Vercel (web) and Railway (API + AI service) with provider-level redundancy.
- Breach detection and response: Error monitoring via Sentry; structured logging for security events; incident response plan in place.
- Vendor assessment: Material sub-processors are assessed for their own security posture and DPA terms before onboarding.
6. Sub-processors
The Controller provides general authorisation to Creofy to engage sub-processors. Creofy will maintain an up-to-date list of sub-processors and will provide the Controller with at least 14 days' prior written notice (email to the registered account address) before adding or replacing a material sub-processor. The Controller may object to such changes within the notice period by emailing support@creofy.io. If the parties cannot agree, either party may terminate the relevant service on reasonable notice.
Current material sub-processors include:
| Sub-processor | Location | Purpose |
|---|---|---|
| Neon (Neon Inc.) | USA | Managed PostgreSQL database |
| Vercel Inc. | USA | Web application hosting |
| Railway Corp. | USA | API and AI service hosting |
| Cloudflare (R2 / Workers) | USA / Global CDN | Object storage, media delivery |
| Clerk Inc. | USA | Authentication and user management |
| Upstash Inc. | USA | Redis queue (BullMQ job queue) |
| Fal.ai | USA | AI image generation |
| ElevenLabs Inc. | USA | AI voice cloning and audio generation |
| HeyGen Inc. | USA | AI avatar video generation |
| Runway ML Inc. | USA | AI video generation |
| OpenAI Inc. | USA | AI audit and quality scoring (GPT-4o) |
| PostHog Inc. | USA | Product analytics |
| Sentry (Functional Software) | USA | Error monitoring |
| Stripe Inc. | USA / Ireland (EU) | Payment processing and billing |
7. Assistance with Data Subject Rights
Creofy will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, and objection) to the extent technically feasible and within our role as Processor. Where a data subject contacts Creofy directly regarding data processed on behalf of a Controller, we will promptly forward the request to the Controller. Creofy will delete or return Personal Data on instruction from the Controller in response to a valid erasure request within 30 days.
8. Data Retention and Deletion on Termination
Upon termination or expiry of the Controller's subscription, Creofy will, at the Controller's written request, either return all Personal Data in a machine-readable format or securely delete it, within 60 days. After this period, we may delete all Personal Data unless retention is required by applicable law (e.g., financial records required by HMRC or accounting obligations). Backups containing Personal Data are deleted in the ordinary course within 90 days.
9. Audit Rights
Creofy will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA (Article 28(3)(h) GDPR). The Controller may, with 30 days' prior written notice and at its own cost, conduct or commission an audit of Creofy's processing activities relevant to this DPA, no more than once per year, provided the Controller signs a confidentiality agreement acceptable to Creofy and the audit does not interfere with Creofy's operations or other customers' data.
10. Data Breach Notification
Creofy will notify the Controller without undue delay (and where feasible within 72 hours) after becoming aware of a personal data breach affecting Personal Data processed under this DPA. Notification will be sent to the registered account email address and will include, to the extent then known: the nature of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed. The Controller remains responsible for notifying the relevant supervisory authority and, where required, affected data subjects.
11. International Data Transfers
Personal Data processed under this DPA may be transferred to, and processed in, countries outside the EEA and UK. Creofy relies on the following transfer mechanisms:
- EU Standard Contractual Clauses (SCCs): For transfers from the EEA to Creofy and onward to US-based sub-processors, we rely on the EU Commission SCCs (2021/914) Controller-to-Processor module.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we rely on the UK IDTA (or the UK Addendum to the EU SCCs), as adopted by the ICO.
- Adequacy decisions: Where available (e.g., transfers to countries with UK adequacy decisions), we rely on the relevant adequacy decision in preference to SCCs.
By accepting the Terms of Service and this DPA, the Controller agrees to the SCCs and IDTA (as applicable) being incorporated by reference into this agreement, with Creofy acting as data importer and the Controller as data exporter in each applicable module.
12. Data Protection Impact Assessments
Where the Controller intends to use Creofy for processing activities that are likely to result in a high risk to data subjects (e.g., large-scale processing of Special Category Data including biometrics), the Controller must conduct a Data Protection Impact Assessment (DPIA) as required by Article 35 GDPR. Creofy will provide such information as is reasonably necessary to assist the Controller in completing the DPIA, upon written request to support@creofy.io.
13. Governing Law
This DPA is governed by the laws of England and Wales, consistent with our Terms of Service, except where mandatory provisions of EU Data Protection Law require otherwise. For customers subject to EU GDPR only, mandatory EU law provisions take precedence over English law to the extent of any conflict in matters governed solely by EU Data Protection Law.
14. Execution
This DPA is incorporated into the Terms of Service and comes into effect when the Controller accepts the Terms of Service. No separate signature is required. If your organisation requires a countersigned DPA (for example, for enterprise compliance purposes), please email support@creofy.io (subject: DPA Request) and we will provide a signed copy.
15. Contact
DPA enquiries: support@creofy.io (subject: DPA).