AdAngel

Legal

Data Processing Agreement

Last updated: May 26, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between UTOPMED STUDIOS SRL ("Processor") and the customer ("Controller") and applies when UTOPMED STUDIOS SRL processes Personal Data on behalf of the Controller in connection with the Service.

1. Subject matter and duration

Processor processes Personal Data for the duration of the Service subscription, solely to deliver the Service in accordance with the Controller's documented instructions.

2. Nature & purpose

Hosting, storing, and processing user-submitted content to operate the AdAngel platform.

3. Types of data & data subjects

  • Identification: name, email, account ID.
  • Content: briefs, prompts, generated assets, uploads.
  • Usage: log data, IP address, device data.

4. Processor obligations

  • Process only on documented instructions from the Controller.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Annex II).
  • Assist the Controller with data-subject requests and DPIAs.
  • Notify the Controller of a personal-data breach without undue delay (within 72h).
  • Delete or return Personal Data at the end of the Service.

5. Sub-processors

Controller authorizes the sub-processors listed in our Privacy Policy §5 (currently: Supabase, Stripe, Cloudflare, OpenAI, Google, ElevenLabs, kie.ai, Kling AI, Firecrawl, Resend). We give at least 30 days' notice of new sub-processors via email or in-app notice; the Controller may object on reasonable grounds.

6. International transfers

Transfers of Personal Data outside the EEA/UK to non-adequate jurisdictions are protected by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914 — Module 2, controller-to-processor, and Module 3, processor-to-processor where applicable) and the UK International Data Transfer Addendum, incorporated by reference into this DPA.

7. Audits

Processor provides, on request, the latest third-party audit reports (SOC 2 / ISO 27001) of its sub-processors. On-site audits are subject to mutually agreed scope and confidentiality.

8. Annex II — security measures (summary)

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access; MFA on all admin accounts.
  • Row-level security in the database.
  • Centralized logging and intrusion detection.
  • Daily backups with 30-day retention.
  • Vendor and personnel security reviews.

9. Signing

Use of the Service constitutes acceptance of this DPA. For a countersigned copy, email privacy@adangel.app.