
Data Processing Agreement

Effective date: April 25, 2026

This Data Processing Agreement ("DPA") supplements our Terms of Service and forms part of the contract between you ("Customer", the data controller) and ASOshots ("Processor") when ASOshots processes personal data on your behalf in the course of providing the service. It is offered for B2B customers who need an Article 28 GDPR processor contract.

For consumer / individual users, the Privacy Policy alone governs the relationship; this DPA does not need to be executed.

1. Subject matter and duration

ASOshots processes Customer Personal Data only as necessary to provide the screenshot-generation service described in the Terms. This DPA remains in force for as long as Customer maintains an active account with ASOshots.

2. Nature and purpose of processing

  • Nature: storage, transmission, and processing of uploaded screenshots and account data through AI image-generation pipelines.
  • Purpose: producing localized App Store screenshots that the Customer commissions.

3. Categories of data subjects and personal data

  • Data subjects: Customer's authorized users (typically: individual developers, designers, marketing personnel) and, indirectly, end-users whose information may appear in uploaded screenshots (e.g. test-account avatars, sample profile names).
  • Categories: identification data (name, email), professional data (role, company), and any personal data incidentally present in uploaded screenshots.

Customer is responsible for ensuring uploaded screenshots do not contain personal data of real end-users without lawful basis.

4. Processor obligations

ASOshots commits to:

  • Process Customer Personal Data only on documented Customer instructions, including transfers outside the EEA where applicable.
  • Ensure that personnel with access to Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures to ensure security (Annex A below).
  • Engage subprocessors only with Customer's prior written authorisation (a flat list with notice of changes is authorisation; see Section 5).
  • Assist Customer in responding to data-subject requests (access, rectification, erasure, portability) within 7 business days of request.
  • Notify Customer without undue delay (and within 72 hours where feasible) of any Personal Data breach affecting Customer Data.
  • On termination, return or delete all Personal Data within 30 days, except where retention is required by applicable law.

5. Subprocessors

Customer authorises ASOshots to engage the following subprocessors. Items marked (planned) are not yet active in production — they will be added once the corresponding feature ships, and we will treat that addition as a regular subprocessor change under Section 5 below.

  • Google LLC — Gemini AI image generation (Ireland / United States). Active.
  • Supabase Inc. — managed Postgres + object storage. Hosting region is configurable per-deployment; contact us for the current region. Active.
  • Vercel Inc. — application hosting and edge delivery (multi-region). Active.
  • Cloudflare, Inc. — DNS, TLS, email-routing, and DDoS protection (multi-region). Active.
  • Stripe, Inc. — subscription billing (United States). Planned — wires up when paid checkout ships.
  • Resend, Inc. (or equivalent) — transactional email (United States). Planned — wires up when the email pipeline ships.

ASOshots will provide at least 30 days' notice before adding a new subprocessor and will give Customer a reasonable opportunity to object. Each subprocessor is bound by data-protection terms substantially equivalent to those in this DPA.

6. International transfers

Where Personal Data is transferred outside the EEA / UK, ASOshots relies on the European Commission's Standard Contractual Clauses (2021/914) and / or the UK International Data Transfer Addendum (2022) as applicable. Copies are available on request to legal@asoshots.com.

7. Audits

Customer may, no more than once per twelve-month period and on reasonable advance notice, request information demonstrating ASOshots' compliance with this DPA. We will respond with documented security and compliance information; on-site audits are available for enterprise contracts at Customer's expense.

8. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations set out in the underlying Terms of Service.

9. Annex A — Security measures

  • Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
  • Encryption at rest: AES-256 at the storage layer for both Postgres and object storage.
  • Access control: least-privilege service-role keys, rotated quarterly. Production database access requires MFA.
  • Logging and monitoring: access to Customer Personal Data is logged and retained for 90 days. Anomalies trigger on-call alerts.
  • Backups: Postgres point-in-time recovery where the storage tier supports it (currently up to 7 days on our managed-Postgres provider's paid tier). Object storage versioning enabled where supported.
  • Personnel: all individuals with access to Personal Data are bound by written confidentiality obligations.
  • Incident response: documented runbook; notification of a confirmed Personal Data breach within 72 hours, as required by GDPR Article 33. We monitor production via error-tracking and access logs; if monitoring fails, we treat that as the breach window starting on first internal knowledge.

10. Signing this DPA

By executing the underlying Terms of Service and using the service in a professional capacity, Customer is deemed to have agreed to this DPA. For an executed counterparty copy on company letterhead, email legal@asoshots.com with company name and signatory details.

© 2026 ASOshots, Inc. · Made in SF + Istanbul · All rights reserved