Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Art Unlock Terms & Conditions (“Agreement”) between:

Client / Data Controller:
Any User, Artist, institution, or entity that provides personal data through the Art Unlock Platform.

Processor:
Art Unlock Inc., a U.S.-based company (“Art Unlock”, “we”, “us”, “our”).

This DPA governs the processing of personal data in accordance with:

  • Regulation (EU) 2016/679 (GDPR)
  • UK GDPR
  • California Consumer Privacy Act (CCPA)
  • Industry-standard security and international data protection principles

1. Definitions

1.1 “Personal Data”

Any information relating to an identified or identifiable natural person processed through the Platform.

1.2 “Processing”

Any operation performed on personal data, including collection, storage, transmission, deletion, or analysis.

1.3 “Controller”

The entity that determines the purposes and means of processing personal data — typically the User or Artist.

1.4 “Processor”

Art Unlock Inc., when processing personal data on behalf of the Controller.

1.5 “Sub-Processor”

Any third-party service used by Art Unlock to process personal data (e.g., hosting providers, payment processors).

1.6 “SCCs”

EU Standard Contractual Clauses for data transfers outside the EEA (2021 versions).

2. Purpose of Processing

Art Unlock shall process personal data solely to:

  • Provide the Platform and related services
  • Facilitate profiles, listings, and bookings
  • Provide support, analytics, and system performance
  • Ensure security and compliance
  • Fulfill obligations stated in the Agreement

No processing will occur beyond documented instructions from the Controller.

3. Obligations of Art Unlock (Processor)

Art Unlock agrees to:

3.1 Process data only on documented instructions

The Processor may not:

  • Sell personal data
  • Use it for advertising purposes
  • Share it with unauthorized third parties

3.2 Maintain strict confidentiality

Employees and contractors with access to data must sign confidentiality agreements.

3.3 Implement industry-standard security measures

Including, but not limited to:

  • Encryption (in transit and at rest)
  • Access controls
  • Secure authentication
  • Incident monitoring
  • Data minimization
  • Regular penetration tests (when applicable)

3.4 Notify breaches

Art Unlock will notify the Controller without undue delay (max 72 hours under GDPR) in the event of a data breach.

3.5 Assist the Controller

Support in responding to:

  • Data access requests
  • Corrections
  • Deletion
  • Portability
  • Objections
  • Restriction requests

3.6 Data deletion

Upon termination, Art Unlock will delete or return all personal data within 30 business days, unless law requires retention.

4. Sub-Processors

Art Unlock may use third-party providers to support Platform services.

4.1 Approved Sub-Processors include (examples):

  • Hosting and cloud storage providers
  • Payment processors (e.g., Stripe, PayPal)
  • Email delivery systems
  • Analytics tools
  • Security monitoring services

4.2 Requirements for Sub-Processors

All must:

  • Sign data protection agreements with Art Unlock
  • Use appropriate security measures
  • Process data only as instructed
  • Be GDPR-compliant (for EU data subjects)

4.3 Controller Rights

The Controller may:

  • Request a list of Sub-Processors
  • Object to specific Sub-Processors when reasonable

5. International Transfers

Because Art Unlock operates globally, personal data may be transferred outside the EEA, including to the United States.

Art Unlock ensures:

5.1 SCC Implementation

Transfers rely on EU Standard Contractual Clauses (2021).

5.2 Adequate Safeguards:

  • Encrypted transit
  • Encrypted storage
  • Privacy-Shield–successor commitments where applicable
  • Supplementary technical and organizational measures

6. Rights of Data Subjects

Art Unlock will assist Controllers in fulfilling legal requests regarding:

  • Access to personal data
  • Correction of inaccurate data
  • Request for deletion (“right to be forgotten”)
  • Restriction of processing
  • Portability of data
  • Objections to processing
  • Opt-out rights (CCPA)

Requests must be submitted to: 📧 legal@artunlock.art

7. Security Measures

Art Unlock implements organizational and technical safeguards including:

7.1 Technical Security

  • SSL/TLS encryption
  • Encrypted backups
  • Access logging
  • Multi-factor authentication
  • Firewalls and intrusion detection
  • Secure coding practices

7.2 Organizational Security

  • Restricted employee access
  • Confidentiality agreements
  • Staff training
  • Security audits
  • Vendor due diligence

8. Data Breach Notification

Art Unlock will:

  • Notify the Controller within 72 hours, or sooner when feasible
  • Provide details of the breach, scope, impact, and mitigation measures
  • Assist in fulfilling regulatory reporting obligations

9. Termination

Upon termination of the Agreement:

  • Art Unlock will return or delete all personal data
  • Logs may be retained for security, auditing, or legal compliance
  • Sub-Processors will also comply with deletion requirements

10. Liability

The Processor’s liability is subject to the limitations set forth in the main Agreement, except where GDPR mandates otherwise.

Art Unlock shall not be liable for Controller misuse, improper configuration, or unauthorized sharing of personal data.

11. Governing Law

  • For EU data subjects: GDPR applies.
  • For UK data subjects: UK GDPR applies.
  • For U.S. matters: State of New York law applies.
  • SCCs shall govern cross-border transfers.

Art Unlock Inc.
New York, United States of America