Data Processing Agreement

Effective from December 2, 2024
Questions? Email [email protected].

This Data Processing Agreement ("DPA") forms part of the agreement between StudioLM ("Processor," "we," "us," or "our") and you, the individual or entity using our Services ("Controller," "Customer," "you," or "your").

This DPA governs the processing of personal data by StudioLM on behalf of the Customer in connection with the provision of our AI image generation, text generation, and API services (the "Services") as described in our Terms of Service.

When This DPA Applies: This DPA applies when you use our Services and we process personal data on your behalf (e.g., when you use our API to process data for your own customers or users).

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Applicable Data Protection Laws" means all laws and regulations relating to the processing of personal data that apply to the parties, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other similar laws.
  • "Controller" means the entity that determines the purposes and means of processing personal data (typically, you as the Customer).
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed in connection with the Services.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Processor" means the entity that processes personal data on behalf of the Controller (StudioLM).
  • "Security Incident" means any unauthorized access, acquisition, or disclosure of personal data.
  • "Sub-processor" means any third party engaged by StudioLM to process personal data on behalf of the Customer.

2. Scope and Roles

2.1 Roles of the Parties

  • Customer as Controller: When you use our Services to process data relating to your own customers, users, or other individuals, you act as the Controller of that personal data.
  • StudioLM as Processor: StudioLM processes personal data solely on your behalf and according to your instructions as described in this DPA and the Terms of Service.

2.2 Customer Responsibilities

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis to process personal data through our Services
  • Providing any required notices to Data Subjects
  • Obtaining any necessary consents from Data Subjects
  • Ensuring your use of the Services complies with Applicable Data Protection Laws

3. Processing of Personal Data

3.1 Processing Instructions

StudioLM will process personal data only:

  • In accordance with your documented instructions as set out in this DPA, the Terms of Service, and your use of the Services
  • As necessary to provide the Services you have requested
  • As required by Applicable Data Protection Laws (in which case we will inform you of the legal requirement unless prohibited by law)

3.2 Nature and Purpose of Processing

We process personal data to provide the Services, which may include:

  • Processing text prompts to generate AI-generated content
  • Processing images for image-to-image generation
  • Storing and retrieving generated content
  • Managing user accounts and authentication
  • Processing payments and managing billing

3.3 Duration of Processing

We will process personal data for the duration of your use of the Services and as required to fulfill our obligations under this DPA. Upon termination of your account, all personal data will be deleted immediately as described in our Privacy Policy.

4. Details of Processing

  • Subject Matter: Provision of AI generation and API services
  • Duration: For the term of your account or until you request deletion
  • Nature of Processing: Collection, storage, use, and deletion of personal data to provide the Services
  • Purpose of Processing: To provide AI image generation, text generation, and related API services
  • Categories of Data Subjects: Users of the Services, customers of the Customer who interact with the Services
  • Types of Personal Data: Account information (email, username), usage data, prompts, generated content, IP addresses
  • Sensitive Data: We do not intentionally process sensitive personal data (health, religion, etc.)

5. Security Measures

StudioLM implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption: HTTPS/TLS encryption for all data in transit
  • Access Controls: Role-based access controls limiting who can access personal data
  • Authentication: Secure password hashing and optional two-factor authentication
  • Monitoring: Security monitoring and logging to detect unauthorized access
  • Rate Limiting: Protection against abuse and automated attacks
  • Data Minimization: Collection of only data necessary to provide the Services

6. Confidentiality

StudioLM ensures that:

  • All personnel authorized to process personal data are bound by confidentiality obligations
  • Personal data is treated as confidential and protected from unauthorized disclosure
  • Confidentiality obligations survive the termination of this DPA

7. Sub-processors

7.1 Authorization

You authorize StudioLM to engage the following categories of Sub-processors to assist in providing the Services:

  • Cloud Infrastructure Providers: For hosting and data storage
  • Payment Processors: For processing payments (Coinbase Commerce)
  • Security Services: For DDoS protection and security (Cloudflare)
  • Email Services: For sending transactional emails

7.2 Sub-processor Obligations

When engaging Sub-processors, StudioLM will:

  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of Sub-processors
  • Provide information about Sub-processors upon request

7.3 Objection to Sub-processors

If we engage a new Sub-processor, we will notify you with reasonable advance notice. You may object to a new Sub-processor on reasonable data protection grounds by contacting us within 14 days of notification. If we cannot accommodate your objection, you may terminate the affected Services.

8. Data Subject Rights

StudioLM will assist you in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If we receive a Data Subject request directly, we will promptly notify you and await your instructions (unless required by law to respond directly).

9. Security Incidents

In the event of a Security Incident affecting personal data processed on your behalf, StudioLM will:

  • Notify you without undue delay (and in any event within 72 hours of becoming aware)
  • Provide information about the nature of the incident, affected data, and measures taken
  • Cooperate with you to investigate and mitigate the incident
  • Document the incident and our response

10. Data Deletion

Upon termination of your account or upon your written request:

  • We will delete all personal data processed on your behalf immediately
  • We will not retain copies of personal data except as required by law
  • We will provide confirmation of deletion upon request

Immediate Deletion: Unlike many services, StudioLM deletes all your data immediately upon account deletion. We do not maintain backup copies of deleted user data.

11. International Data Transfers

If personal data is transferred outside your jurisdiction, StudioLM will ensure:

  • Transfers are made only to countries with adequate data protection laws, or
  • Appropriate safeguards are in place (such as Standard Contractual Clauses), or
  • An exception under Applicable Data Protection Laws applies

12. Audits and Compliance

Upon reasonable request and subject to confidentiality obligations:

  • We will provide information necessary to demonstrate compliance with this DPA
  • We will allow for and contribute to audits conducted by you or an auditor mandated by you
  • Audits will be conducted during normal business hours with reasonable advance notice

13. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be limited by law

14. General Provisions

14.1 Conflicts

In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.

14.2 Amendments

We may update this DPA to reflect changes in Applicable Data Protection Laws or our data processing practices. Material changes will be notified to you with reasonable advance notice.

14.3 Governing Law

This DPA shall be governed by the same laws that govern the Terms of Service, unless Applicable Data Protection Laws require otherwise.

15. Contact

For questions about this DPA or to exercise any rights under it, please contact:

  • Email: [email protected]
  • Website: studiolm.dev