Data Processing Addendum (DPA)
Last updated: September 4, 2025
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written agreement (“Agreement”) between Studio98 Inc (“Provider”, “we”, “us”) and the customer (“Customer”, “you”) who uses the Studio98.ai platform and related services (the “Services”).
This DPA reflects the parties’ agreement with respect to the Processing of Personal Data in accordance with the EU/UK General Data Protection Regulation (GDPR), and where applicable, similar laws in other jurisdictions.
1. Roles of the Parties
- Customer acts as the Data Controller.
- Provider (Studio98.ai) acts as the Data Processor when processing Personal Data on behalf of the Customer through the Services.
- For certain processing activities (e.g., direct marketing to leads, our own analytics), Provider may act as an independent Data Controller.
2. Subject Matter and Duration
- Subject matter: Provider processes Personal Data as necessary to provide the Services, including enabling AI employees/agents and connected integrations.
- Duration: This DPA remains in effect as long as Provider processes Personal Data on behalf of Customer.
3. Nature and Purpose of Processing
Processing includes:
- Running Customer-selected AI employees/agents.
- Storing and transmitting data through integrations (e.g., Google, Microsoft, HubSpot).
- Hosting, backup, and support.
- Security monitoring and incident detection.
The purpose is to provide the Services according to the Agreement.
4. Categories of Data Subjects
Customer may submit Personal Data relating to:
- Customer’s employees, contractors, and users
- Customer’s clients, leads, or other end users whose data is connected to the Services
5. Categories of Personal Data
May include:
- Contact information (name, email, phone, company)
- Login identifiers (OAuth tokens, user IDs)
- Business data provided to or generated by AI agents
- Uploaded files, text, and communications
- Usage logs, IP addresses, device/browser metadata
Provider does not intentionally process special category data (sensitive data) unless Customer chooses to submit it.
6. Processor Obligations
Provider will:
- Process Personal Data only on documented instructions from Customer.
- Not sell or use Personal Data for advertising.
- Ensure personnel with access are bound by confidentiality.
- Implement technical and organizational security measures (see Annex 2).
- Assist the Customer in responding to data subject requests (access, deletion, etc.).
- Notify Customer without undue delay of any Personal Data Breach.
- Delete or return Personal Data upon termination (subject to legal retention requirements).
7. Sub-processors
Customer authorizes Provider to use third-party sub-processors to provide the Services (e.g., cloud hosting, payment processors, analytics, AI infrastructure, MCP/API integrations).
- Provider maintains a list of sub-processors [link to online list].
- Provider will give Customer prior notice of changes to sub-processors and allow objection on reasonable grounds.
8. International Transfers
Where Personal Data is transferred outside the EEA/UK to a country without adequacy status, Provider ensures appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs) or participation in the EU–US Data Privacy Framework (where applicable).
9. Data Subject Rights
Provider will, to the extent legally permitted, assist Customer in fulfilling obligations to respond to requests from data subjects (access, correction, erasure, portability, objection, restriction).
10. Security
Provider implements appropriate technical and organizational measures to protect Personal Data (see Annex 2).
11. Audit Rights
Upon request, Provider will provide documentation demonstrating compliance with this DPA. Audits by Customer or an independent auditor may be conducted subject to reasonable notice and confidentiality obligations.
12. Liability
Each party’s liability under this DPA is subject to the limitations of liability in the Agreement.
13. Termination
This DPA terminates automatically upon termination of the Agreement. Upon termination, Provider will delete or return all Personal Data, unless retention is required by law.
Annex 1: Details of Processing
Subject matter: Processing Personal Data through the Studio98.ai platform and connected integrations.
Duration: For the term of the Agreement.
Purpose: Provision of Services, including AI employee/agent execution, storage, support, and billing.
Data categories: Contact info, business data, integrations data, usage logs.
Data subjects: Customer’s staff, end users, clients.
