Legal
Data Processing Agreement (DPA)
Version 1.1 · Effective date: April 17, 2026
Last updated: April 18, 2026
This Data Processing Agreement ("DPA") supplements CoreLab Creative's Terms and Conditions of Service and applies when the Client (as Data Controller) uses the Platform to process personal data of their own users, employees, or other natural persons, and CoreLab Creative acts as Data Processor on behalf of the Client. This DPA is particularly relevant where GDPR, UK GDPR, LGPD, DPDPA 2023, or equivalent regulations apply.
CoreLab Creative processes personal data on behalf of the Client solely for the purpose of providing the services described in the Terms and Conditions of Service.
Processing operations include: collection and receipt of data uploaded or generated through Platform use; storage and organization within the multi-tenant model; querying and retrieval to display the interface and respond to user actions; modification by authorized Client users; transmission to sub-processors for billing and communications; deletion upon request or upon expiry of retention periods; and activity logging for security and traceability.
Processed data may correspond to the Client's employees, collaborators, or contractors; the Client's end users (if they introduce data of their own clients into the Platform - not recommended except in support tickets); and the Client's suppliers or partners.
CoreLab is not designed to process special categories of personal data (health, ethnic origin, political opinions, biometric data, etc.). The Client must not upload such data. If they do, they assume full responsibility for applicable regulatory compliance.
Processing extends throughout the duration of the subscription contract, plus the post-cancellation retention period (maximum 90 days for client data, with the exception of billing data subject to accounting obligations).
CoreLab processes data solely in accordance with the Controller's documented instructions, defined by this DPA, the Terms and Conditions, and the actions of the Client's authorized users on the Platform.
If CoreLab believes that a Client instruction infringes Applicable Regulation, it will notify the Client in writing.
Purpose restriction: CoreLab will not use the Client's personal data for any purpose of its own, including business analysis, marketing, advertising, or training artificial intelligence models.
CoreLab ensures that personnel with access to Client data are subject to contractual or legal confidentiality obligations. Only personnel with administration or client service roles may access request data, and solely in the context of service delivery.
CoreLab implements technical and organizational measures appropriate to the risk, including:
CoreLab will assist the Client with: responding to data subject rights (access, rectification, erasure, portability); impact assessments (DPIA); security incident notification; and regulatory compliance with supervisory authorities.
Upon termination of the service, CoreLab will delete Client data within the established post-cancellation period (90 days). At the Client's request, it may facilitate data export in a standard format prior to deletion.
CoreLab will notify the Client of any Security Incident without undue delay and, where possible, within 72 hours of becoming aware of the incident.
The notification will include: description of the nature of the incident, categories and approximate number of data subjects affected, contact details of CoreLab's internal responsible party, possible consequences, and measures taken or proposed.
Notification will be sent to the email address of the affected workspace owner. It is the Client's responsibility to notify the competent supervisory authority of the incident when required by applicable regulation.
| Sub-processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | All application data | AWS (configurable region) |
| Stripe Inc. | Payment and subscription processing | Client's email, organization name, subscription metadata | United States (SCCs) |
| Resend Inc. | Transactional email delivery | Recipient email, email content (name, ticket data, invitation URLs) | United States |
CoreLab will notify the Client at least 30 days in advance before adding or replacing a sub-processor. The Client may object to the change within that period. If no agreement is reached, the Client may cancel their subscription without penalty.
CoreLab imposes data protection obligations on its sub-processors equivalent to those in this DPA through written agreements. CoreLab will be liable to the Client for the acts of its sub-processors to the same extent as if it had performed the processing directly.
Transfers of data to sub-processors located outside the European Economic Area are carried out under appropriate mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and specific Data Processing Agreements with each sub-processor.
If the Client has specific data residency requirements (e.g., that data remain in the EU or LATAM), they must communicate this to CoreLab before or during contracting.
The Client has the right to audit CoreLab's compliance with this DPA, directly or through a designated auditor, with reasonable prior notice (at least 30 days) and without interfering with CoreLab's normal operations.
Alternatively, CoreLab may provide security reports conducted by independent third parties when available. CoreLab maintains internal records of processing activities carried out on behalf of the Client, available upon request from supervisory authorities.
CoreLab Creative - Data Protection Officer
Email: info@corelabcreative.com
Suggested subject: [DPA] - brief description
In the event of conflict between this DPA and the Terms and Conditions on data protection matters, this DPA will prevail.
By accepting the Terms and Conditions of Service, the Client also accepts the terms of this DPA, which forms an integral part of the agreement.
CoreLab acts as a Service Provider with respect to personal data of California consumers processed on behalf of the Client.
CoreLab commits to: not selling Client data to any third party; not sharing it for behavioral advertising; not retaining, using, or disclosing it for purposes other than the contracted service; and not combining it with data from other sources or other clients except for security or compliance purposes.
CoreLab will assist the Client in responding to California consumer rights requests within timelines that enable compliance with legal deadlines (45 days).
This appendix supplements the DPA for processing of data of persons located in the United Kingdom, governed by UK GDPR (Data Protection Act 2018).
Transfers of personal data from the United Kingdom will use the ICO's International Data Transfer Addendum (UK IDTA), or the EU SCCs with the ICO Addendum, as applicable.
Competent supervisory authority: Information Commissioner's Office (ICO) - ico.org.uk.
Applicable to the processing of Client data by CoreLab Creative, pursuant to Art. 32 GDPR and Annex II of the applicable SCCs.
CoreLab operates entirely in the cloud without its own physical server facilities. Physical infrastructure security is the responsibility of cloud sub-processors. CoreLab verifies that they maintain adequate physical security certifications.
Personnel with access to client data are aware of their confidentiality and data protection obligations. Internal policies define proper handling and the consequences of non-compliance.
| Sub-processor | Purpose | Data Transferred | Location | Reference |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | All application data | AWS (configurable region) | supabase.com/privacy |
| Stripe Inc. | Payments and subscriptions | Email, organization name, subscription metadata | USA (SCCs) | stripe.com/privacy |
| Resend Inc. | Transactional emails | Recipient email, email content | USA | resend.com/legal/privacy-policy |