Data Processing Addendum (DPA)

Embers Studio
Last updated: 01.03.2026


1. Purpose

This Data Processing Addendum (“DPA”) forms part of the agreement between:

Embers Studio (“Processor”)
and
The Client (“Controller”)

where Embers Studio processes personal data on behalf of the Client in the course of providing services.

This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.


2. Roles of the Parties

  • The Client is the Data Controller.

  • Embers Studio acts as a Data Processor.

The Client determines the purpose and means of processing personal data.
Embers Studio processes data solely on documented instructions from the Client.


3. Subject Matter & Duration

Subject Matter

Processing of personal data in connection with services such as:

  • Website development

  • Hosting configuration

  • Analytics setup

  • Form integrations

  • Marketing tools

  • Technical support

Duration

Processing continues for the duration of the service agreement and until data is deleted or returned upon termination.


4. Nature & Purpose of Processing

Processing may include:

  • Collection (via forms or integrations)

  • Storage

  • Organization

  • Structuring

  • Retrieval

  • Consultation

  • Limited modification

  • Deletion

The purpose of processing is to deliver contracted services.


5. Categories of Data Subjects

Personal data may relate to:

  • Website visitors

  • Customers of the Client

  • Leads and prospects

  • Employees (if applicable)


6. Categories of Personal Data

Depending on the services provided, data may include:

  • Names

  • Email addresses

  • Phone numbers

  • IP addresses

  • Technical device data

  • Contact form submissions

  • Account credentials (if provided by Client)

Embers Studio does not intentionally process special categories of data unless explicitly instructed.


7. Processor Obligations

Embers Studio agrees to:

  1. Process personal data only on documented instructions from the Client.

  2. Ensure that persons authorized to process data are bound by confidentiality.

  3. Implement appropriate technical and organizational security measures.

  4. Not sell, share, or use personal data for its own purposes.

  5. Assist the Client in fulfilling GDPR obligations where reasonably possible.

  6. Notify the Client without undue delay of any data breach.


8. Security Measures

Embers Studio implements reasonable safeguards including:

  • Secure password management

  • Access control

  • Use of secure hosting providers

  • SSL encryption

  • Regular software updates

  • Limitation of internal access

Absolute security cannot be guaranteed, but reasonable industry standards are applied.


9. Subprocessors

The Client authorizes the use of subprocessors as necessary to deliver services, including but not limited to:

  • Hosting providers

  • Analytics providers

  • Cloud storage services

  • Email service providers

  • Security services

Embers Studio ensures that subprocessors are contractually bound to comply with applicable data protection laws.

A list of subprocessors can be provided upon request.


10. International Transfers

Where personal data is transferred outside the EU/EEA, appropriate safeguards shall be implemented, such as:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Other lawful transfer mechanisms


11. Data Subject Rights

Embers Studio will assist the Client, where reasonably possible, in responding to requests related to:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Portability

  • Objection

The Client remains responsible for handling such requests.


12. Data Breach Notification

In the event of a personal data breach, Embers Studio shall:

  • Notify the Client without undue delay

  • Provide available information regarding the breach

  • Assist in mitigation where applicable


13. Data Return or Deletion

Upon termination of services, Embers Studio shall:

  • Return personal data to the Client, or

  • Delete personal data, unless legally required to retain it.


14. Audit Rights

The Client may request reasonable information to verify compliance with this DPA.
Formal audits must be agreed upon in advance and must not disrupt operations.


15. Liability

Each party remains responsible for compliance with applicable data protection laws.

Liability limitations are governed by the main service agreement.


16. Governing Law

This DPA shall be governed by the laws of:

North Macedonia


17. Acceptance

This DPA becomes effective when:

  • Referenced and incorporated into a service agreement.