Data Processing Agreement

For customers on Agency, Business, or Enterprise plans processing EU/UK personal data.

Last updated: April 2026

Preamble

This Data Processing Agreement (“DPA”) forms part of the Ava-Twin Terms of Service between ZedStack LLC (“Processor”, “we”) and the customer identified in a signed agreement (“Controller”, “You”). It applies when You process Personal Data of individuals in the European Economic Area (EEA), United Kingdom, or Switzerland using the Ava-Twin Service.

By continuing to use the Service after 1 May 2026 on an Agency, Business, or Enterprise plan, You are deemed to have accepted this DPA. Customers on Indie or Studio plans may request a signed DPA by contacting legal@ava-twin.me.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, as defined under GDPR Article 4.
  • Processing: any operation performed on Personal Data as defined under GDPR Article 4.
  • Controller: You, the Ava-Twin customer, who determines the purposes and means of Processing.
  • Processor: ZedStack LLC, processing Personal Data on Your behalf.
  • Sub-processor: a third party engaged by Processor to process Personal Data.
  • EEA/UK/CH Personal Data: Personal Data of data subjects located in those regions.

2. Subject Matter, Duration, Nature, and Purpose

Subject matter: Processing of end-user data transmitted through the Ava-Twin Service (avatar IDs, skin tones, persistence data) as part of Your use of the Service.

Duration: For as long as You maintain an active subscription, plus retention periods required by law.

Nature: Storage, transmission, retrieval, and delivery of avatar customization data.

Purpose: Enabling Your Application to provide avatar customization and persistence to end users.

Types of Personal Data: Pseudonymous player identifiers (You choose what to submit), avatar customization selections, technical metadata (IP, timestamps, request metadata).

Categories of data subjects: End users of Your Application.

3. Controller Obligations

You warrant that:

  • (a) You have a lawful basis under GDPR Article 6 for Processing Personal Data through the Service;
  • (b) You have provided data subjects with appropriate notice under GDPR Articles 13/14;
  • (c) You will respond to data subject requests (access, erasure, etc.) addressed to You; and
  • (d) You comply with all applicable data protection laws.

4. Processor Obligations

We will:

  • (a) Process Personal Data only on Your documented instructions (including those in the Terms and this DPA);
  • (b) Ensure personnel authorized to process Personal Data are subject to confidentiality;
  • (c) Implement appropriate technical and organizational measures (see Section 8);
  • (d) Assist You in responding to data subject requests;
  • (e) Assist You with security, data breach notifications, and Data Protection Impact Assessments;
  • (f) Delete or return Personal Data upon termination (except where law requires retention);
  • (g) Make available information necessary to demonstrate compliance; and
  • (h) Immediately inform You if we believe Your instructions violate applicable law.

5. Sub-processors

You authorize us to engage the following sub-processors:

  Sub-processor      | Purpose                              | Location
  -------------------+--------------------------------------+-------------
  Supabase Inc.      | Database, authentication, storage    | US, EU
  Stripe, Inc.       | Payment processing                   | Global
  Vercel Inc.        | Application hosting                  | Global edge
  Cloudflare, Inc.   | DDoS protection, bot verification    | Global edge

We will notify You of new sub-processors with at least 30 days' notice. You may object to a new sub-processor in writing. If we cannot address Your objection, You may terminate the affected portion of the Service.

Each sub-processor is bound by data protection obligations substantially equivalent to those in this DPA.

6. International Data Transfers

Personal Data may be transferred outside the EEA/UK/CH to the United States. We rely on:

  • (a) Standard Contractual Clauses (2021/914 EU, UK IDTA) with each sub-processor;
  • (b) Appropriate supplementary measures where required; and
  • (c) Your explicit authorization of transfers where appropriate.

7. Data Subject Rights Assistance

We will assist You, taking into account the nature of Processing, by appropriate technical and organizational measures, in fulfilling Your obligations to respond to data subject requests. Specifically:

  • (a) Access, rectification, erasure, restriction, and portability: handled via dashboard controls or by emailing privacy@ava-twin.me; and
  • (b) We will respond to Your assistance requests within 14 days.

8. Security Measures

We implement:

  • (a) Encryption in transit (TLS 1.2+);
  • (b) Encryption at rest for sensitive fields (API keys hashed, passwords stored as bcrypt hashes via Supabase Auth);
  • (c) Access controls and least-privilege principles;
  • (d) Audit logging of sensitive operations;
  • (e) Regular security reviews;
  • (f) Secure software development practices; and
  • (g) Vendor security reviews for sub-processors.

9. Data Breach Notification

We will notify You without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data breach. Notification will include:

  • (a) Nature of the breach;
  • (b) Categories and approximate number of affected data subjects;
  • (c) Contact point for further information; and
  • (d) Measures taken or proposed.

Notifications are sent to the email address on record for Your account.

10. Deletion and Return

Upon termination, we will, at Your choice:

  • (a) Delete Personal Data within 30 days; or
  • (b) Return Personal Data via export tool.

This is subject to any retention required by law (e.g., billing records, 7-year tax retention).

11. Audits

You or Your designated auditor may audit our compliance once per year at Your expense, subject to 30 days' written notice and mutually agreed scope. As an alternative, we will provide annual independent audit reports (SOC 2 when available) that typically satisfy audit rights.

12. Liability

Liability under this DPA is subject to the liability cap in Your Terms of Service.

13. Order of Precedence

If there is conflict between this DPA and the Terms of Service, this DPA prevails for matters related to Personal Data Processing.

14. Contact