DATA PROCESSING ADDENDUM (DPA): RATIO READY
Last updated: March 3, 2026
Status: 2026 Compliant (GDPR, EU AI Act, UK GDPR, CCPA/CPRA)
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Master Terms of Service between Your Brand Assistant LLC ("Processor") and the User or Entity ("Controller") accessing the RatioReady Service.
1. Nature and Purpose of Processing
1.1 Subject Matter
The subject matter of the processing is the automated transformation, upscaling, and metadata enhancement of image assets and e-commerce data provided by the Controller.
1.2 Purpose
The purpose is to provide professional-grade image processing and print-on-demand asset generation as requested by the Controller.
1.3 Duration
Processing is transient. Personal Data (images) is retained only for the volatile duration required to deliver the service (30 minutes for single assets; 24 hours for batch archives).
2. Technical and Organizational Measures (TOMs)
The Processor warrants that it has implemented the following industry-standard safeguards to protect Controller data:
- Infrastructure Security: Primary application logic and web gateways are hosted in ISO 27001-certified data centers in Germany (EU).
- Volatile Processing: The AI production pipeline operates in a stateless environment. No image data is retained for AI model training or long-term storage.
- Encryption Standards: All data in transit is secured via TLS 1.3. Temporary data at rest is protected via AES-256 encryption.
- Access Governance: Internal access to production environments is strictly limited to authorized engineering staff via Multi-Factor Authentication (MFA) and the "Principle of Least Privilege" (PoLP).
3. Authorized Sub-Processors
The Controller provides general written authorization for the Processor to engage the following categories of sub-processors. These entities are described by their technical function to maintain the security and proprietary integrity of the Service:
| Functional Category | Data Processed | Processing Location |
|---|---|---|
| Primary App Infrastructure | Core API logic and web hosting. | Germany (EU) |
| Serverless Database Provider | Account metadata and credit balances. | United States / Germany (EU) |
| AI Inference Pipeline | GPU-accelerated upscaling and logic. | United States / Global |
| Merchant of Record | Payment processing and tax compliance. | United States / Global |
| Transient Edge Storage | Temporary batch ZIP delivery and CDN. | Global (Edge) |
3.1 Changes
Processor shall notify Controller of any intended changes to this list via the User Dashboard. Controller may object to such changes on reasonable data protection grounds within 10 business days.
4. International Data Transfers
4.1 Standard Contractual Clauses (SCCs)
For transfers of data from the EEA/UK to the Processor's LLC in the United States, the Standard Contractual Clauses (2021/914, Module 2: Controller to Processor) are hereby incorporated by reference.
4.2 Adequacy
Where applicable, the Processor utilizes sub-processors that participate in the EU-U.S. Data Privacy Framework to ensure a level of protection equivalent to the GDPR.
5. AI Act Compliance (Annex)
5.1 Synthetic Transparency
In accordance with Article 50 of the EU AI Act, Processor shall ensure that all AI-enhanced outputs include technical markers or metadata indicating the use of AI, assisting the Controller in fulfilling their legal transparency obligations.
5.2 Human Oversight
While processing is automated, Controller maintains the right to request a manual review of any account-level automated decisions (e.g., security-related account bans).
6. Data Subject Rights & Breach Notification
6.1 Assistance
Processor shall assist Controller in responding to requests from data subjects exercising their rights (access, erasure, portability) under applicable law.
6.2 Breach Notification
Processor shall notify Controller via the account email of record without undue delay, and in no event later than 48 hours, after becoming aware of a confirmed Personal Data Breach.
7. Audit and Termination
7.1 Audit Rights
Processor shall provide Controller with all information necessary to demonstrate compliance with Article 28 of the GDPR.
7.2 Deletion upon Termination
Upon termination of the Service or the expiration of the temporary storage window, Processor shall permanently and irretrievably delete all processed assets.
8. Execution
By accessing the RatioReady Dashboard or utilizing the RatioReady API, the Controller is deemed to have accepted and executed this DPA in its entirety.