Backbone Studio

Data Processing Agreement

Effective May 29, 2026.

This Data Processing Agreement ("DPA") supplements the master Service Agreement between Backbone Studio LLC ("Processor") and the client engaging Backbone for a build ("Controller"). It governs the processing of personal data Backbone performs on the Controller's behalf during the build engagement.

1. Definitions

Terms used here have the meanings given in the EU General Data Protection Regulation (GDPR) and, where applicable, the California Consumer Privacy Act (CCPA) as amended by CPRA. "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" carry their GDPR meanings.

2. Subject matter, duration, nature, and purpose

  • Subject matter: Processing performed by Backbone in the course of designing, building, and delivering the operational platform for which Backbone is engaged under the Service Agreement.
  • Duration: From kickoff through 90 days post-launch, unless extended by a Care plan or further engagement.
  • Nature: Software design, implementation, deployment, and operational handover.
  • Purpose: To enable the Controller to operate the delivered platform on its own infrastructure.

3. Categories of Data Subjects and Personal Data

Categories of Data Subjects may include the Controller's employees, contractors, creators, talent, and end customers. Categories of Personal Data may include name, email address, phone number, payout details, business identifiers, and any other data the Controller chooses to store in the platform.

4. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure personnel processing Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures, including Row Level Security on Supabase, HTTPS-only transport, secrets in Vault or Vercel env, audit logging on admin actions, and least-privilege collaborator access.
  • Assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, restriction, portability, objection).
  • Notify the Controller of a Personal Data breach without undue delay, and within 72 hours of becoming aware of it.
  • On termination or at the Controller's written request, delete or return all Personal Data unless retention is required by law.

5. Sub-processors

Backbone uses the following sub-processors during a build engagement. The Controller consents to these by signing this DPA. Backbone will give 30 days' notice of any intended changes and the Controller may object on reasonable grounds.

  • Vercel Inc. — hosting and Edge Functions
  • Supabase Inc. — database and authentication
  • Stripe Inc. — payment processing
  • Resend Inc. — transactional email and audience management
  • Upstash Inc. — rate-limiting metadata
  • Cloudflare Inc. — Turnstile bot protection
  • Sentry (Functional Software, Inc.) — error monitoring
  • GitHub Inc. — source control

Each sub-processor is bound by a DPA with equivalent obligations. The current list lives on the public security page.

6. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Backbone relies on the EU Standard Contractual Clauses (2021/914) and supplementary measures as appropriate. The UK International Data Transfer Addendum applies for UK transfers.

7. Audit rights

The Controller may, on 30 days' written notice and not more than once per year (or in response to a specific incident), audit Backbone's compliance with this DPA. Audits are conducted during business hours and at the Controller's expense.

8. Liability

Liability arising from this DPA is subject to the limitation-of-liability provisions of the master Service Agreement.

9. Term and termination

This DPA takes effect when the Service Agreement is signed and continues for the duration of the Processing. Termination of the Service Agreement terminates this DPA.

10. Contact

Privacy and DPA inquiries should be sent to privacy@backbonestudio.co.

Important

This template is provided for reference and is not legal advice. Enterprise Controllers should have their own counsel review this DPA, redline if appropriate, and execute via their preferred contracting platform before kickoff. Backbone is happy to align on reasonable redlines.

Questions? hello@backbonestudio.co.