Data Processing Agreement

Last updated: March 04, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service available at https://templated.io/terms (the “Agreement”) between Templated, operated by Edithor Ltda., a company incorporated under the laws of Brazil (“Processor”, “we”, “us”), and the entity or person agreeing to these terms (“Controller”, “Customer”, “you”), collectively referred to as the “Parties”.

This DPA applies where and only to the extent that Templated processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to data protection laws of the European Union, the European Economic Area, or their member states, the United Kingdom, or Switzerland (collectively, “European Data Protection Law”).

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller pursuant to the Agreement.
  • “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
  • “Sub-processor” means any third-party data processor engaged by the Processor to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement.
  • “GDPR” means the General Data Protection Regulation (EU) 2016/679.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor provides a template-based image, video, and PDF generation API service. In the course of providing this Service, the Processor may process Personal Data on behalf of the Controller.

2.2 Nature and Purpose of Processing

The processing is carried out for the purpose of providing the Service as described in the Agreement, which includes:

  • Rendering images, videos, and PDFs from templates via API
  • Storing and managing templates created by the Controller
  • Processing template data provided by the Controller through the API
  • Account management and authentication

2.3 Duration of Processing

The Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

2.4 Types of Personal Data

The Personal Data processed may include, but is not limited to:

  • Names, email addresses, and contact information embedded in templates
  • Images containing identifiable individuals
  • Any other personal data included by the Controller in template content or API requests

2.5 Categories of Data Subjects

Data subjects may include:

  • The Controller’s employees and contractors
  • The Controller’s end-users and customers
  • Any individuals whose Personal Data is included in template content

3. Obligations of the Processor

3.1 Compliance

The Processor shall process Personal Data only in accordance with the Controller’s documented instructions, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • Encryption of Personal Data in transit (TLS/SSL) and at rest
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • Regular testing and evaluation of the effectiveness of technical and organizational measures
  • Access controls and authentication mechanisms
  • Regular security updates and patch management

3.4 Sub-processing

The Processor shall not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

The Controller hereby provides general authorization for the Processor to engage sub-processors as listed in Annex B of this DPA. The Processor shall notify the Controller of any changes to its sub-processors by updating Annex B. The Controller may object to a new sub-processor within 30 days of being notified.

3.5 Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organizational measures and taking into account the nature of the processing, in fulfilling the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

3.6 Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor’s contact point for more information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

3.7 Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.

3.8 Deletion or Return of Data

Upon termination of the Agreement or upon the Controller’s request, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data. The Processor shall certify in writing that it has complied with this obligation upon request.

4. Obligations of the Controller

The Controller shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf
  • Provide documented instructions to the Processor regarding the processing of Personal Data
  • Ensure compliance with applicable data protection laws with respect to its use of the Service
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor

5. International Data Transfers

5.1 Data Location

The Processor is based in Brazil and processes data through cloud infrastructure provided by Amazon Web Services (AWS), located in the United States. Brazil’s data protection law (Lei Geral de Proteção de Dados — LGPD) provides a comprehensive framework for data protection that is closely aligned with the GDPR.

5.2 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer of Personal Data outside of the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, such transfers shall be governed by the Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are hereby incorporated by reference into this DPA.

5.3 Additional Safeguards

In addition to the SCCs, the Processor implements the following supplementary measures to protect transferred data:

  • Encryption of data in transit and at rest
  • Access controls limiting data access to authorized personnel
  • Regular security assessments and audits

6. Audit Rights

6.1 Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

6.2 Audit Process

Audits shall be conducted with reasonable prior written notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor’s business activities. The Controller shall bear all costs related to such audits. The Processor may charge a reasonable fee for time spent assisting with audits.

7. Liability

Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

8. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the Processor shall comply with the obligations set forth in Section 3.8 regarding deletion or return of data.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Agreement, unless otherwise required by applicable data protection laws.

10. Contact

For any questions regarding this DPA or to exercise any rights under this agreement, please contact us at:

Email: support@templated.io


Annex A — Details of Processing

| Detail | Description |
|---|---|
| Subject matter | Provision of template-based image, video, and PDF generation services via API |
| Duration | For the term of the Agreement |
| Nature and purpose | Rendering templates containing Customer-provided content, including potentially Personal Data, into images, videos, and PDFs |
| Types of Personal Data | Names, email addresses, images of identifiable individuals, and any other personal data included in template content by the Controller |
| Categories of Data Subjects | Controller’s employees, end-users, customers, and any other individuals whose data is included in templates |

Annex B — Sub-processors

The following sub-processors are authorized by the Controller as of the date of this DPA:

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage (S3), and serverless computing (Lambda) for template rendering | United States |
| Stripe | Payment processing and subscription management | United States |
| Mailjet | Transactional email delivery | EU (France) |
| Crisp | Customer support chat and communication | EU (France) |
| Google Cloud Platform | Authentication services (Google OAuth) | United States |

The Processor will notify the Controller of any changes to sub-processors by updating this list. The Controller may subscribe to updates by contacting support@templated.io.

Annex C — Technical and Organizational Security Measures

The Processor maintains the following technical and organizational measures:

Access Control

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication for administrative access
  • Regular access reviews and revocation of unnecessary permissions

Data Protection

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Regular automated backups with encryption

Operational Security

  • Automated monitoring and alerting for security events
  • Regular security updates and vulnerability patching
  • Incident response procedures and documentation

Data Minimization

  • Rendered outputs are stored only as long as necessary for service delivery
  • Template data is deleted upon account termination or upon request
  • Logs are retained for a limited period and anonymized where possible