Skip to content
Back

Data Processing Agreement

Last updated: June 10, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Creator Offload Pte. Ltd. ("Creator Offload" or "Processor") and the customer entity that has agreed to Creator Offload's Terms of Service ("Customer" or "Controller"). This DPA applies where Creator Offload processes personal data on behalf of the Customer in the course of providing the Service. This DPA is intended to meet the requirements of Article 28 of the GDPR and equivalent obligations under other applicable data protection laws.

1. Definitions

  • Controller: The Customer, who determines the purposes and means of processing personal data managed within their Creator Offload workspace.
  • Processor: Creator Offload Pte. Ltd., which processes personal data on behalf of the Controller.
  • Personal Data: Has the meaning given in applicable data protection law. In the context of the Service, it includes personal information about creators, brand contacts, or other individuals stored within the Customer's workspace.
  • Processing: Any operation or set of operations performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • GDPR: Regulation (EU) 2016/679 (the General Data Protection Regulation), including as retained in UK law ("UK GDPR") and implemented in Switzerland where applicable.
  • Sub-Processor: Any third party engaged by Creator Offload to process personal data on behalf of the Customer.
  • Standard Contractual Clauses (SCCs): The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (as updated from time to time).

2. Scope and Nature of Processing

2.1 Role of the Parties

The Customer is the Controller. Creator Offload is the Processor. Creator Offload will process personal data only in accordance with the Customer's documented instructions, except where required to do otherwise by applicable law.

2.2 Subject Matter and Duration

Creator Offload processes personal data for the duration of the Customer's active subscription, plus the post-termination retention period described in the Terms of Service (30-day grace period, after which deletion occurs).

2.3 Nature of Processing

Creator Offload processes personal data to provide the following core Service functions:

  • Creator portal intake: Storing creator profile data, submitted content, and usage rights information
  • Rights management: Recording and enforcing content usage rights, expiry dates, and consent records
  • QA review: Facilitating review workflows and attaching reviewer annotations to content records
  • Asset management: Storing and organizing content assets for brand/agency teams
  • Export: Generating ad-ready content packages for downstream distribution

2.4 Types of Personal Data

  • Creator identifiers: name, username, email address, phone number, social media handles
  • Content and media: photos, videos, audio files submitted by creators
  • Rights and consent records: signed agreements, consent timestamps, usage terms
  • Communications: messages exchanged through the platform between brands and creators

2.5 Categories of Data Subjects

  • Content creators (individuals)
  • Brand and agency personnel
  • Other individuals whose personal data is incidentally included in uploaded content

3. Processor Obligations

3.1 Documented Instructions

Creator Offload will process personal data only on documented instructions from the Customer (as reflected in the Customer's use of the Service and these Terms).

3.2 Confidentiality

Creator Offload will ensure that all personnel authorized to process Customer personal data are bound by appropriate confidentiality obligations.

3.3 Security

Creator Offload will implement technical and organizational security measures appropriate to the risk, as described in our Security page. These measures include encryption of data at rest and in transit, access controls, and monitoring.

3.4 Sub-Processor Engagement

Creator Offload will not engage Sub-Processors without the Customer's prior general written authorization. The Customer grants general authorization for Creator Offload to engage the Sub-Processors listed in Schedule A. Creator Offload will notify the Customer at least 14 days in advance of any material changes to the Sub-Processor list.

3.5 Data Subject Rights

Creator Offload will provide reasonable assistance to the Customer in responding to requests from data subjects exercising their rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection).

3.6 Security Assistance

Creator Offload will provide reasonable assistance to the Customer in ensuring compliance with the security obligations in Article 32 of the GDPR, including by notifying the Customer of any personal data breach as described in Section 6.

3.7 DPIAs

Creator Offload will provide reasonable assistance to the Customer in carrying out Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR where the nature of the processing requires one.

3.8 Deletion or Return

Upon termination of the Service or upon written request, Creator Offload will delete or return all Customer personal data in accordance with the Customer's instructions. Data will be deleted from active systems within 30 days of termination.

3.9 Audit Rights

Creator Offload will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. At the Customer's reasonable written request (no more than once per year unless a specific incident warrants it), Creator Offload will respond to security questionnaires or provide relevant audit-related information.

4. Customer Obligations

The Customer represents and warrants that:

  • It has a lawful basis for processing personal data uploaded to the Service under applicable data protection law.
  • It has provided adequate privacy notices to data subjects (including creators) whose personal data is processed through the Service.
  • It has obtained any required consents from data subjects.
  • It will use the Service in accordance with applicable data protection law.
  • It will promptly inform Creator Offload of any instruction that it believes would constitute a violation of applicable law.

5. International Data Transfers

5.1 Transfers to the United States

Creator Offload is incorporated and operated in the United States. Processing of Customer personal data by Creator Offload and its Sub-Processors may involve transfers from the EEA, UK, or Switzerland to the United States or other third countries.

5.2 Transfer Mechanisms

For transfers of personal data from the EEA to countries not recognized as providing an adequate level of protection, Creator Offload relies on the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor), which are hereby incorporated into this DPA by reference.

For transfers subject to UK GDPR, Creator Offload relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable. For transfers from Switzerland, Creator Offload relies on the SCCs as supplemented by guidance from the Swiss FDPIC.

5.3 Supplementary Measures

Where required, Creator Offload implements supplementary technical and organizational measures to ensure an essentially equivalent level of protection for transferred data, including encryption in transit and at rest.

6. Personal Data Breach Notification

Creator Offload will notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of any accidental, unlawful, or unauthorized access, disclosure, alteration, or destruction of Customer personal data ("Personal Data Breach"). Notification will include, to the extent known at the time:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

The Customer is responsible for determining whether and how to notify affected data subjects and/or supervisory authorities based on the information provided.

7. Governing Law

This DPA is governed by the law of the State of California, United States, except that provisions relating to the GDPR or SCCs are governed by the law of the applicable EU Member State or the laws of England and Wales for UK-specific provisions, as required to give effect to those instruments.

8. Security Measures (Article 32 Summary)

The following technical and organizational security measures are implemented by Creator Offload:

  • Encryption in transit: TLS 1.2+ for all data in transit between client and server
  • Encryption at rest: AES-256 encryption for database storage and file assets
  • Access controls: Role-based access control (RBAC); principle of least privilege
  • Authentication: Multi-factor authentication available; session management with secure tokens
  • Audit logging: Access and administrative actions logged with timestamps
  • Backup: Regular encrypted backups with tested restore procedures
  • Incident response: Documented incident response plan; breach notification procedure
  • Vendor security: Sub-Processors assessed for security compliance prior to engagement
  • Employee training: Security awareness training for personnel with access to Customer data

Schedule A: Authorized Sub-Processors

The following Sub-Processors are authorized as of the effective date of this DPA. Creator Offload will update this schedule and provide advance notice of any material additions or replacements.

Stripe, Inc.

Purpose: Billing and payment processing

Data processed: Name, email, billing address, subscription metadata

Country: United States

Transfer mechanism: SCCs / EU-US Data Privacy Framework

Resend, Inc.

Purpose: Transactional email delivery

Data processed: Email address, email content (may include name and account info)

Country: United States

Transfer mechanism: SCCs

Google LLC

Purpose: OAuth authentication (Sign in with Google)

Data processed: Name, email address (authentication token only)

Country: United States

Transfer mechanism: SCCs / EU-US Data Privacy Framework

Analytics Provider

Purpose: Anonymous product analytics

Data processed: Anonymized/pseudonymized usage events (no PII in identifiable form)

Country: United States

Transfer mechanism: SCCs

Creator Offload maintains Data Processing Agreements or equivalent contractual commitments with each Sub-Processor.

Schedule B: Contact Information

Data Controller: Customer (see account details)
Data Processor: Creator Offload Pte. Ltd.
Privacy contact: privacy@creatoroffload.com

This DPA supplements and is incorporated into the Creator Offload Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA will prevail.

We collect a bit of analytics

To understand how visitors use our platform, we record usage events along with some of your non-sensitive device information and approximate location. You may opt out anytime. Privacy Policy