Data Processing Agreement (DPA)

Last updated: 18 May 2026

This Data Processing Agreement (the “DPA”) supplements the Terms and Conditions between the Customer (“Controller”) and GRUP SEIDAN 3000, S.L. (Tax ID B26594119), operator of the RemixTrack platform (“Processor”), and governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Service, in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).

1. Parties and roles

Controller: the Customer (record label, music pool, distributor or other legal or natural person) that contracts the Service and uploads or causes to be uploaded personal data of third parties through the Platform.

Processor: GRUP SEIDAN 3000, S.L., with registered office in Pineda de Mar, Barcelona, Spain, Tax ID B26594119, operator of the RemixTrack platform.

The parties acknowledge that, in respect of personal data uploaded by the Controller (e.g. artist details, end-user identifiers, recipients of watermarked downloads), the Controller acts as data controller and the Processor acts strictly as a data processor under Art. 28 GDPR.

2. Subject matter and duration

The subject matter of the processing is the provision of the Service set out in the Terms. This DPA enters into force on the Controller's acceptance of the Terms and remains in force for the entire duration of the Subscription, plus the periods strictly necessary to return or delete the personal data in accordance with clause 12.

3. Nature and purpose of processing

The Processor processes personal data on behalf of the Controller for the sole purposes of:

  • Storing audio files and the associated metadata uploaded through the Service.
  • Generating digital watermarks and watermarked derivative files associated with the recipient of each download.
  • Carrying out forensic leak detection on audio samples submitted by the Controller.
  • Managing ancillary user, organisation and access workflows necessary to operate the Service.
  • Producing aggregated and anonymised statistical metrics that do not identify data subjects.

4. Categories of data subjects and personal data

Categories of data subjects:

  • End users and members of the Controller's organisation.
  • Artists and right holders whose tracks are uploaded to the Service.
  • Recipients of watermarked downloads (e.g. DJs, promo recipients, customers).

Categories of personal data:

  • Identifiers (name, alias, organisation role).
  • Contact data (email address).
  • Technical data (IP address, user agent, device identifiers).
  • Audio-related metadata (track title, artist, release information).
  • Transactional and audit logs (downloads, watermark events, API calls).

The Processor does not knowingly process special categories of data under Art. 9 GDPR. The Controller undertakes not to upload such data through the Service without prior written agreement.

5. Obligations of the Processor (Art. 28.3 GDPR)

The Processor undertakes to:

  • Process personal data only on the Controller's documented instructions, including with regard to international transfers, unless otherwise required by EU or Member State law.
  • Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement the technical and organisational security measures set out in clause 7.
  • Respect the conditions for engaging sub-processors set out in clause 6.
  • Assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to requests for the exercise of data subject rights (Arts. 15-22 GDPR).
  • Assist the Controller in ensuring compliance with the obligations under Arts. 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation).
  • At the Controller's choice, return or delete all personal data after the end of the provision of services, in accordance with clause 12.
  • Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, as set out in clause 11.
  • Inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other data protection provisions.

6. Sub-processors

The Controller grants the Processor general written authorisation to engage the sub-processors listed below for the provision of the Service:

  • Stripe, Inc. (United States) — payment processing and invoicing.
  • Supabase, Inc. (EU region) — authentication and database infrastructure.
  • Cloudflare, Inc. (United States / EU) — encrypted audio file storage and edge security.
  • Vercel, Inc. (United States) — application hosting, CDN and performance metrics.
  • Modal Labs, Inc. (United States) — on-demand GPU compute for watermark embedding and detection.
  • Sentry, Inc. (United States) — operational error monitoring and performance tracing.

The up-to-date list of sub-processors is maintained at https://remixtrack.app/legal/privacy.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice, giving the Controller the opportunity to object to such changes on reasonable data protection grounds. If the Controller's objection cannot be reasonably resolved, the Controller may terminate the affected Service with no penalty other than the loss of access for the remainder of the prepaid period.

The Processor shall impose on each sub-processor, by contract, data protection obligations equivalent to those set out in this DPA and remains fully liable to the Controller for the sub-processor's performance.

7. Security measures

The Processor applies technical and organisational measures appropriate to the level of risk, including:

  • Encryption in transit — all connections are made over HTTPS/TLS; unencrypted traffic is rejected.
  • Encryption at rest — audio files and database records are stored encrypted; decryption keys are managed by hosting providers under their own security certifications.
  • Access control — internal access to production data follows the principle of least privilege.
  • Multi-factor authentication (MFA) — available to all users and configurable as mandatory by each organisation's administrators.
  • Audit logs — download, watermark and API events are timestamped and logged; logs are treated as sensitive data.
  • Regular review — security measures are reviewed periodically and updated where necessary in light of the state of the art.

8. International transfers

Where the provision of the Service requires the transfer of personal data to sub-processors located outside the European Economic Area, such transfers are covered by the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, or by any other valid transfer mechanism foreseen in Chapter V of the GDPR. The Processor implements supplementary measures where necessary in accordance with the case law of the Court of Justice of the European Union.

9. Assistance with data subject rights

Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject rights laid down in Chapter III of the GDPR within the statutory timeframes. If the Processor receives a request directly from a data subject, it shall, where possible, forward the request to the Controller without undue delay and shall not respond to the request itself unless authorised to do so by the Controller.

10. Personal data breach

The Processor shall notify the Controller of any personal data breach affecting the personal data processed on the Controller's behalf without undue delay and, where feasible, within 48 hours after becoming aware of it. The notification shall include, to the extent available, the information required by Art. 33.3 GDPR. The Processor shall reasonably cooperate with the Controller to investigate the breach, mitigate its effects and, where applicable, comply with notification obligations to the competent supervisory authority and to affected data subjects.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR. The Controller may carry out an audit once per calendar year, with reasonable prior notice (at least 30 days), during working hours and without unreasonably disrupting the Service. The Processor may satisfy the audit obligation by providing independent third-party reports (such as ISO 27001 or SOC 2) covering the relevant controls. Audit costs shall be borne by the Controller, unless the audit reveals material non-compliance attributable to the Processor.

12. Return and deletion on termination

On termination of the Service, the Controller shall have a period of 30 calendar days to export its personal data through the tools made available by the Service. After that period, the Processor shall delete all personal data processed on behalf of the Controller, including copies, unless EU or Member State law requires the retention of such data (in particular invoicing and tax records under applicable commercial and tax legislation). Backup copies shall be deleted in accordance with the Processor's retention cycles.

13. Liability and governing law

The liability of the parties under this DPA is subject to the limitations agreed in the Terms. This DPA is incorporated into and forms part of the Terms; in the event of conflict between this DPA and the Terms on matters of personal data protection, this DPA shall prevail.

This DPA is governed by Spanish law and by the directly applicable EU data protection regulations. Any dispute shall be submitted to the Courts and Tribunals of the city of Barcelona, without prejudice to the competent supervisory authority's powers under the GDPR.

14. Prevailing language

This DPA is provided in English and Spanish for the convenience of the parties. In the event of discrepancy, the Spanish version shall prevail.