Data Processing Agreement (DPA)
Effective Date: 16th June, 2025
Between
This Data Processing Agreement (“DPA”) applies to any company, organisation, or individual acting as a data controller (the “Controller”) who uses the 82DASH platform, operated by:
82DASH Ltd
71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
(as the “Processor”)
Preamble
The Processor operates 82DASH platform, a user-generated content service that enables content creators to upload content, including personal data, for commercial use by client companies. Under the Main Contract, the Controller uses 82DASH platform to receive such creator-submitted content for its own defined purposes.
In this context, the Controller determines the purposes and means of processing the personal data contained within the content and therefore acts as a data controller under applicable data protection laws. The Processor acts solely on behalf of the Controller and processes personal data exclusively for the purpose of facilitating the receipt, transfer, and technical handling of the data submitted via 82DASH platform.
In accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the parties are required to enter into a data processing agreement to ensure the lawful processing of personal data.
This Data Processing Agreement (“DPA”) forms an integral part of the Main Contract and governs the data protection obligations of the parties in relation to the processing of personal data through 82DASH platform. The execution of this DPA shall not be subject to separate remuneration, unless expressly agreed otherwise in writing. In case of discrepancies between this Data Processing Agreement in other languages and the English version, the English version shall prevail.
1.0 Agreement to Terms
By electronically accepting this DPA (e.g., by checking a box or clicking “I Agree”), the Controller acknowledges and agrees to be bound by its terms. This DPA forms an integral part of the Main Contract between the Parties and governs the processing of personal data under applicable data protection law, particularly Regulation (EU) 2016/679 (“GDPR”).
2.0 Definitions of Terms
"EU Data Protection Law" shall mean the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and any applicable implementing or supplementary data protection laws of EU Member States as applicable to the parties.
"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) GDPR.
"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, as defined in Article 4(8) GDPR.
"Data Subject" means an identified or identifiable natural person whose personal data is processed by the controller or processor, as defined in Article 4(1) GDPR.
"Personal Data" means any information relating to an identified or identifiable natural person (“data subject”), as defined in Article 4(1) GDPR.
"GDPR" refers to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Terms not otherwise explicitly defined in this DPA shall have the meanings attributed to them under the GDPR.
In the event of a conflict between the definitions used in this DPA and those in the GDPR, the definitions of the GDPR shall prevail.
3.0 Subject Matter
The Processor provides a content delivery and user-generated content platform (82DASH) through which personal data, uploaded by creators, is transferred to the Controller. The Processor processes such personal data exclusively on behalf of the Controller and strictly in accordance with the Controller’s documented instructions. The scope, nature, and purposes of the processing are defined in the Main Contract and further detailed in Annex 1 to this DPA.
This DPA sets out the parties’ respective obligations and rights under EU Data Protection Law in relation to the processing of personal data. In the event of any conflict between this DPA and the Main Contract, the provisions of this DPA shall prevail with respect to data protection matters.
The provisions of this DPA apply to all processing activities performed by the Processor, its employees, or authorized agents under the Main Contract, where such activities involve personal data originating from or collected for the Controller.
The duration of this DPA is linked to the duration of the Main Contract, unless otherwise specified in this DPA or required by applicable data protection law (e.g., retention obligations or data return/deletion provisions upon termination).
4.0 Rights of Instruction
The Processor shall collect, process, or use personal data solely within the scope of the Main Contract and in strict accordance with the documented instructions of the Controller. This includes, in particular, any transfers of personal data to a third country or to an international organisation.
Where processing is required under the laws of the European Union or of a Member State to which the Processor is subject, the Processor shall inform the Controller of such legal requirements prior to processing, unless such law prohibits such disclosure on important grounds of public interest.
The Controller’s instructions are initially set forth in this DPA and may be amended, supplemented, or replaced by the Controller at any time in written or text form (e.g., email). Lawful instructions may include, but are not limited to, directives regarding the rectification, erasure, anonymisation, restriction, or transfer of personal data.
All instructions shall be documented by both parties. Instructions that go beyond the scope of services defined in the Main Contract shall be treated as a request for a change in service and may require a separate agreement or amendment.
If the Processor considers an instruction from the Controller to be unclear, inconsistent, or in violation of EU Data Protection Law, the Processor shall immediately notify the Controller without undue delay. The Processor may suspend the execution of such instruction until it is either confirmed or amended by the Controller. The Processor must reject the execution of any instruction that is manifestly unlawful.
5.0 Type of Personal Data Processed, Group of Data Subjects
In the performance of the Main Contract, the Processor shall have access to and process only the personal data provided or made available by content creators through 82DASH platform, solely for the purpose of enabling the Controller to use such content in accordance with the agreed services.
The categories of personal data and data subjects concerned are specified in Annex 1 to this DPA. These typically include identifying information (e.g., name, likeness, social media handle, audio/video content) voluntarily submitted by creators and may, in certain cases, include data falling under special categories as defined in Article 9 GDPR, if expressly provided by the data subject.
The Processor shall not process any personal data beyond the categories listed in Annex 1 unless expressly instructed in writing by the Controller.
5.0 Type of Personal Data Processed, Group of Data Subjects
In the performance of the Main Contract, the Processor shall have access to and process only the personal data provided or made available by content creators through 82DASH platform, solely for the purpose of enabling the Controller to use such content in accordance with the agreed services.
The categories of personal data and data subjects concerned are specified in Annex 1 to this DPA. These typically include identifying information (e.g., name, likeness, social media handle, audio/video content) voluntarily submitted by creators and may, in certain cases, include data falling under special categories as defined in Article 9 GDPR, if expressly provided by the data subject.
The Processor shall not process any personal data beyond the categories listed in Annex 1 unless expressly instructed in writing by the Controller.
5.0 Type of Personal Data Processed, Group of Data Subjects
In the performance of the Main Contract, the Processor shall have access to and process only the personal data provided or made available by content creators through 82DASH platform, solely for the purpose of enabling the Controller to use such content in accordance with the agreed services.
The categories of personal data and data subjects concerned are specified in Annex 1 to this DPA. These typically include identifying information (e.g., name, likeness, social media handle, audio/video content) voluntarily submitted by creators and may, in certain cases, include data falling under special categories as defined in Article 9 GDPR, if expressly provided by the data subject.
The Processor shall not process any personal data beyond the categories listed in Annex 1 unless expressly instructed in writing by the Controller.
5.0 Type of Personal Data Processed, Group of Data Subjects
In the performance of the Main Contract, the Processor shall have access to and process only the personal data provided or made available by content creators through 82DASH platform, solely for the purpose of enabling the Controller to use such content in accordance with the agreed services.
The categories of personal data and data subjects concerned are specified in Annex 1 to this DPA. These typically include identifying information (e.g., name, likeness, social media handle, audio/video content) voluntarily submitted by creators and may, in certain cases, include data falling under special categories as defined in Article 9 GDPR, if expressly provided by the data subject.
The Processor shall not process any personal data beyond the categories listed in Annex 1 unless expressly instructed in writing by the Controller.
6.0 Security Measures of the Processor
The Processor, in its role as a platform facilitating the upload and transfer of user-generated content from creators to client companies (Controllers), is obligated to comply with applicable data protection laws, including the GDPR.
The Processor is responsible for ensuring that its internal organisational structure and operations are designed and maintained to meet the requirements of EU Data Protection Law. In accordance with Article 32 GDPR, the Processor shall implement appropriate technical and organizational measures to protect the personal data it processes. These shall include, at a minimum:
a) Measures for the pseudonymisation and/or encryption of personal data, where appropriate;
b) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) Measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure processing security.
The technical and organisational measures currently implemented by the Processor are detailed in Annex 2 to this DPA. The Processor may update or modify such measures from time to time, provided that such updates do not result in a lower level of security than those contractually agreed upon.
The Processor shall ensure that any personnel (including employees, contractors, or agents) authorised to process personal data are subject to appropriate confidentiality obligations in accordance with Article 28(3)(b) GDPR. The Processor shall ensure that such obligations are contractually imposed and effectively enforced. Upon request, the Controller shall be provided with appropriate evidence of these confidentiality undertakings.
7.0 Information Duties of the Processor
In the event of a personal data breach, including any security incidents related to the content or personal data processed on behalf of the Controller, whether by 82DASH, its personnel, or its authorised subprocessors, The Processor shall notify the Controller in writing without undue delay and, in any case, no later than 48 hours after becoming aware of such an incident. This also applies to any audits or investigations conducted by a supervisory authority that are directly related to processing activities performed on behalf of the Controller. The notification shall include, at minimum:
a) A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records affected;
b) A description of the measures taken or proposed by the Processor to address the breach and, where appropriate, to mitigate its possible adverse effects.
The Processor shall immediately implement necessary measures to secure the data and minimise any potential harm to the data subjects.
The Processor shall, upon request or discovery, provide the Controller with updates or relevant information when the Controller’s data has been affected by a breach as described above.
In the event that any of the Controller’s data is subject to access, seizure, confiscation, insolvency or enforcement proceedings, or similar actions by third parties, the Processor shall notify the Controller without delay. In such cases, The Processor will make clear to all relevant parties and authorities that the control over such data resides exclusively with the Controller in accordance with the GDPR.
The Processor shall inform the Controller without delay of any significant changes that could materially lower the level of technical and organisational security measures as outlined in § 5(2).
The Processor and, where applicable, its designated representative shall maintain a record of all categories of processing activities performed on behalf of the Controller, in accordance with Article 30(2) GDPR. Such records shall be made available to the Controller upon request.
The Processor shall provide appropriate assistance to the Controller in compiling and maintaining the Controller’s own records of processing activities under Article 30(1) GDPR by supplying relevant information in a timely and appropriate manner.
8.0 Roles and Responsibilities
Role as Data Processor:
The Processor acts on behalf of the Controller, collecting and managing data submitted by Creators. In this capacity, the Processor processes personal data solely in accordance with the Controller’s instructions and as outlined in the Main Contract, this Data Processing Agreement (DPA), and applicable laws, particularly the GDPR. The Processor shall not process the personal data for its own purposes or beyond the scope of the Controller’s instructions without obtaining prior written consent from the Controller.
The Processor is responsible for implementing appropriate technical and organisational measures to ensure the security and confidentiality of the personal data and to comply with its obligations under Article 28 of the GDPR.
Role as Data Controller:
Upon transfer of content and data, the Controller assumes the role of Data Controller. In this capacity, the Controller is responsible for the further use, processing, and compliance with applicable data protection laws. Specifically, the Controller is responsible for:
Ensuring that the processing of personal data complies with the principles of the GDPR, including fairness, lawfulness, transparency, and purpose limitation.
Providing clear and transparent information to data subjects (Creators) about the purposes of the data processing, the legal basis for processing, and their rights under the GDPR.
Responding to any requests from data subjects exercising their rights (e.g., access, rectification, deletion, restriction of processing, data portability, objection).
Ensuring the legal basis for any further processing of personal data is established and documented in accordance with Articles 6 and 9 of the GDPR.
Performing any necessary data protection impact assessments (DPIAs) when required by the GDPR.
Implementing appropriate safeguards, including contractual agreements with the Processor or other third-party processors, to ensure that the data processing meets GDPR requirements.
The Controller acknowledges that it remains fully responsible for ensuring compliance with the GDPR and for addressing any issues related to data protection that arise after the data is transferred from the Processor.
The Processor’s Independent Role as Data Controller:
In addition to acting as a Data Processor on behalf of the Controller, the Processor may also act as an Independent Data Controller for its own purposes, including but not limited to the following:
Conducting analytics, product improvement, and AI development based on aggregated, anonymised, or pseudonymised data.
Collecting data for internal reporting and operational purposes, which may include system performance analysis, user engagement statistics, and other business-related metrics.
As an Independent Data Controller, the Processor is responsible for ensuring that it complies with all applicable data protection laws, including the GDPR, and that it provides appropriate notices to data subjects about how their data is being used for these purposes. The Processor will also handle any data subject rights requests directly related to its own processing activities
9.0 Use of Sub-processors
The Processor shall carry out the agreed services, or the specific parts thereof as listed in Annex 3, with the assistance of the subprocessors identified therein. The Processor is permitted to engage additional subprocessors in connection with the performance of its contractual obligations. The Controller shall be informed without undue delay of the intended addition or replacement of subprocessors by email to the address provided by the Controller.
The Processor shall select any subprocessor with due diligence, ensuring their reliability and capability to comply with applicable data protection requirements. Any subprocessor engaged by the Processor must be bound by data protection obligations substantially equivalent to those set out in this DPA. The Processor shall ensure that the Controller’s rights, particularly the rights of inspection and audit, can also be exercised directly against any engaged subprocessor.
If a subprocessor is located in a third country outside the European Economic Area, the Processor must ensure that such subprocessor provides adequate safeguards in accordance with Articles 44 et seq. GDPR. This includes, where necessary, the execution of Standard Contractual Clauses and the implementation of supplementary measures to ensure an essentially equivalent level of protection. The Controller retains the right to object to the engagement or replacement of subprocessors in accordance with Article 28(2) GDPR.
10.0 International Data Transfers
The Controller and the Processor acknowledge that:
If the Processor or Controller is located outside the EEA or processes personal data outside the EEA, any transfer of personal data must comply with the requirements of Articles 44 ff. of the GDPR. The Controller ensures that such transfers will be governed by the EU Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 04 June 2021), as outlined in Annex 4, and any supplementary measures necessary to ensure compliance with these clauses.
In the event of a conflict between the provisions of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall take precedence.
In the event of a revised version of the Standard Contractual Clauses being published, both parties commit to ensuring promptly accept the updated terms to maintain compliance with GDPR regarding international data transfers to third countries.
If alternative transfer mechanisms under Articles 44 ff. of the GDPR become available, both parties may implement these additional mechanisms, alongside the Standard Contractual Clauses, to ensure lawful data transfers.
11.0 Requests and Rights of Data Subjects
The Processor shall support the Controller to the extent commercially reasonable with appropriate technical and organisational measures to fulfill its obligations under Articles 12-23 and 32-36 of the GDPR, particularly with regard to user-generated content.
If a data subject asserts any rights, such as the right to access personal data under Article 15, rectification under Article 16, or deletion under Article 17, directly against the Processor concerning their user-generated content, the Processor shall contact and notify the Controller immediately, so the Controller can manage and respond to such requests as required by the GDPR.
12.0 Controller’s Responsibilities Upon Termination
This DPA remains in effect as long as the Controller continues to use the Processor’s platform services. Upon termination of the Controller’s account:
The Processor will delete or anonymise all personal data processed on behalf of the Controller, unless the Processor is legally obligated to retain the data.
The Controller is responsible for ensuring that any personal data transferred to it by the Processor prior to termination is retained, managed, and disposed of in accordance with applicable data protection laws. This includes ensuring compliance with any ongoing obligations for data retention or further processing, as required by law or the Controller’s own operational needs.
13.0 Final Clauses
This DPA shall remain in effect for the duration of the Main Contract, unless terminated earlier in accordance with applicable law or the provisions herein. Upon termination, the Processor shall, at the Controller’s choice, delete or return all personal data, unless legal obligations require otherwise.
This DPA constitutes the entire agreement between the Parties concerning its subject matter and supersedes all prior agreements or understandings. Any changes must be made in writing and agreed upon by both Parties (electronic communication suffices)
If any provision of this DPA is or becomes partially or wholly invalid or unenforceable, the validity of the remaining provisions shall not be affected.
This DPA is governed by the laws applicable to the Processor, in accordance with the jurisdiction of the Processor’s registered seat. The exclusive place of jurisdiction for any disputes arising in connection with this DPA shall be the jurisdiction of the Processor's registered seat.
If the personal data derived from user-generated content that the Processor handles on behalf of the Controller is at risk due to third-party actions (such as seizure, confiscation, legal claims), insolvency, composition proceedings, or any other events that could compromise its confidentiality or availability, the Processor shall notify the Controller without undue delay.
This DPA is concluded electronically. No physical signature is required. By accepting this DPA via checkbox, click-wrap, or other digital acceptance method, the Controller confirms that it has read, understood, and agreed to be legally bound by its terms.
Annexes
Annex 1 - Description of processing activities, purposes, processed personal data and special categories of personal data
Annex 2 - Technical and Organisational Measures of the Processor
Annex 3 - Approved Subprocessors
Annex 1 - Description of processing activities, purposes, processed personal data and special categories of personal data
The Processor (82DASH) enables the upload, management, and transfer of user-generated content from creators to the Controller. The content may include personal data.
Nature of the Processing:
- Storage, display, and transfer of content to the Controller
- Categorisation, tagging, or indexing of content
- Enabling download, review, and content playback
- Support and infrastructure services
- Name or pseudonym (e.g., username, display name)
- Email
- Image, likeness, and voice (video/audio content)
- Social media handles or tags- Metadata (e.g., titles, captions)
- Voluntary contact info & text questions
- Performance analytics linked to the creator
- Content that may reveal special categories
(e.g., health, ethnicity) if visible or audible in the content
- Individuals featured in the content
- Client company representatives (for support or account purposes, limited and incidental)
Yes – Special category data may be processed if it is visible or audible in the user-generated content (e.g. health status, ethnicity, religious symbols). This is incidental and not explicitly collected by 82DASH but can occur based on content submitted by users.
- Client companies (Controllers) who receive user-submitted content via the 82DASH platform
- Sub-processors providing infrastructure, analytics, or support services (listed in the DPA or Subprocessor Annex)
Yes – Applies if personal data is transferred to sub-processors or infrastructure providers located outside the EU/EEA (e.g. U.S.-based cloud providers)
Standard Contractual Clauses (SCCs) as approved by the European Commission, Data Processing Agreements with sub-processors, and supplementary technical/organisational measures where required
Continuous – as part of the regular operation and functionality of the 82DASH platform, especially for global access, hosting, or analytics
For the duration of the Main Contract between Controller and Processor. Data will be deleted or returned upon termination, unless retention is required by law or otherwise agreed in writing.
Annex 2 -
Access Control to Premises and Facilities.
Electronic access control systems
ID cards, magnetic badges, chip cards
Key issuance and tracking
Secured door locking mechanisms (e.g. electric locks)
CCTV or video surveillance
Alarm systems
Access Control to Systems.
Strong password policies (i.e. complexity requirements, expiry rules)
No use of guest or anonymous accounts
Centralised user account and access management
Access Control to Data.
Technical measures to prevent unauthorised remote access
Role-based access rights management
Granular access permissions based on job responsibilities
Automatic logging of data access events
Disclosure Control.
Enforced use of secure private networks for all data transmission
Restriction or prohibition of portable storage media
End-to-end encryption (e.g. VPNs) for data in transit
Comprehensive logging and auditing of all data transfers
Input Control.
Audit trails for data entry, modification, and deletion
Ability to verify and trace data transmission targets
User activity logs on all relevant systems
Time- and user-stamped records of data input
Job Control.
Clearly worded, binding data processing instructions in contracts
Ongoing monitoring of processor compliance
Disclosure Control.
Data recovery procedures in place for system interruptions
Monitoring systems to ensure uptime and fault reporting
Safeguards to prevent data corruption from system failures
UPS (Uninterruptible Power Supply) installations
Business continuity and disaster recovery plans
Offsite or cloud-based backup storage
Regularly updated antivirus and firewall systems
Segregation Control.
Access limitation based on purpose and staff responsibilities
Separate environments for development/testing and production
Logical separation between different business systems and datasets
Annex 3 -
For a full and up-to-date list of our subprocessors, please refer to our Subprocessor List.
