Data Processing Agreement

Last updated: January 20, 2025

GDPR Compliance

This Data Processing Agreement (DPA) forms part of our Terms of Service and governs the processing of personal data by ColorGenius as a data processor on behalf of our customers (data controllers) in compliance with GDPR.

Data Protection

We implement appropriate technical and organizational measures to protect personal data.

International Transfers

Data transfers are protected by appropriate safeguards including SCCs.

Data Subject Rights

We assist customers in responding to data subject requests and exercising rights.

1. Definitions

In this DPA:

  • "Customer Data" means personal data processed by ColorGenius on behalf of Customer
  • "Data Protection Laws" means GDPR and other applicable data protection legislation
  • "Processing" has the meaning given in the GDPR
  • "Sub-processor" means any third party engaged by ColorGenius to process Customer Data

2. Processing of Personal Data

ColorGenius will:

  • Process Customer Data only for the purpose of providing our Services
  • Process Customer Data only on documented instructions from Customer
  • Ensure confidentiality of Customer Data
  • Not transfer Customer Data outside the EEA without appropriate safeguards

3. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication measures
  • Staff training on data protection requirements
  • Incident response and breach notification procedures

4. Sub-processors

ColorGenius may engage sub-processors to assist in providing our Services. We maintain a list of current sub-processors and will:

  • Ensure sub-processors provide sufficient guarantees of data protection
  • Enter into written agreements with sub-processors
  • Remain fully liable for sub-processor performance
  • Provide 30 days' notice of new or changed sub-processors

5. Data Subject Rights

We will assist Customer in responding to data subject requests by:

  • Providing access to Customer Data when technically feasible
  • Implementing correction or deletion requests
  • Providing data portability where applicable
  • Restricting processing when required

6. Data Breach Notification

In the event of a personal data breach affecting Customer Data, we will:

  • Notify Customer without undue delay and within 72 hours where feasible
  • Provide details of the breach and its likely consequences
  • Describe measures taken to address the breach
  • Assist Customer in notifying supervisory authorities if required

7. Audits and Compliance

ColorGenius will:

  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits by Customer or an authorized auditor
  • Provide annual SOC 2 Type II reports
  • Maintain records of processing activities

8. Data Deletion

Upon termination of our Services, ColorGenius will:

  • Delete or return Customer Data as instructed
  • Provide confirmation of deletion upon request
  • Delete existing copies unless legal storage is required

9. Liability and Indemnification

Each party's liability under this DPA will be subject to the limitation of liability provisions in our Terms of Service. ColorGenius will indemnify Customer against fines imposed by supervisory authorities resulting from ColorGenius' breach of this DPA.

Need a Signed DPA?

Enterprise customers can request a fully executed Data Processing Agreement for their records and compliance requirements.