Data Processing Addendum (DPA)
GDPR data-processing terms for business customers using our products.
Template notice. This document is a starting point, not legal advice. Bracketed [PLACEHOLDERS] must be completed with the registered details of PEWIT Labs and reviewed by a qualified lawyer (GDPR / UOKiK in Poland; EU VAT and ePrivacy) before publication.
Last updated: [EFFECTIVE_DATE]
This DPA is available for business customers who use managed AI credits / AIMT Cloud, where PEWIT Labs may act as a data processor on your behalf. For BYOK usage, images go directly from your site to OpenAI and PEWIT Labs is not a processor of those images.
How to use: offer this as a downloadable/countersignable document. Have it reviewed by a lawyer.
1. Roles
- Controller: you (the customer).
- Processor: [COMPANY_LEGAL_NAME], for managed-mode image processing.
- Sub-processors: OpenAI (AI generation), hosting/infrastructure provider.
2. Subject matter and duration
Processing of images and related metadata submitted through managed mode, for the purpose of generating image metadata, for the duration of your subscription.
3. Nature and purpose
Transient transmission and processing of images to generate ALT/title/caption/description and to meter credit usage. No use of customer images for model training.
4. Types of data and data subjects
Images uploaded by the controller and any personal data they may incidentally contain; data subjects are those depicted in or identifiable from the images.
5. Processor obligations
- Process only on documented instructions of the controller.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational measures (TOMs).
- Engage sub-processors only under equivalent obligations and notify the controller of changes.
- Assist with data subject requests and security incidents.
- Delete or return data after the engagement, subject to legal retention.
6. International transfers
Where sub-processors are outside the EEA (e.g. OpenAI in the US), transfers are covered by Standard Contractual Clauses (SCCs) and/or applicable adequacy mechanisms.
7. Sub-processor list
Current sub-processors and links to their terms are provided on request and maintained at /legal/privacy. Material changes will be notified.
8. Contact / signature
[COMPANY_LEGAL_NAME], [COMPANY_ADDRESS] — [COMPANY_EMAIL]. Countersignature blocks for both parties to be added in the published document.