Katoads

Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") supplements the Katoads Terms of Service and governs the processing of personal data by Katoads SAS ("Processor") on behalf of the customer ("Controller") in connection with the use of the Katoads platform. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies whenever the Controller's use of the Service involves the processing of personal data of EU/EEA data subjects.

2. Definitions

  • "Controller" — The customer entity that determines the purposes and means of processing personal data through use of the Katoads Service.
  • "Processor" — Katoads SAS, which processes personal data on behalf of the Controller.
  • "Personal Data" — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" — Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in Article 4(2) GDPR.
  • "Sub-processor" — Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Scope & Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Katoads Service to the Controller, in accordance with the Controller's documented instructions.

Subject matter: Provision of AI-powered advertising creative generation services.

Duration: For the term of the service agreement between the parties, plus any legally required retention period.

Nature of processing: Collection, storage, analysis, AI processing, and delivery of advertising creatives. User data is processed for authentication, billing, and service delivery.

Purpose: Enabling the Controller and its authorized users to generate, manage, and export AI-powered advertising content.

Categories of data: User identity data (name, email), authentication data, usage data (generation history, preferences), product data (uploaded images, descriptions), payment references.

Data subjects: Controller's employees, contractors, and authorized end-users of the Katoads platform.

4. Obligations of the Controller

  • Ensure that the processing of Personal Data through the Service has a valid legal basis under the GDPR (e.g., consent, contract, legitimate interest).
  • Provide the Processor with documented instructions regarding the processing of Personal Data and notify of any changes.
  • Ensure that individuals whose data is processed through the Service are informed about the processing in accordance with Articles 13 and 14 GDPR.

5. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law (Article 28(3)(a) GDPR).
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality obligations.
  • Implement appropriate technical and organizational security measures in accordance with Article 32 GDPR.
  • Not engage another processor without prior specific or general written authorization of the Controller (Article 28(2) GDPR).
  • Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within the statutory timeframes.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits.

6. Authorized Sub-processors

The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

Sub-processor    Purpose                                            Location
Clerk            User authentication & identity management          USA (EU data processing available)
Stripe           Payment processing & billing                       USA / Ireland (EU)
Vercel           Application hosting, CDN, blob storage             Global (primary: USA / EU)
Supabase         Database hosting & real-time features              EU (Frankfurt)
Google (Gemini)  AI product analysis & image generation (Gemini)    Global (EU processing available)
fal.ai           AI video generation                                USA / EU
Sentry           Error monitoring & performance tracking            USA (EU data processing)
Upstash          Rate limiting & caching (Redis)                    EU (Frankfurt)

7. International Data Transfers

Where Personal Data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards are in place in accordance with Chapter V GDPR. This includes: EU-US Data Privacy Framework certifications for US-based sub-processors, Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), and additional supplementary measures where required following a transfer impact assessment. The Processor will inform the Controller of any changes affecting the adequacy of transfer safeguards.

8. Security Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access control with role-based permissions and multi-factor authentication
  • Regular security assessments and dependency vulnerability scanning
  • Data isolation between customer accounts at the database level
  • Automated backups with encrypted storage and tested restoration procedures

9. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. The Processor shall cooperate with the Controller in investigating the breach and fulfilling any notification obligations to supervisory authorities (Article 33 GDPR) and data subjects (Article 34 GDPR).

10. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests under Articles 15-22 GDPR. Upon receiving a request directly from a data subject, the Processor shall promptly redirect the request to the Controller and shall not respond directly unless instructed to do so. Technical support for data export, rectification, and deletion requests is provided at no additional charge.

11. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless required by a supervisory authority or following a data breach. The Processor shall cooperate fully and provide all necessary access and documentation. Audit costs are borne by the Controller unless the audit reveals material non-compliance.

12. Duration & Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days, and certify such deletion in writing, unless EU or Member State law requires continued storage. Processing activities necessary for deletion or return of data are covered by this DPA until completion.

© 2026 Katoads. All rights reserved.