Data Processing Addendum (DPA)
Last Updated: March 13, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service between the Client (acting as "Data Controller") and Coral Design Studio (acting as "Data Processor"). It applies where we process Personal Data subject to the General Data Protection Regulation (GDPR) or similar privacy frameworks on your behalf during the provision of our drafting services.
1. Definitions & Roles
The terms "Personal Data", "Data Subject", "Controller", "Processor", and "Processing" have the meanings given in the GDPR. The parties acknowledge that the Client is the Data Controller, and Coral Design Studio is the Data Processor, handling data solely on the Controller's documented instructions.
2. Scope & Duration of Processing
We process name, email, phone number, project address, and drafting blueprints solely to deliver technical drafting services and manage project workflows through the Client Portal. Data is processed for the duration of the active agreement plus six (6) months for archival purposes.
3. Technical & Organizational Security Measures
The Processor implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. This includes SSL/TLS encryption for all data in transit, database encryption at rest, secure key management, and strict access controls limited to authorized personnel.
4. Sub-processors
The Controller grants general authorization to the Processor to engage sub-processors (such as Supabase for database hosting and Vercel for web application hosting). The Processor ensures that all sub-processors are bound by data protection obligations equivalent to those in this DPA.
5. Data Subject Rights & ARCO Support
We will promptly notify the Controller if we receive a request from a Data Subject to exercise their rights (such as ARCO/GDPR requests). The Processor will assist the Controller by providing access to the tools inside the Portal or retrieving the relevant logs within ten (10) business days, enabling the Controller to meet its legal obligations.
6. Breach Notification
In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data, the Processor will notify the Controller without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach.
7. International Data Transfers
Any transfers of Personal Data outside the European Economic Area (EEA) will be protected by appropriate safeguards, including the EU Standard Contractual Clauses (SCCs), or executed under an adequacy decision, ensuring an equivalent level of protection.