Partikl

Pricing

Docs

Legal

Data Processing Agreement

GDPR Article 28 compliant DPA between you and Partikl

Last updated: April 5, 2026

v1.0.0

Effective April 5, 2026

·

Governed by Georgia / EU SCCs law

Data Processing Agreement

ℹ️

Who needs this

This DPA is relevant if you are using Partikl to process personal data of your end users or employees (for example: storing user avatars, processing user-generated content, or handling any files that may contain personal data). By accepting this DPA in your dashboard, you enter into this agreement as the Data Controller. Partikl acts as your Data Processor.

⚠️

How to accept

To formally accept this DPA, go to Dashboard → Settings → Legal → Accept DPA. The acceptance date and version are recorded in your account audit log. Enterprise customers requiring a countersigned PDF may contact legal@partikl.io.

1. Definitions and Roles

1.1 Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"):

"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).

"Processing" has the meaning given in GDPR Article 4(2).

"Controller" means the natural or legal person who determines the purposes and means of Processing of Personal Data.

"Processor" means a natural or legal person who Processes Personal Data on behalf of the Controller.

"Sub-processor" means any Processor engaged by Partikl to carry out specific Processing activities on behalf of the Controller.

"Data Subject" means the natural person to whom Personal Data relates.

"Supervisory Authority" means the competent data protection authority in the relevant EU member state.

"SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries adopted by the European Commission Decision 2021/914.

1.2 Roles

For the purposes of this DPA:

  • You (the Customer) are the Data Controller
  • Partikl is the Data Processor

Partikl determines no purposes or means of processing your Customer Content. We process Personal Data only as instructed by you through your use of the Service.

2. Subject Matter and Duration

2.1 Subject Matter

This DPA governs Partikl's processing of Personal Data contained in or derived from Customer Content uploaded to or processed by the Service on your behalf.

This DPA does not govern:

  • Processing of your Account data (email, name, billing) — governed by Privacy Policy
  • Processing performed by third-party Addons you have installed
  • Processing performed within your BYOS storage infrastructure

2.2 Duration

This DPA remains in effect for as long as your Account is active and Partikl processes Personal Data on your behalf. It terminates automatically upon Account termination, subject to the data deletion provisions in §8.

3. Nature and Purpose of Processing

3.1 Processing Activities

Partikl processes Personal Data that may be contained in Customer Content for the following purposes, as directed by you:

ActivityDescription
StorageStoring uploaded files in encrypted form
TransformationExecuting Pipeline operations (resize, encode, convert)
EncryptionApplying per-Namespace encryption to content at rest
DeliveryServing Variants via CDN to your application's end users
Variant generationCreating processed output versions per Pipeline
ReprocessingRe-applying updated Pipelines to existing content
BackupMaintaining redundant copies for durability

3.2 Categories of Personal Data

The categories of Personal Data processed depend on what you upload. Typical categories include:

  • Images that may contain faces or identifying features
  • Video content that may contain identifiable individuals
  • Documents that may contain personal information
  • Metadata associated with such files (filenames, EXIF data, timestamps)

Partikl does not require, request, or encourage you to upload special categories of Personal Data (sensitive data under GDPR Article 9). If you do upload such data, it is processed under the same technical controls as all other Customer Content.

3.3 Categories of Data Subjects

Data Subjects may include your end users, customers, employees, or any other individuals whose Personal Data appears in Customer Content that you upload to the Service.

4. Controller's Instructions

4.1 Documented Instructions

Partikl processes Personal Data only on your documented instructions. Your instructions are given through:

  • Your Pipeline configuration (what operations to perform)
  • Your Namespace settings (where to store, how to encrypt)
  • Your API calls (what to upload, transform, or delete)
  • Your dashboard actions (deletion requests, export requests)

4.2 Instruction Conflicts

If Partikl is required by EU or member state law to process Personal Data in a manner not covered by your instructions, we will notify you before such processing unless that law prohibits notification.

4.3 Compliance with Instructions

Partikl will promptly notify you if, in our reasonable opinion, an instruction infringes GDPR or other applicable EU data protection law.

5. Confidentiality

Partikl ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory). Personnel receive data protection training appropriate to their role.

6. Security Measures

6.1 Technical and Organizational Measures

Partikl implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures described at partikl.io/security and summarized below:

MeasureImplementation
Encryption at restAES-256-GCM or ChaCha20-Poly1305 per Namespace
Encryption in transitTLS 1.3 for all connections
Key managementNo plain-text key storage at any infrastructure layer
Access controlsRole-based access, least privilege principle
Audit loggingAccess events logged with timestamp and context
Infrastructure isolationLogical namespace isolation
Personnel accessNo human access to Customer Content in plain text
Incident responseDocumented response procedures

6.2 Security Updates

Partikl may update security measures over time to improve protection. Updates that reduce the overall security level will not be made without prior notice.

6.3 Your Security Responsibilities

You are responsible for:

  • Securing your Account credentials and API keys
  • Configuring appropriate access controls in your application
  • Implementing appropriate security for BYOS storage (if applicable)
  • Ensuring your Pipeline configurations do not inadvertently expose Personal Data to unauthorized parties

7. Sub-processors

7.1 Authorization

You authorize Partikl to engage sub-processors to assist in providing the Service. The current list of sub-processors is maintained at partikl.io/legal/subprocessors.

7.2 New Sub-processors

Partikl will notify you at least 30 days before adding a new sub-processor that processes Personal Data. Notification is given via email and dashboard notice.

7.3 Objection to Sub-processors

You may object to a new sub-processor within 14 days of notification by emailing privacy@partikl.io with your objection and reasons. If we cannot accommodate your objection without materially affecting the Service, you may terminate your Account with a full refund of any unused prepaid subscription amount.

7.4 Sub-processor Obligations

Partikl imposes data protection obligations on all sub-processors equivalent to those in this DPA. Partikl remains liable to you for the acts and omissions of sub-processors to the extent Partikl would be liable under this DPA.

8. Data Subject Rights

8.1 Assistance

Partikl provides you with technical means to assist in fulfilling Data Subject rights requests, including:

RightSelf-service tool
AccessDashboard data export
ErasureDashboard account/content deletion
PortabilityDashboard data export (JSON + original formats)
RectificationDashboard profile settings
RestrictionContact privacy@partikl.io

8.2 Forwarded Requests

If Partikl receives a Data Subject rights request directly that relates to Personal Data you control, we will forward it to you within 5 business days without acting on it (as that is your responsibility as Controller).

8.3 Response Assistance

Taking into account the nature of processing, Partikl will provide reasonable assistance to you in responding to Data Subject rights requests, where technically feasible.

9. Data Breach Notification

9.1 Notification Obligation

Partikl will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Content under this DPA.

9.2 Content of Notification

Notification will include, to the extent then known:

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.3 Your Obligations

You are responsible for notifying relevant Supervisory Authorities and affected Data Subjects as required by GDPR Articles 33 and 34. Partikl's notification to you under §9.1 does not constitute an admission of fault or liability.

10. Data Protection Impact Assessments

Where required, Partikl will provide reasonable assistance to you in conducting Data Protection Impact Assessments (DPIAs) and in prior consultations with Supervisory Authorities, taking into account the nature of processing and information available to Partikl.

11. Deletion and Return of Data

11.1 Upon Your Request

At your request, Partikl will:

  • Delete Customer Content from Partikl-managed storage (within 30 days)
  • Provide an export of Customer Content in original formats
  • Provide confirmation of deletion upon request

11.2 Upon Agreement Termination

Upon termination of this DPA and your Account:

  • Customer Content is deleted within 30 days of termination date
  • Deletion confirmation is available upon request
  • Backups containing your data are purged within the same period

11.3 Exceptions

Data that must be retained for legal or accounting purposes (billing records, transaction logs) is retained per applicable law and governed by the Privacy Policy, not this DPA.

12. Audit Rights

12.1 Audit Mechanism

Partikl makes available all information reasonably necessary to demonstrate compliance with this DPA, including:

  • This DPA and related policies
  • Security documentation at partikl.io/security
  • Sub-processor list at partikl.io/legal/subprocessors
  • Responses to reasonable security questionnaires

12.2 Third-Party Audits

Where available, Partikl will provide results of third-party security audits or certifications (such as SOC 2 Type II when obtained) in lieu of on-site customer audits.

12.3 On-Site Audit

On-site audits may be requested by Enterprise customers with at least 30 days written notice. On-site audits are subject to reasonable confidentiality obligations and may incur reasonable costs charged to the requesting party.

13. International Data Transfers

13.1 EU to Third Countries

Where processing of Personal Data requires transfer outside the EEA, Partikl ensures appropriate safeguards through:

  • EU Standard Contractual Clauses (SCCs) with sub-processors (Controller-to-Processor: Module 2 of Commission Decision 2021/914)
  • Assessment of legal frameworks in destination countries

13.2 SCCs Incorporation

The SCCs (Module 2: Controller to Processor) adopted by the European Commission Decision 2021/914 of 4 June 2021 are hereby incorporated into this DPA by reference and apply to transfers of Personal Data from the EEA to Partikl's infrastructure or sub-processors outside the EEA.

In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to international transfers.

13.3 Annex to SCCs

Annex I — Parties:

  • Data exporter: You (the Customer), as described in your Account
  • Data importer: Partikl Aleksei Umanchenko I/E, registered in Georgia.

Annex I — Description of Transfer:

  • Categories of data subjects: As described in §3.3
  • Categories of personal data: As described in §3.2
  • Frequency: Continuous (as you use the Service)
  • Nature and purpose: As described in §3.1
  • Retention period: As described in §11

Annex II — Technical and Organizational Measures: As described in §6.1 of this DPA and at partikl.io/security.

14. Liability

14.1 Allocation

Each party is liable to Data Subjects and Supervisory Authorities for its own compliance obligations under GDPR.

14.2 Indemnification

Each party agrees to indemnify and hold harmless the other party from claims, fines, or penalties imposed by Supervisory Authorities or Data Subjects that result from that party's breach of its obligations under this DPA or GDPR.

14.3 Cap

Partikl's total liability under this DPA is subject to the limitation of liability in the Terms of Service §16.

15. Governing Law and Disputes

This DPA is governed by the laws of Georgia. Disputes are subject to the dispute resolution provisions of the Terms of Service. For transfers subject to EU SCCs, the SCCs' governing law provisions apply to those transfers.

16. Order of Precedence

In the event of conflict between documents:

  1. EU Standard Contractual Clauses (for international transfers)
  2. This DPA
  3. Terms of Service
  4. Privacy Policy

Version 1.0.0 — Effective April 5, 2026 Legal Changelog

All systems operational

99.98% uptime

Status page

Partikl

© 2026 Partikl. All rights reserved.

Phone Number: +995 599 136 221

Move with ❤️ in Georgia

PrivacyTermsDMCAGDPR

GDPR Compliant

CCPA Ready

Data processed in EU / US regions

End-to-end encryption