Data Processing Agreement
Last updated: 22 April 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between the customer identified in the master service agreement ("Controller") and Mantra Technology ("Processor"), collectively "the Parties".
2. Subject Matter
The Processor processes personal data on behalf of the Controller for the sole purpose of providing the Mantra Technology image generation service ("the Service") in accordance with the master service agreement.
3. Duration
This DPA applies for the term of the master service agreement and for 30 days thereafter to permit orderly return or deletion of data.
4. Categories of Data Subjects
Authorised users of the Controller who create accounts or are granted access to the Service.
5. Categories of Personal Data
- Email addresses and authentication identifiers.
- Language preferences.
- Prompt text submitted by users.
- Generated images and associated metadata.
- IP addresses, user agents, and usage logs collected for security and abuse prevention.
The Parties acknowledge that the Service is not intended to process special categories of data (GDPR Article 9) or data relating to criminal convictions (GDPR Article 10).
6. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to international transfers.
- Ensure that persons authorised to process the personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see §7).
- Engage Sub-processors only in accordance with §8.
- Assist the Controller in meeting requests from data subjects and other GDPR obligations.
- Make available to the Controller all information necessary to demonstrate compliance.
7. Security Measures
The Processor implements the following measures:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (server-side encryption on object storage).
- Access controls based on least-privilege, with authentication and session expiry.
- Logging of security-relevant events and review of access logs.
- Secure software development practices and dependency vulnerability scanning.
- Incident response procedures with notification to the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach.
8. Sub-processors
The Processor relies on Sub-processors as disclosed in the Privacy Policy. The Controller grants general authorisation for these Sub-processors. The Processor shall maintain an up-to-date list and shall notify the Controller of any addition or replacement, giving the Controller 30 days to object in writing.
9. Data Subject Rights
The Processor shall, to the extent permitted, assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 12 to 23.
10. International Transfers
Where personal data is transferred outside the European Economic Area, the Parties rely on the Standard Contractual Clauses adopted by the European Commission and, where appropriate, supplementary measures.
11. Return or Deletion
Upon termination of the master service agreement, the Processor shall, at the Controller's choice, return or delete all personal data within 30 days, unless retention is required by applicable law.
12. Audit
The Controller may, no more than once per year and with 30 days' prior written notice, audit the Processor's compliance with this DPA. Audits shall be conducted during business hours and without unreasonable disruption.
13. Liability
Each Party's liability under this DPA is subject to the liability provisions of the master service agreement.
14. Governing Law
This DPA is governed by French law. Disputes are subject to the jurisdiction of the courts designated in the master service agreement, or failing that, the courts of Paris.
Contact
legal@mantratechnologie.comfor DPA negotiation.privacy@mantratechnologie.comfor data-protection questions.