Data Processing Agreement (DPA)
Last updated: 10/16/2025
1. Subject Matter
This DPA governs the processing of personal data by MyLabelDesk on behalf of the Customer in the course of providing the MyLabelDesk SaaS platform and related services (the "Services").
2. Roles of the Parties
- • The Customer acts as the Data Controller.
- • MyLabelDesk (ADIX) acts as the Data Processor.
- • MyLabelDesk shall process personal data only in accordance with the documented instructions of the Customer, as set out in this DPA, the Terms of Service, and the Customer's use of the Services.
3. Categories of Data
MyLabelDesk may process the following categories of personal data:
- • Identification data (name, email address).
- • Organization/Label information (label name, role).
- • Account information (subscription plan, settings).
- • Usage data (uploads, signings, reviews, activity logs).
- • Communication data (transactional emails, support).
Payment details are processed directly by Stripe as an independent controller. MyLabelDesk does not store credit card details.
4. Purpose of Processing
MyLabelDesk processes personal data solely for the following purposes:
- • Provision of the Services (account setup, demo review workflows, metadata management, analytics, etc.).
- • Customer account administration.
- • Security, monitoring, and troubleshooting.
- • Legal compliance (e.g. accounting, tax).
5. Subprocessors
MyLabelDesk engages the following subprocessors to deliver the Services:
- • Supabase (EU/Global) – authentication and database hosting.
- • Cloudflare R2 (EU/US regions) – file and audio storage.
- • Netlify (Global) – frontend hosting.
- • Stripe (Global) – payment processing (separate controller).
- • Google Workspace (EU/US) – email and communication (SMTP).
MyLabelDesk shall ensure subprocessors provide sufficient guarantees of GDPR compliance, including appropriate safeguards for international transfers (e.g. Standard Contractual Clauses).
6. Security Measures
MyLabelDesk implements appropriate technical and organizational measures, including:
- • Encryption in transit (TLS) and at rest.
- • Role-based access control (RLS) in databases.
- • Signed URLs for secure file access.
- • Regular monitoring for vulnerabilities.
- • Backups and disaster recovery procedures.
7. Confidentiality
All MyLabelDesk employees and subcontractors authorized to process personal data are bound by confidentiality obligations.
8. Data Retention and Deletion
- • Personal data is retained for the duration of the Customer's subscription.
- • Upon termination, all personal data will be deleted within 30 days, unless required by law to retain data longer.
- • During this 30-day period, the Customer may request restoration or export of data.
9. Data Subject Rights
MyLabelDesk shall assist the Customer, to the extent possible, in fulfilling obligations regarding:
- • Right of access, rectification, and erasure.
- • Right to restriction of processing.
- • Right to data portability.
- • Right to object.
Requests from data subjects received by MyLabelDesk shall be forwarded to the Customer without undue delay.
10. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), MyLabelDesk ensures such transfers are subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.
11. Audit and Compliance
- • MyLabelDesk shall make available information necessary to demonstrate compliance with this DPA.
- • Upon reasonable written request, the Customer may conduct audits (or appoint a qualified third party) limited to verifying MyLabelDesk's compliance with this DPA.
- • Audits shall not interfere unreasonably with MyLabelDesk's operations and may occur no more than once per year.
12. Liability
MyLabelDesk's liability under this DPA is subject to the limitations set out in the Terms of Service.
13. Term and Termination
This DPA remains in effect for as long as MyLabelDesk processes personal data on behalf of the Customer. Upon termination of the Services and expiration of the retention period, MyLabelDesk shall delete or anonymize all personal data.
14. Governing Law
This DPA is governed by the laws of Belgium. Any disputes shall be submitted to the competent courts of Ghent, Belgium.
Signed electronically by acceptance of the Terms of Service.