
Data Processing Addendum.

EFFECTIVE FEBRUARY 1, 2026 · LAST UPDATED FEBRUARY 1, 2026 · V1.0

This Data Processing Addendum (“DPA”) forms part of the agreement between AntiNude (“AntiNude”, “we”, “Processor”) and the customer that has accepted our Terms of Service (“Customer”, “Controller”) and governs the processing of Personal Data carried out by AntiNude on behalf of the Customer in connection with the Services. It is designed to satisfy the requirements of the EU GDPR, UK GDPR, Swiss FADP, and equivalent state-level laws in the United States (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA). A countersigned PDF is available on request from legal@antinude.io.

§01 Definitions.

Capitalised terms not defined here have the meaning given in the GDPR or in the Terms of Service.

  • Controller, Processor, Data Subject, Personal Data, Processing, and Supervisory Authority have the meanings given in Article 4 GDPR.
  • Sub-processor means any third party engaged by AntiNude to process Customer Personal Data.
  • Standard Contractual Clauses or SCCs means the EU Commission’s Module Two clauses adopted by Decision 2021/914.
  • UK Addendum means the International Data Transfer Addendum issued by the UK ICO under s.119A Data Protection Act 2018.
  • Personal Data Breach has the meaning given in Article 4(12) GDPR.

§02 Roles and scope.

The parties acknowledge that, with respect to Customer Personal Data processed under the Services, the Customer is the Controller and AntiNude is the Processor. Where Customer acts as a processor for a third party, AntiNude acts as a sub-processor and this DPA applies on that basis.

AntiNude processes Customer Personal Data only on documented instructions from the Customer, which include this DPA, the Terms of Service, and the configuration choices made by the Customer in the dashboard or via the API. AntiNude will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

§03 Subject matter, duration, nature and purpose.
  • Subject matter: provision of the AntiNude content-safety SDK, Hosted Cloud API, dashboard, and related support.
  • Duration: for as long as the Customer maintains an active account, plus the retention windows in Section 9.
  • Nature and purpose: on-device classification of images for nudity (object detection), abuse prevention, billing, security monitoring, and customer support. Video scanning is on the roadmap.
  • Categories of Data Subjects: the Customer’s end users, and the Customer’s own personnel who administer the account.
  • Categories of Personal Data: account identifiers (email, name); device telemetry; the request IP address; per-class detection scores returned by the on-device model. No image bytes leave the device under the on-device SDK; a Hosted Cloud API (not yet available) would, when shipped, additionally process image bytes for the duration of inference.
  • Special category data: if and when the Hosted Cloud API ships, images submitted to it may incidentally reveal special-category data within the meaning of Article 9 GDPR. The Customer would be responsible for ensuring it has a lawful basis under Article 9(2) for such processing.

§04 Customer obligations.

The Customer warrants that:

  • It has provided all required notices and obtained all necessary lawful bases (including consent where required) for AntiNude’s processing of Customer Personal Data.
  • Its instructions to AntiNude comply with applicable data protection laws.
  • It will not submit to the Services any Personal Data of children under the minimum age permitted by applicable law without the legally required parental consent.

§05 Confidentiality and personnel.

AntiNude ensures that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations, receive regular data-protection and security training, and access data on a least-privilege, need-to-know basis enforced by SSO, hardware-key MFA, and audited just-in-time access.

§06 Security measures.

AntiNude implements and maintains the technical and organisational measures set out in Annex II below, in line with Article 32 GDPR. These include, at minimum:

  • Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Network segmentation, firewalling, and DDoS mitigation at the edge.
  • Centralised audit logging, anomaly detection, and 24/7 on-call response.
  • A public security disclosure programme at security@antinude.io.
  • Documented secure SDLC including code review, dependency scanning, and SAST/DAST in CI.
  • Business continuity and disaster recovery testing at least annually.

AntiNude may update its security measures from time to time provided the level of protection is not materially reduced.

§07 Sub-processors.

The Customer grants AntiNude a general authorisation to engage Sub-processors, subject to the conditions in this Section. The current list is reproduced in Annex III below.

  • AntiNude will impose on each Sub-processor data-protection obligations no less protective than those in this DPA.
  • AntiNude remains fully liable to the Customer for the performance of each Sub-processor.
  • AntiNude will give the Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor via email or the dashboard.
  • The Customer may object on reasonable data-protection grounds within the notice period. If the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Services without penalty and receive a pro-rata refund of any pre-paid fees.

§08 International transfers.

Where AntiNude transfers Customer Personal Data out of the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the parties agree that the Module Two SCCs are hereby incorporated by reference and apply as follows:

  • Clause 7 (Docking clause) — included.
  • Clause 9(a) — Option 2 (general written authorisation) with a 30-day notice period.
  • Clause 11(a) — independent dispute resolution option is not selected.
  • Clause 17 — governed by the law of Ireland.
  • Clause 18 — forum and jurisdiction: the courts of Ireland.
  • Annex I.A/B/C — populated by Annexes I and III of this DPA.
  • Annex II — populated by Annex II of this DPA.

For UK transfers, the UK Addendum is incorporated and Tables 1–4 are completed by reference to the SCCs as populated above. For Swiss transfers, the SCCs are read with the adjustments published by the FDPIC.

§09 Retention, return and deletion.
  • Telemetry events: retained for 13 months, then deleted.
  • Hosted Cloud API inputs: n/a today (no such endpoint exists). When the Hosted Cloud API ships, inputs will be processed in volatile memory, deleted immediately after the response, never written to persistent storage, and never used for model training.
  • Account data: retained for the life of the account plus 90 days for billing, audit, and dispute purposes.
  • Backups: encrypted, retained for 35 days on a rolling basis, then cryptographically erased.

On termination of the Services, AntiNude will, at the Customer’s option, return or delete all Customer Personal Data within 30 days, unless retention is required by law. On request, AntiNude will provide a written certificate of deletion.

§10 Data-subject requests.

Taking into account the nature of the processing, AntiNude will provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising rights of access, rectification, erasure, restriction, portability, and objection. Most such requests can be served directly by the Customer through the dashboard’s data-export and deletion tooling. AntiNude will forward to the Customer, without substantive response, any request it receives that concerns the Customer’s end users.

§11 Personal Data Breach notification.

AntiNude will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed to address it. Initial notifications are sent to the security contact configured in the account; if none is set, to the account owner.

Notification is not, by itself, an acknowledgement of fault or liability.

§12 Audits.

AntiNude will make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR, primarily through the security documentation at antinude.io/security.

Where those materials are insufficient, the Customer may, on 30 days’ written notice and no more than once per 12 months (except where required by a Supervisory Authority or following a Personal Data Breach), conduct an audit by an independent auditor bound by confidentiality, during business hours, in a manner that does not disrupt operations or expose other customers’ data. The Customer bears its own costs and those of the auditor.

§13 Data Protection Impact Assessments.

AntiNude will provide reasonable assistance to the Customer with data-protection impact assessments and prior consultations with Supervisory Authorities under Articles 35 and 36 GDPR, where required and solely in relation to the Services.

§14 US state privacy laws.

Where the CCPA/CPRA applies, AntiNude acts as a “Service Provider”. AntiNude shall not:

  • “Sell” or “Share” Customer Personal Data as those terms are defined under the CCPA.
  • Retain, use, or disclose Customer Personal Data outside the direct business relationship or for any purpose other than the business purposes specified in the Terms of Service.
  • Combine Customer Personal Data with personal information received from other sources, except as permitted by 11 CCR §7050(b).

AntiNude certifies that it understands these restrictions and will comply with them. Equivalent provisions apply under VCDPA, CPA, CTDPA, and UCPA.

§15 Liability and term.

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. This DPA enters into force on the Effective Date and terminates automatically when the Services terminate. Sections that by their nature should survive (including 5, 8, 9, 11, and 14) survive termination.

§16 Order of precedence.

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. The SCCs prevail over both in case of conflict for restricted transfers.

§17 Annex I — Parties and processing details.

A. List of parties

Data exporter (Controller): the Customer, as identified in the account billing profile.

Data importer (Processor): AntiNude, Inc., 2261 Market Street #4242, San Francisco, CA 94114, USA. Contact: legal@antinude.io. EU representative under Article 27 GDPR: EDPO (European Data Protection Office), Avenue Huart Hamoir 71, 1030 Brussels, Belgium — antinude@edpo.com. UK representative under Article 27 UK GDPR: EDPO UK Ltd, 8 Northumberland Avenue, London WC2N 5BY — antinude-uk@edpo.com.

B. Description of transfer

  • Categories of Data Subjects: Customer’s end users; Customer’s administrative personnel.
  • Categories of Personal Data: as described in Section 3 above.
  • Sensitive data: none today (on-device inference only). If the Hosted Cloud API ships and the Customer opts into it, images submitted to it may contain special-category data; subject to the Customer’s own lawful basis.
  • Frequency of transfer: continuous, for the duration of the Services.
  • Nature of processing: on-device classification telemetry; optional cloud inference, if and when the Hosted Cloud API ships and the Customer opts into it; storage of account, billing, and audit data.
  • Purpose: provision of the Services, billing, security, and product improvement consistent with this DPA.
  • Retention: as set out in Section 9.

C. Competent supervisory authority

The Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

§18 Annex II — Technical and organisational measures.
  • Pseudonymisation and encryption: TLS 1.2+ in transit; AES-256 at rest; KMS-managed keys with hardware-backed roots; per-tenant encryption contexts.
  • Confidentiality, integrity, availability, resilience: redundant multi-AZ deployments; rate limiting; WAF; immutable infrastructure; signed builds.
  • Restoration: point-in-time recovery for primary databases; encrypted backups tested at least annually; documented RTO of 4 hours and RPO of 1 hour for tier-1 services.
  • Testing and evaluation: annual third-party penetration test; continuous SAST/DAST in CI; quarterly internal access reviews.
  • User identification and authorisation: SSO with mandatory hardware-key MFA for staff; SCIM provisioning; role-based access; just-in-time access for production with full audit trail.
  • Data minimisation: on-device inference; telemetry events of fixed shape (verdict + per-class scores only); no image bytes or bounding-box coordinates leave the device.
  • Logging and monitoring: centralised, append-only logs; 90-day hot retention; alerting on anomalous access patterns.
  • Vendor management: security reviews of all sub-processors; contractual flow-down of GDPR Article 28 obligations.
  • Incident response: documented runbooks; on-call rotation; tabletop exercises at least twice per year.

§19 Annex III — Authorised Sub-processors.

The list below is current as of the Last Updated date.

  • Amazon Web Services, Inc. — primary cloud hosting (compute, storage, KMS). Region: eu-central-1, us-east-1.
  • Cloudflare, Inc. — edge CDN, WAF, and DDoS mitigation. Global.
  • Stripe, Inc. — payment processing and tax. US / EU.
  • Datadog, Inc. — infrastructure metrics and application monitoring. EU region.
  • Sentry (Functional Software, Inc.) — error reporting. EU region.
  • Postmark (ActiveCampaign LLC) — transactional email delivery. US.
  • Intercom, Inc. — customer support messaging. EU region.
  • Google Workspace (Google LLC) — internal email, documents, and identity. EU / US.

§20 How to execute this DPA.

This DPA is automatically incorporated into the Terms of Service on acceptance — no countersignature is required for it to be legally effective. Using the Services constitutes acceptance of this DPA on behalf of the Customer and its Authorised Affiliates.

If your procurement process requires a countersigned copy, email legal@antinude.io with:

  • Your legal entity name and registered address.
  • The name, title, and email of the authorised signatory.
  • Any specific clauses your team needs to review or negotiate.

We will return a countersigned PDF within two business days. We can sign via DocuSign, Adobe Sign, or a plain PDF — whichever your team prefers.
