Data Processing Agreement (DPA)
Effective Date: 1 May 2026
Last Updated: 1 May 2026
This Data Processing Agreement ("DPA") supplements and forms part of the master commercial agreement (the "Main Agreement") between Global Ink Alliance Ltd ("GIA", "we", "us", "Processor") and the entity using GIA business-to-business services (the "Customer", "you", "Controller").
This DPA applies to GIA's processing of personal data on behalf of the Customer (for example, where a tattoo studio uses GIA Partnership tools to manage relationships with its own clients or guest artists).
This DPA is designed to comply with:
- UK GDPR and the Data Protection Act 2018
- EU GDPR (Regulation 2016/679)
- The EU Standard Contractual Clauses 2021 (where applicable)
- The UK International Data Transfer Addendum (where applicable)
1. Definitions
The terms "personal data", "data subject", "processing", "processor", "controller", "sub-processor", and "supervisory authority" have the meanings given in the UK GDPR and the EU GDPR.
In this DPA:
- "Customer Personal Data" means any personal data that GIA processes on the Customer's behalf in connection with the Main Agreement.
- "Data Protection Laws" means the UK GDPR, the EU GDPR, the Data Protection Act 2018, and any other applicable data-protection laws.
2. Roles of the Parties
Where GIA processes Customer Personal Data on behalf of the Customer (e.g. data that the Customer's clients submit through Customer-managed booking forms or guest-artist channels), the Customer is the Controller and GIA is the Processor.
Where GIA processes personal data for its own purposes (e.g. when a data subject directly registers a personal GIA account, AI Sketch usage, sub-processor management, fraud detection, security), GIA acts as a separate Controller and our Privacy Policy governs.
This DPA covers only the Processor scenario.
3. Subject Matter, Duration, Nature, and Purpose
| Element | Description |
|---|---|
| Subject matter of processing | Personal data of the Customer's clients, guest artists, or contacts processed via GIA business tools |
| Duration | The term of the Main Agreement plus any retention period thereafter |
| Nature and purpose | Booking management, communication, scheduling, deal documentation, performance of B2B services |
| Categories of data | Identifiers (name, contact channels), profile data, communications, content uploaded by data subjects |
| Categories of data subjects | Customer's clients, guest artists, walk-ins, contacts |
4. Customer Instructions
GIA processes Customer Personal Data only:
- (a) On documented written instructions from the Customer (the Main Agreement and this DPA constitute initial instructions)
- (b) As required by law (in which case GIA will inform the Customer beforehand unless prohibited)
If GIA believes an instruction infringes Data Protection Laws, GIA will inform the Customer.
5. Confidentiality
GIA ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality undertakings or are under a statutory obligation of confidentiality.
6. Security Measures (Article 32 GDPR)
GIA implements appropriate technical and organizational measures to protect Customer Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest (disk-level encryption on all servers and backups)
- Access controls — production access limited to named personnel on a need-to-know basis, with multi-factor authentication
- Logical separation of Customer environments
- Regular vulnerability scanning and patching
- Self-hosted error tracking (no third-party SaaS for crash logs)
- Secure software development lifecycle with code review for changes touching personal data
- Data-loss prevention — daily encrypted backups retained for 90 days
- Incident response plan with 72-hour notification commitment to the Customer
GIA reviews these measures periodically and may update them so long as the level of protection is not reduced.
7. Sub-processors
The Customer authorizes GIA to engage the sub-processors listed in Annex II for the purposes described there.
7.1 Notification of New Sub-processors
GIA will notify the Customer of any new sub-processor at least 30 days before that sub-processor begins to process Customer Personal Data. Notification is by email to the Customer's privacy contact.
7.2 Customer Objection Right
The Customer may object on reasonable data-protection grounds within 30 days of notification. The parties will work in good faith to address the objection. If unresolved, the Customer may terminate the Main Agreement (or the affected service) without penalty.
7.3 Sub-processor Obligations
GIA imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA. GIA remains liable to the Customer for the acts and omissions of its sub-processors.
8. International Transfers
Most processing occurs on GIA servers in Germany (EU). Where Customer Personal Data is transferred outside the UK / EEA — typically to sub-processors based in the United States or elsewhere — GIA implements:
- (a) The EU Standard Contractual Clauses (2021/914) with the relevant module
- (b) The UK International Data Transfer Addendum to the EU SCCs, where the data is subject to UK GDPR
- (c) Reliance on adequacy decisions of the European Commission or UK Secretary of State where they exist (e.g. the EU-US Data Privacy Framework)
A current list of the safeguards used for each sub-processor is in Annex II.
9. Data Subject Rights Assistance
GIA assists the Customer in fulfilling the Customer's obligation to respond to data-subject requests:
- GIA provides reasonable cooperation in identifying and exporting Customer Personal Data
- For requests addressed directly to GIA, GIA will redirect the data subject to the Customer when GIA is acting as Processor for that data
- The Customer is responsible for the substantive response within statutory deadlines
10. Personal Data Breach Notification
Without undue delay, and in any event within 72 hours of becoming aware, GIA will notify the Customer of any personal data breach affecting Customer Personal Data.
The notification will include, where reasonably available:
- The nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences
- Measures taken or proposed to mitigate
GIA assists the Customer with notifications to supervisory authorities and data subjects where required by law.
11. Data Protection Impact Assessment (DPIA)
GIA provides reasonable assistance to the Customer in carrying out DPIAs and prior consultations with supervisory authorities (Articles 35 and 36 GDPR), to the extent the Customer cannot do so without GIA's information.
12. Audits
The Customer may audit GIA's compliance with this DPA on 30 days' written notice, no more than once per year (more frequently if a regulator requires it or after a breach):
- Audits are conducted at the Customer's expense unless the audit reveals a material breach
- The auditor must be bound by confidentiality
- GIA may require the auditor to be an independent third-party firm reasonably acceptable to GIA
- GIA may satisfy audit obligations by providing recent third-party certifications (e.g. ISO 27001) or summary reports where appropriate
13. Return or Deletion of Data
On termination of the Main Agreement, GIA will, at the Customer's choice:
- (a) Delete Customer Personal Data within 90 days, with deletion certified by GIA on request, OR
- (b) Return Customer Personal Data to the Customer in a structured, commonly used, machine-readable format (typically JSON or CSV), within 30 days
GIA may retain Customer Personal Data only to the extent and for the duration required by law. Such retained data continues to be subject to this DPA's confidentiality and security obligations.
14. Liability
The liability provisions of the Main Agreement apply to this DPA, except that nothing in the Main Agreement limits liability for breaches of Data Protection Laws below the minimum required by law.
15. Conflict
If there is a conflict between this DPA and the Main Agreement, this DPA prevails on data-protection matters.
16. Governing Law
This DPA is governed by the laws of England and Wales unless the Main Agreement specifies otherwise. Where the EU SCCs are incorporated, those clauses are governed by the law specified in the SCCs themselves.
ANNEX I — DETAILS OF PROCESSING
| Item | Description |
|---|---|
| Controller (Customer) | [INSERT CUSTOMER LEGAL NAME, ADDRESS, REGISTRATION NUMBER] |
| Customer DPO / privacy contact | [INSERT EMAIL] |
| Processor (GIA) | Global Ink Alliance Ltd, Suite RA01, 195-197 Wood Street, London, E17 3NU, UK, company number 17173898 |
| GIA contact | privacy@globalinkalliance.com |
| Data subjects | Customer's clients, guest artists, contacts |
| Categories of data | Identifiers, contact channels, profile, communications, content |
| Special categories | None expected; if accidentally provided (e.g. health remarks in chat), processed under Article 9(2)(a) consent of data subject or as instructed |
| Frequency of transfer | Continuous, for the term of the Main Agreement |
| Nature | Hosted SaaS-style platform processing |
| Purpose | B2B service delivery as described in the Main Agreement |
| Retention | Per Privacy Policy retention table; on termination, per Section 13 of this DPA |
ANNEX II — APPROVED SUB-PROCESSORS
| Sub-processor | Service | Location | Transfer safeguards |
|---|---|---|---|
| IONOS SE | Server hosting | Germany (EU) | None required (EU) |
| Replicate Inc. | AI image generation | United States | EU SCCs + UK IDTA |
| ipapi.co | IP-based country detection | United States | EU SCCs + UK IDTA |
| OpenStreetMap Foundation | Map tiles, reverse geocoding | UK / EU | None required |
| Stripe Inc. / Stripe Payments Europe Ltd | Payment processing on web | Ireland (EU) / United States | EU SCCs + UK IDTA |
| Apple Inc. | App Store distribution and IAP | United States | EU SCCs + UK IDTA |
| Google LLC | Google Play distribution and IAP | United States | EU SCCs + UK IDTA |
GIA reviews this list annually and notifies the Customer per Section 7.
ANNEX III — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
A summary of GIA's TOMs (per Section 6) is available on request from privacy@globalinkalliance.com. The summary covers:
- Pseudonymization and encryption
- Confidentiality, integrity, availability, and resilience of processing systems
- Restoration of availability after incidents
- Regular testing of security measures
- Personnel access controls
- Physical and environmental security at the data centre
- Vendor management and sub-processor oversight
SIGNATURES
Customer (Controller)
Legal name: __________________________
Address: __________________________
Registration number: __________________________
Signed by (name & title): __________________________
Signature: __________________________
Date: __________________________
Global Ink Alliance Ltd (Processor)
Signed by: Denys Humen, Director
Address: Suite RA01, 195-197 Wood Street, London, E17 3NU, UK
Company number: 17173898
Signature: __________________________
Date: __________________________
Document prepared for Global Ink Alliance Ltd. Version 1.0 — 1 May 2026