Data Processing Addendum

Last updated: July 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Topaz Media ("we", "us", "our") and the customer ("you", "your"). It governs the processing of personal data where you are the data controller and we are the data processor, in compliance with the UK Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed under your use of the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • "Data Controller" means you — the entity that determines the purposes and means of processing Personal Data.
  • "Data Processor" means Topaz Media — the entity that processes Personal Data on behalf of the Data Controller.
  • "Subprocessor" means a third-party engaged by Topaz Media to process Personal Data on behalf of the Data Controller.

2. Processing Details

  • Subject matter: Provision of digital signage platform services.
  • Duration: The period during which you have an active account.
  • Nature and purpose: Storing, displaying, and transmitting content on connected screens; account management; analytics.
  • Categories of data subjects: Your customers, visitors, employees, or other individuals whose data you choose to display or process through the Service.
  • Types of Personal Data: Any data you choose to upload or display, which may include names, contact details, images, or other personal information.

3. Processor Obligations

Topaz Media shall:

  • Process Personal Data only on your documented instructions, unless required to do so by applicable law.
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see Section 6).
  • Notify you without undue delay of any Personal Data breach.
  • Assist you in fulfilling your obligations regarding data subject rights, breach notification, and data protection impact assessments.
  • Delete or return all Personal Data at your request upon termination of the Service.
  • Make available all information necessary to demonstrate compliance with this DPA.

4. Data Subject Rights

Where we receive a request from a data subject concerning their Personal Data processed under your account, we will forward it to you promptly. We will assist you in responding to such requests to the extent required by applicable data protection law.

5. Subprocessors

You authorize Topaz Media to engage the following Subprocessors. We will notify you at least 30 days before adding or replacing any Subprocessor.

SubprocessorServiceLocation
Amazon Web Services (AWS)Cloud hosting (S3, EC2)UK / EU / US
Google LLC (Google Cloud)Cloud infrastructure, Google AnalyticsEU / US
Stripe, Inc.Payment processingUS / EU
Segment (Twilio)Analytics data routingUS / EU
Chatbase (Reka.ai)AI chatbotUS

6. Security Measures

Topaz Media implements the following technical and organizational security measures:

  • Encryption of data in transit using TLS 1.2+.
  • Encryption of data at rest where technically feasible.
  • Access controls based on the principle of least privilege.
  • Regular security reviews and updates.
  • Secure data deletion upon account termination.

7. International Transfers

Personal Data may be transferred to countries outside the UK and EEA where Subprocessers are located. Such transfers are governed by the UK International Data Transfer Agreement or EU Standard Contractual Clauses, as applicable. You may request a copy of these safeguards by contacting us.

8. Data Breach Notification

We will notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting your data. We will provide reasonable information to assist you in meeting your notification obligations.

9. Deletion of Data

Upon termination of your account, we will delete or return all Personal Data within 60 days, unless retention is required by applicable law. You may request confirmation of deletion.

10. Audits

Upon your written request (no more than once per 12 months), we will make available information necessary to demonstrate our compliance with this DPA, provided such requests do not disrupt our business operations. Any audit shall be at your expense.

11. Governing Law

This DPA shall be governed by the laws of England and Wales, consistent with the Terms of Service.

12. Contact

For questions about this DPA or to exercise data subject rights:

Email: contact@topaz.media