1. Parties and roles
For the purposes of GDPR Article 4 and Article 28, the Customer is the Controller and DSP Watch is the Processor of personal data processed through the DSP Watch service. The Customer determines the purposes and means of the processing; DSP Watch processes personal data only on documented instructions from the Customer, including those reflected in the terms of service, this DPA and the customer's configuration of the service.
For DSP Watch's own data processing — billing, account administration, security logging and product analytics — DSP Watch is an independent Controller and the privacy policy applies.
2. Subject matter and duration
Subject matter. Provision of the DSP Watch rights-operations platform: cataloguing recordings, scanning DSPs for unauthorised duplicates, scoring matches, dispatching takedown notices through five live adapters (dmca_generic, spotify_form, apple_form, youtube_cid, distributor_forward) and archiving the resulting audit trail.
Duration. This DPA applies for as long as DSP Watch processes personal data on behalf of the Customer under the terms of service, plus any retention period required by section 12 (return or deletion of data).
3. Nature and purpose of processing
DSP Watch processes personal data to (a) authenticate users and operate the Customer's account; (b) ingest and store catalogue metadata; (c) scan public DSP catalogues for matches; (d) generate, dispatch and archive takedown notices; (e) communicate with the Customer about the service; and (f) meet security, fraud, audit and legal obligations.
Processing operations include collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, alignment, restriction and erasure.
4. Personal data and categories of data subjects
Categories of data subjects
- the Customer's authorised users (label staff, managers, artists);
- the Customer's recording artists and rightsholders whose catalogue is monitored;
- third parties identified in takedown notices (alleged infringers, uploaders, distributor contacts) — limited to data that is already publicly displayed on the target DSP.
Types of personal data
- Identification & contact: name, email, account credentials (hashed), IP address, user-agent;
- Commercial: billing name and address, last 4 digits of card, tax identifiers (handled by Stripe);
- Catalogue & rights metadata: recording titles, ISRCs, UPCs, artist names, label name, release dates;
- Takedown evidence: public URLs, screenshots, uploader display names, channel IDs, claim text;
- Telemetry: service-usage logs, error reports, API request metadata.
DSP Watch does not require or solicit special categories of personal data under GDPR Article 9, nor data relating to criminal convictions under Article 10.
5. Processor obligations
In accordance with GDPR Article 28(3), DSP Watch will:
- process personal data only on the Customer's documented instructions, including with regard to transfers to a third country, unless required to do otherwise by Union or Member State law (in which case DSP Watch will inform the Customer before processing, unless prohibited by that law);
- ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory duty of confidentiality;
- implement the technical and organisational measures listed in section 6;
- respect the conditions in section 7 for engaging sub-processors;
- assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to data-subject requests under section 10;
- assist the Customer in ensuring compliance with the obligations under GDPR Articles 32 to 36 (security, breach notification, DPIA, prior consultation);
- at the choice of the Customer, delete or return all personal data after the end of the provision of services, as set out in section 12;
- make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits under section 11.
If DSP Watch considers that an instruction infringes the GDPR, UK GDPR or other applicable data-protection law, it will immediately notify the Customer.
6. Security measures (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, DSP Watch implements:
- encryption of personal data in transit (TLS 1.2+, HSTS, modern cipher suites) and at rest (AES-256 on Supabase Postgres and Cloudflare R2);
- role-based access control with least-privilege defaults and mandatory MFA for all DSP Watch staff with production access;
- short-lived bearer tokens, automatic credential rotation and an immutable audit log of administrative actions retained for at least 24 months;
- network isolation between worker tiers, secrets management through Cloudflare Workers secrets and Fly secrets;
- continuous vulnerability scanning, dependency updates and annual independent penetration testing;
- documented incident-response runbooks and an annually tested business-continuity plan with a recovery-time objective of 4 hours and a recovery-point objective of 15 minutes;
- data-minimisation: takedown evidence is normalised to remove fields not required for the notice; analytics use aggregated counts rather than identifiable per-user logs.
The full controls catalogue is published at /trust.
7. Sub-processors
The Customer provides general written authorisation for DSP Watch to engage the sub-processors listed below and at /legal/sub-processors. DSP Watch will:
- impose, by written contract, data-protection obligations on each sub-processor that are no less protective than those in this DPA;
- remain fully liable to the Customer for the performance of each sub-processor's obligations;
- give the Customer at least 30 days' prior notice (by email and the sub-processors page) of any intended addition or replacement of a sub-processor;
- allow the Customer to object on reasonable data-protection grounds within that 30-day window. If the objection cannot be resolved, the Customer may terminate the affected service and receive a pro-rata refund of any pre-paid, unused fees.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Primary application database, authentication and storage | United States (AWS us-east-1) |
| Cloudflare, Inc. | Edge CDN, Workers API, Pages hosting, DDoS protection | Global edge network (data centre nearest end-user) |
| Fly.io, Inc. | Headless-browser takedown workers and long-running jobs | United States, Europe (region pinned per customer) |
| Stripe Payments Australia Pty Ltd | Subscription billing, payment processing, tax calculation | United States, Ireland, Australia |
| Google LLC (Gemini API) | AI-assisted match-confidence scoring and content classification | United States, Europe |
8. International transfers
Where personal data of EU/EEA, UK or Swiss data subjects is transferred outside the EU/EEA, UK or Switzerland to a country that does not benefit from an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA, with the Customer acting as data exporter and DSP Watch as data importer (Module 2: controller-to-processor).
For UK transfers, the parties incorporate the UK International Data Transfer Addendum issued by the ICO under section 119A of the Data Protection Act 2018, version B.1.0.
DSP Watch has conducted, and will keep current, a transfer impact assessment ("TIA") covering each onward transfer to a sub-processor and makes the TIA available to the Customer on request.
9. Personal data breach — 72-hour notice
DSP Watch will notify the Customer of a personal data breach affecting Customer personal data without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent by email to the primary billing and security contacts on file and will, to the extent then known, include:
- the nature of the breach, categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects;
- the name and contact details of the DSP Watch security contact handling the incident.
Where complete information is not available within 72 hours, it will be provided in phases without undue further delay. DSP Watch will cooperate with the Customer to allow the Customer to meet its own notification obligations to supervisory authorities (GDPR Article 33) and data subjects (Article 34).
10. Data-subject request handling
DSP Watch provides self-service tooling in the admin console for the Customer to retrieve, rectify, export, restrict or erase personal data relating to a data subject, so that the Customer can fulfil requests under GDPR Articles 15–22 within the statutory 30-day response window.
If a data subject contacts DSP Watch directly with a request relating to Customer personal data, DSP Watch will, without undue delay and within 5 business days, forward the request to the Customer and will not respond directly unless authorised by the Customer or required by law.
Taking into account the nature of the processing, DSP Watch will assist the Customer by appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to such requests. Standard assistance is included in the subscription; extraordinary assistance may be invoiced at DSP Watch's then-current professional services rates.
11. Audits and information rights
DSP Watch will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA. The Customer is entitled to audit DSP Watch's processing activities once per 12-month period, on 30 days' written notice, during normal business hours, in a manner that does not unreasonably disrupt the service or compromise the data of other customers. Audits will primarily be satisfied by DSP Watch providing the most recent independent assurance report and the trust-centre control catalogue. On-site audits are permitted where the auditor is independent, has signed a non-disclosure agreement, and a genuine concern remains after review of the assurance report.
12. Return or deletion of data on termination
On termination or expiry of the service agreement, at the Customer's election:
- the Customer may export all personal data through the admin console during a 30-day grace period in a structured, commonly used and machine-readable format (JSON / CSV); and/or
- DSP Watch will permanently delete all Customer personal data from production systems within 90 days of termination, and from encrypted backups within 180 days, after which the data is cryptographically irretrievable.
Audit-log carve-out. DSP Watch will retain an immutable audit-log copy of takedown notices sent by the Customer for as long as required to defend the integrity of those notices, and in any event no longer than 7 years from the date the notice was sent. This is necessary because DMCA §512(f) misrepresentation claims, counter-notices and equivalent claims may surface years after a takedown, and the audit log is the Customer's primary defence.
DSP Watch will provide written confirmation of deletion on request.
13. Liability and order of precedence
Each party's liability under this DPA is subject to the limits and exclusions set out in section 7 of the terms of service. In the event of a conflict between this DPA and the terms of service, this DPA prevails on data-protection matters; in the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
14. Governing law
This DPA is governed by the laws of Victoria, Australia, except that, where personal data of EU/EEA data subjects is being processed and the Standard Contractual Clauses apply, the governing law for the Clauses is the law of the Republic of Ireland, as required by Clause 17 of the SCCs. For UK data subjects, the governing law for the UK Addendum is the law of England and Wales.
15. Contact
Data-protection notices, sub-processor objections, audit requests and breach correspondence must be sent to:
DSP Watch Pty Ltd
Attention: Data Protection Officer
[email protected]
Melbourne, Victoria, Australia