Legal

Data Processing Agreement

Last updated: 1 January 2026

[REPLACE — final copy from legal. This template is a placeholder for enterprise customers who require a formal DPA.]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Galexivo ("Processor") and applies where Galexivo processes personal data on your behalf in connection with the Galexivo service.

1. Scope and purpose

Galexivo processes personal data only to provide the services described in the Terms of Service. The categories of personal data processed depend on your gallery's use of the service and may include names, email addresses, and contact details of your collectors and artists.

Because your gallery data is stored in your own Cloudflare account, Galexivo's role as a data processor is limited primarily to the account management layer (your Galexivo subscription account) rather than your gallery's operational data, which you control directly.

2. Data controller obligations

As the data controller, you are responsible for:

  • Ensuring you have a lawful basis for processing personal data of your collectors and artists
  • Responding to data subject access requests relating to data in your gallery instance
  • Maintaining records of processing activities as required by applicable law
  • Ensuring that any personal data you enter into Galexivo is limited to what is necessary

3. Data processor obligations

Galexivo will:

  • Process personal data only on your documented instructions
  • Implement appropriate technical and organisational security measures
  • Assist you in responding to data subject requests where technically feasible
  • Notify you without undue delay in the event of a personal data breach affecting your account data
  • Delete or return personal data upon termination of the service as requested

4. Sub-processors

Galexivo uses the following sub-processors:

  • Cloudflare, Inc. — infrastructure, hosting, and CDN (United States, with global edge presence)
  • Stripe, Inc. — payment processing for subscription billing (United States)

We will notify you of any intended changes to sub-processors with at least 30 days' notice.

5. International data transfers

Cloudflare operates a global network. You can configure your Cloudflare account to restrict data residency to specific regions. Galexivo account data (subscription information) is processed in the United States. For transfers from the European Economic Area, we rely on Standard Contractual Clauses.

6. Data subject rights

For personal data stored in your Galexivo subscription account (your own account details), contact us at [email protected] to exercise your rights.

For personal data in your gallery instance (collector and artist records), you control this data directly and are responsible for responding to data subject requests.

7. Execution

This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service, you also accept this DPA. If your organisation requires a countersigned DPA, contact [email protected].