Parties
This Data Processing Agreement ("DPA") is entered into between BEY AGENCY LTD, a private limited company registered in England and Wales under company number 16435596 ("Processor"), and the individual or entity identified as the customer in a separate Sponsor Agreement, order form or equivalent instrument ("Controller"). It forms part of, and is governed by, the Terms of Service and the Sponsor Agreement between the parties.
Subject Matter, Nature and Duration
The subject matter of the processing is the personal data necessary for Processor to deliver the Service to Controller. The nature and purpose of processing is limited to operating, securing and improving the Service, providing analytics in connection with sponsor placements, and fulfilling Controller's instructions. Processing shall continue for the duration of the underlying contract, after which Section 11 (Return or Deletion) applies.
Types of Personal Data and Data Subjects
The personal data processed under this DPA may include contact details of Controller's employees and authorised representatives, billing contacts, and end-user impressions related to sponsor-placed Content. Data subjects include Controller's representatives and end users who interact with Controller's sponsor Content on the Service.
Processor Obligations
Processor shall:
- Process personal data only on documented instructions from Controller and in accordance with the Terms of Service and this DPA.
- Ensure personnel authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with Article 32 UK GDPR.
- Assist Controller in responding to requests from data subjects exercising rights under UK GDPR.
- Assist Controller with DPIAs, prior consultations and security-incident notifications as required by law.
Sub-processors
Controller provides general authorisation for Processor to engage sub-processors, provided that Processor imposes materially the same data protection obligations on each sub-processor. Processor shall remain liable to Controller for the performance of each sub-processor's obligations.
The following sub-processors are engaged by Processor to deliver the Service. Material additions or replacements will be reflected in this section and announced via the active email subscriber list at least thirty (30) days prior to taking effect, except where applicable law requires shorter notice.
- Vercel Inc. (United States)
  - Hosting, edge runtime, deployment infrastructure, content delivery, and Speed Insights real-user-monitoring for ai2.design. Lawful transfer mechanism: UK International Data Transfer Addendum to the EU Standard Contractual Clauses (Module 2 — Controller to Processor).
- Stripe, Inc. (United States / Ireland)
  - Sponsorship checkout, subscription billing, payment method tokenisation, invoicing and tax calculation. Stripe is a self-certified participant in the EU-U.S. Data Privacy Framework (DPF) and the UK Extension; transfers also covered by EU SCCs and UK IDTA. Visitor data shared with Stripe is limited to the information voluntarily entered on the hosted Stripe Checkout page (name, email, billing address, payment instrument, optional VAT identifier).
- Resend Inc. (United States)
  - Transactional and marketing email delivery (welcome flow, sponsor onboarding lifecycle, contact form responses, unsubscribe acknowledgements). Receives recipient email address, message content and engagement signals (delivery, open, click, bounce). Transfer mechanism: UK IDTA / EU SCC. Bounce and complaint events trigger automatic suppression of the affected address.
- PostHog Inc. (European Union — Frankfurt region)
  - Product analytics for funnel, cohort and retention measurement. The EU region (eu.i.posthog.com) keeps all personal data inside the European Union — no international transfer takes place under normal operation. Configured with anonymise_ips=true, persistence=memory (cookieless), and session replay disabled. Loaded only if the visitor has affirmatively consented via the cookie banner.
- Upstash Inc. (European Union — Frankfurt region for AI2 instance)
  - Serverless Redis store powering rate-limit counters and webhook idempotency keys. Stores hashed identifiers (IP-derived, never raw email) and Stripe event IDs with short time-to-live (≤24 hours). The Frankfurt region keeps data inside the European Union; transfers, where applicable, governed by EU SCC.
- Sentry — Functional Software, Inc. (European Union — German region for AI2 instance)
  - Error and performance monitoring (de.sentry.io). Captures stack traces, breadcrumb logs and request metadata associated with caught exceptions; configured with session replay disabled and IP scrubbing enabled. EU data residency means no international transfer takes place under normal operation.
- Anthropic, PBC (United States)
  - Server-side API used by the design extractor to generate the optional AI curator analysis and agent prompt brief. Receives only the public URL submitted by the user and the resulting design tokens; no personal data is transmitted to Anthropic. Transfer mechanism: UK IDTA / EU SCC.
Data flow summary: visitor browser (any country) → Vercel edge node (US-region by default, EU-region for ai2.design via Frankfurt edge) → application runtime (Vercel serverless functions) → conditional sub-processors as triggered by user action: PostHog (EU) for analytics if consent given; Resend (US) for transactional email; Stripe (US/IE) for payment processing; Upstash (EU) for rate-limit/idempotency state; Sentry (EU) for error capture; Anthropic (US) for optional AI extraction. All international transfers from the United Kingdom or European Economic Area to the United States rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK IDTA), the EU-U.S. Data Privacy Framework (where the recipient is self-certified), or the EU Standard Contractual Clauses Module 2 (Controller-to-Processor).
Personal Data Breach
Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Controller's data, and shall provide information reasonably necessary to assist Controller in meeting its own notification obligations under UK GDPR.
International Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area, Processor shall rely on an adequacy decision, the International Data Transfer Agreement, the International Data Transfer Addendum to the Standard Contractual Clauses, or another lawful transfer mechanism.
Audits
Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR. Any audit shall be conducted at Controller's cost, no more than once per calendar year (except where required by a supervisory authority), on at least 30 days' prior written notice, during normal business hours, and without disrupting Processor's operations.
Liability
The liability limitations and exclusions set forth in the Terms of Service (Section 11) apply to this DPA to the maximum extent permitted by applicable law. Nothing in this DPA excludes liability that cannot be excluded under UK GDPR.
Return or Deletion
Upon termination or expiry of the underlying contract, Processor shall, at Controller's choice, return or delete personal data processed on Controller's behalf, unless applicable law requires continued retention.
Governing Law
This document, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation, shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
Data Processing Agreement
A template Article 28 UK GDPR data processing agreement between BEY AGENCY LTD (processor) and you (controller).
Acceptance notice
By subscribing to AI2 Design early-access updates, by accessing or using the Service in any capacity, or by making any payment to BEY AGENCY LTD, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. You acknowledge that you have had the opportunity to review this document with legal counsel of your choice if desired. You acknowledge that violation of this document may result in immediate suspension or termination of access, forfeiture of any amounts paid (which are non-refundable), reporting to appropriate authorities, criminal prosecution, and civil liability.