MUSIVO GALLERIA DATA PROCESSING AGREEMENT
Version: 1.0
Effective Date: 22 May 2026
This Data Processing Agreement ("DPA") is entered into between:
Data Controller: [Enterprise Brand Name] ("Controller," "you") [Registered address] [Registration number]
Data Processor: Musivo LLC ("Processor," "Musivo") Qatar Financial Centre, Doha, State of Qatar
(each a "Party" and collectively the "Parties")
This DPA forms part of and supplements the Musivo Galleria Terms of Service and/or any other service agreement between the Parties (together, the "Main Agreement"). Terms used but not defined in this DPA have the meanings given in the Main Agreement.
ARTICLE 1: DEFINITIONS
1.1 "Applicable Data Protection Law" means any applicable law, regulation, directive, or binding guidance relating to the processing of Personal Data, including where applicable the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any national implementing legislation.
1.2 "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
1.3 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.4 "Personal Data" means any information relating to an identified or identifiable natural person.
1.5 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1.6 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
1.7 "Processor" means the entity that processes Personal Data on behalf of the Controller.
1.8 "Sub-Processor" means any third party engaged by Musivo to process Personal Data on behalf of the Controller.
1.9 "Services" means the Musivo Galleria marketplace platform and related services provided to the Controller under the Main Agreement.
ARTICLE 2: SCOPE AND PURPOSE
2.1 This DPA applies where Musivo processes Personal Data on behalf of the Controller in the course of providing the Services.
2.2 Musivo processes Personal Data only for the purposes of providing the Services as described in this DPA and the Main Agreement.
2.3 Nature of Processing: Operating a marketplace platform facilitating product listings, buyer transactions, Brand Bookings, and related services.
2.4 Types of Personal Data Processed:
| Category | Examples |
|---|---|
| Identity data | Names, usernames, profile photos |
| Contact data | Email addresses, social media handles |
| Transaction data | Purchase history, amounts, dates, product details |
| Technical data | IP addresses, device identifiers, browser data |
| Brand Booking data | Booking details, briefs, deliverables, ratings |
| Communication data | Messages sent through the Platform |
2.5 Categories of Data Subjects:
- Controller's employees and team members who use the Platform
- Buyers who purchase from the Controller's storefront
- Creators booked by the Controller for Brand Bookings
2.6 Duration of Processing: For the duration of the Main Agreement, plus any retention period required by applicable law or as stated in Musivo's Privacy Policy.
ARTICLE 3: OBLIGATIONS OF THE PROCESSOR
Musivo shall, with respect to Personal Data processed under this DPA:
3.1 Process only on documented instructions: Process Personal Data only in accordance with the Controller's documented instructions, which are set out in this DPA and the Main Agreement. Musivo shall inform the Controller if it believes an instruction infringes Applicable Data Protection Law.
3.2 Confidentiality: Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
3.3 Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: (a) Encryption of Personal Data at rest using AES-256; (b) Encryption of Personal Data in transit using TLS 1.2 or higher; (c) Access controls ensuring only authorised personnel access Personal Data; (d) Regular security testing and assessment; (e) Procedures for regularly testing and evaluating the effectiveness of security measures.
3.4 Sub-Processors: Not engage Sub-Processors without prior written authorisation from the Controller, except as set out in Article 5 of this DPA.
3.5 Data Subject Rights: Assist the Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection, taking into account the nature of the processing.
3.6 Security Assistance: Assist the Controller in ensuring compliance with its security obligations, taking into account the nature of processing and information available to Musivo.
3.7 Deletion or Return: Upon termination of the Main Agreement, at the Controller's choice, delete or return all Personal Data to the Controller, and delete existing copies unless storage is required by applicable law.
3.8 Audit Assistance: Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or its appointed auditor, subject to reasonable notice and confidentiality protections.
3.9 Notification: Notify the Controller promptly if, in Musivo's opinion, an instruction infringes Applicable Data Protection Law.
ARTICLE 4: OBLIGATIONS OF THE CONTROLLER
The Controller shall:
4.1 Ensure it has a lawful basis for processing Personal Data and that its instructions to Musivo are lawful;
4.2 Provide any necessary notices to and obtain any necessary consents from Data Subjects for the processing described in this DPA;
4.3 Ensure the accuracy and completeness of Personal Data provided to Musivo;
4.4 Promptly notify Musivo of any changes to its instructions that may affect Musivo's processing activities;
4.5 Comply with all Applicable Data Protection Laws in connection with its own processing activities.
ARTICLE 5: SUB-PROCESSORS
5.1 The Controller grants Musivo general written authorisation to engage the following Sub-Processors in connection with the Services:
| Sub-Processor | Location | Processing Activity | Privacy Policy |
|---|---|---|---|
| Supabase, Inc. | United States | Database hosting, authentication, file storage | supabase.com/privacy |
| Vercel, Inc. | United States | Platform hosting and edge network | vercel.com/legal/privacy-policy |
| Stripe, Inc. | United States | Payment processing (physical products) | stripe.com/privacy |
| Whop Corp | United States | Digital product payment processing | whop.com/privacy |
| Resend, Inc. | United States | Transactional email delivery | resend.com/legal/privacy-policy |
| Shopify Inc. | Canada | Order fulfillment infrastructure | shopify.com/legal/privacy |
5.2 Musivo shall enter into written data processing agreements with each Sub-Processor imposing equivalent data protection obligations to those set out in this DPA.
5.3 Musivo shall inform the Controller of any intended addition or replacement of Sub-Processors by providing at least thirty (30) days' notice. The Controller may object to such changes on reasonable data protection grounds within fourteen (14) days of notification.
5.4 If the Controller objects and the Parties cannot resolve the matter, either Party may terminate the Main Agreement on thirty (30) days' written notice, without penalty to the Controller.
ARTICLE 6: INTERNATIONAL DATA TRANSFERS
6.1 Where Musivo transfers Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or any other jurisdiction with transfer restrictions, Musivo shall ensure such transfers are made: (a) To countries recognised as providing adequate protection; (b) Subject to Standard Contractual Clauses approved by the European Commission or UK ICO; (c) Subject to other appropriate safeguards under Applicable Data Protection Law.
6.2 The Controller authorises transfers to the Sub-Processors listed in Article 5, subject to the safeguards described in this Article.
ARTICLE 7: PERSONAL DATA BREACHES
7.1 Musivo shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
7.2 Such notification shall include, to the extent available at the time: (a) Description of the nature of the breach; (b) Categories and approximate number of Data Subjects affected; (c) Categories and approximate volume of Personal Data records affected; (d) Name and contact details of the data protection contact; (e) Description of likely consequences of the breach; (f) Description of measures taken or proposed to address the breach.
7.3 Where complete information is not available within seventy-two (72) hours, Musivo shall provide information in phases as it becomes available.
7.4 Musivo shall cooperate with the Controller in investigating, remediating, and notifying relevant authorities and Data Subjects where required by applicable law.
ARTICLE 8: DATA SUBJECT RIGHTS
8.1 Musivo shall promptly notify the Controller of any requests received from Data Subjects exercising their rights under Applicable Data Protection Law, where such rights relate to Personal Data processed on the Controller's behalf.
8.2 Musivo shall not respond to Data Subject requests relating to the Controller's Personal Data without the Controller's prior written instruction, except where required by law.
8.3 Musivo shall provide the Controller with such information and assistance as is reasonably necessary to enable the Controller to respond to Data Subject requests within applicable timeframes.
ARTICLE 9: DATA PROTECTION IMPACT ASSESSMENTS
9.1 Musivo shall provide the Controller with such reasonable assistance as the Controller requires to conduct data protection impact assessments (DPIAs) where required by Applicable Data Protection Law, to the extent such assessments relate to the Services provided by Musivo.
ARTICLE 10: RECORDS OF PROCESSING
10.1 Musivo shall maintain all records required under Applicable Data Protection Law in respect of processing activities carried out on behalf of the Controller.
10.2 Musivo shall make such records available to the Controller upon written request.
ARTICLE 11: AUDIT RIGHTS
11.1 Upon reasonable written notice of no less than thirty (30) days, Musivo shall provide the Controller or its authorised auditor access to information, systems, and personnel necessary to verify Musivo's compliance with this DPA.
11.2 Audits shall be conducted during normal business hours, no more than once per calendar year unless a breach is suspected, and shall not unreasonably disrupt Musivo's operations.
11.3 The Controller shall bear all costs of any audit unless the audit reveals a material breach of this DPA by Musivo.
11.4 Any auditor appointed by the Controller must be subject to appropriate confidentiality obligations and must not be a competitor of Musivo.
ARTICLE 12: TERM AND TERMINATION
12.1 This DPA shall remain in effect for the duration of the Main Agreement.
12.2 Termination of the Main Agreement shall automatically terminate this DPA, subject to the survival of provisions relating to return or deletion of Personal Data and any ongoing regulatory obligations.
12.3 Following termination, Musivo shall, at the Controller's written election, return or delete all Personal Data within sixty (60) days, and provide written confirmation of deletion upon request, unless storage is required by applicable law.
ARTICLE 13: LIMITATION OF LIABILITY
13.1 Each Party's liability under this DPA is subject to the limitations set out in the Main Agreement.
13.2 Nothing in this DPA limits either Party's liability for material breaches of data protection obligations where required to be unlimited under Applicable Data Protection Law.
ARTICLE 14: GOVERNING LAW
14.1 This DPA is governed by the laws of the State of Qatar and, where applicable, the laws of the European Union in respect of GDPR obligations.
14.2 For matters arising under GDPR or UK GDPR, the supervisory authority of the Controller's establishment shall have jurisdiction.
ARTICLE 15: GENERAL
15.1 Order of Precedence: In case of conflict between this DPA and the Main Agreement, this DPA shall prevail in respect of data protection matters.
15.2 Amendments: This DPA may only be amended by written agreement signed by authorised representatives of both Parties.
15.3 Severability: If any provision is invalid or unenforceable, the remaining provisions remain in full force.
15.4 Entire Agreement: This DPA constitutes the entire agreement between the Parties regarding the processing of Personal Data in connection with the Services.
EXECUTION
This DPA is entered into as of the date of acceptance of the Main Agreement, or if executed separately, the date last signed below.
FOR MUSIVO LLC:
Signature: ________________________
Name: ________________________
Title: ________________________
Date: ________________________
FOR [ENTERPRISE BRAND NAME]:
Signature: ________________________
Name: ________________________
Title: ________________________
Date: ________________________
IMPLEMENTATION NOTES FOR CURSOR
COOKIE POLICY
- URL: musivogalleria.com/legal/cookies
- Footer link: "Cookie Policy"
- Cookie banner links here
- Load analytics scripts ONLY after consent
- Preference centre accessible from footer at all times
SELLER AGREEMENT
- URL: musivogalleria.com/legal/seller-agreement
- Also available as downloadable PDF (generate server-side with puppeteer or similar)
- Checkbox mandatory during seller onboarding flow
- Re-acceptance required when material changes made
- Store acceptance timestamp in database: seller_agreement_accepted_at (timestamptz), seller_agreement_version (text)
DPA
- URL: musivogalleria.com/legal/dpa
- NOT shown to general users — enterprise brands only
- Accessible from: brand account settings → Legal Documents
- "Request DPA" button sends email to legal@musivogalleria.com
- For Enterprise tier brands: pre-filled DPA generated with brand details
- Store signed DPA in Supabase Storage, linked to brand account
- Add to brand_profiles table: dpa_requested_at (timestamptz), dpa_signed_at (timestamptz), dpa_document_url (text)
FOOTER LEGAL LINKS (complete set)
Terms of Service | Seller Agreement | Refund Policy | Privacy Policy | Cookie Policy | DPA (Enterprise) | Contact
All legal documents prepared for Musivo LLC, Qatar Financial Centre.
Must be reviewed by qualified legal counsel before publication.
This is not legal advice.