Data Processing Addendum
Last updated: 2026-05-10
This DPA applies to customers using Iconkiln to process personal data of their end-users in the EU/UK/Switzerland. It supplements the Terms of Service.
1. Roles
Customer is the data controller. Iconkiln Studio, Inc. is the data processor for personal data the Customer submits or that we process on the Customer's behalf.
2. Subject matter and duration
Subject matter: provision of an AI icon generation service. Duration: the term of the Customer's account plus 30 days for deletion.
3. Categories of data and data subjects
- Account data of the Customer's administrators (email).
- Prompt content and uploaded reference images, which may contain personal data only if the Customer chooses to include it.
- Diagnostic events (IPs, user-agents, error stacks).
4. Sub-processors
See the Privacy Policy for the current list. We provide 30 days' notice before adding new sub-processors.
5. International transfers
Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (Module 2: Controller-to-Processor) with the relevant sub-processors.
6. Security
We employ TLS in transit, AES-256 encryption at rest, role-based access control, row-level security (RLS) on the database, per-user storage isolation, and rate-limited APIs. Material security incidents are reported within 72 hours of confirmation.
7. Data subject rights and audits
We support access, correction, export, and deletion requests via the application or by email. We will reasonably cooperate with audits subject to confidentiality and reasonable notice.
8. Deletion
On account closure, we delete personal data within 30 days, except for records we are legally required to retain (financial transactions, abuse history).
9. Contact
Working template — have counsel review before signing with enterprise customers.