Legal · Article 28 GDPR

Data Processing Agreement

Version 2.1 · effective 1 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Ember Studio SAS ("Processor") for the provision of the Ember Studio service.

1. Subject matter and duration

The Processor processes Personal Data on behalf of the Controller for the duration of the subscription and up to 30 days after termination for the purposes of returning or deleting data.

2. Nature and purpose of processing

The Processor processes phone snaps, brand assets, scene references and related metadata to generate editorial photography on the Controller's behalf, store the resulting files, and provide the Ember Studio application.

3. Categories of data subjects and personal data

  • Account holders: name, email, password hash, IP address, billing details.
  • Team members: name, email, role.
  • Incidental: people appearing in submitted phone snaps. The Controller is responsible for obtaining any required consent.

4. Controller obligations

The Controller warrants that all Personal Data submitted to the Processor has a valid lawful basis and that data subjects have been informed in accordance with Articles 13–14 GDPR.

5. Processor obligations

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures set out in Annex II.
  • Assist the Controller in responding to data subject requests within 5 working days.
  • Notify the Controller without undue delay (within 48 hours) of any Personal Data breach.

6. Sub-processors

The Controller authorises the use of the sub-processors listed in Annex III. The Processor will give 14 days' notice of any intended addition or replacement.

Current sub-processors: Amazon Web Services (EU-West-3, Paris), Supabase (EU-West-1), Stripe Payments Europe, fal.ai (EU), Resend (EU).

7. International transfers

Personal Data is hosted in the European Union. Where any sub-processor transfers data outside the EEA, the EU Standard Contractual Clauses (Commission Decision 2021/914) apply.

8. Return or deletion

On termination, the Processor will, at the Controller's choice, return or delete all Personal Data within 30 days, unless retention is required by law.

9. Audits

The Controller may, at its own cost and with 30 days' notice, audit the Processor's compliance with this DPA once per year. The Processor will make available the most recent SOC 2 and ISO 27001 reports of its sub-processors on request.

Annex II — Technical and organisational measures

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Least-privilege IAM.
  • Mandatory MFA on all admin accounts.
  • Quarterly penetration tests.
  • Nightly encrypted backups with 30-day retention.
  • Documented incident response and business continuity plans.

To counter-sign this DPA on your organisation's letterhead, write to legal@ember.so. We typically counter-sign within two working days.