← Back to Catalog Manager

Data Processing Agreement

Catalog Manager — Effective Date: April 1, 2026 · Version 1.0 · Pursuant to GDPR Article 28

1. Parties and Scope

This DPA forms part of the Terms of Service and Privacy Policy for Catalog Manager:

• Controller ("You"): The organization or individual who creates an account and uploads personal data.
• Processor ("We"): Catalog Manager.

This DPA applies globally and is effective automatically when you upload personal data of third parties. By using the Service, you agree to this DPA.

2. Definitions

• "Personal Data": Info relating to an identifiable person (GDPR Art. 4(1)).
• "Processing": Any operation on Personal Data (Art. 4(2)).
• "Data Subject": Person whose data you upload (artists, producers, rights holders).
• "Sub-Processor": Third party we engage to process on your behalf.

3. Subject Matter

3.1. Purpose: Processing Personal Data to provide Catalog Manager — hosting, storing, displaying catalog, financial, and rights holder data.

3.2. Data Subjects: Artists, performers, producers, songwriters, rights holders.

3.3. Data Types: Names, stage names, financials (royalties, earnings, recoupment), splits, roles, documents.

3.4. Duration: For the life of the Service relationship plus until all data deleted/returned.

4. Controller Obligations

As Data Controller, you are responsible for compliance with all applicable data protection laws in your jurisdiction, including but not limited to GDPR, CCPA, LGPD, and similar regulations. You must:

• Have a lawful basis for processing your artists'/rights holders' data.
• Ensure accuracy and currency of all uploaded data.
• Provide privacy notices to your Data Subjects about your use of Catalog Manager.
• Respond to Data Subject requests within legal timeframes.
• Ensure uploaded financial data is accurate and authorized.
• Inform us promptly when a Data Subject exercises rights.
• Comply with all applicable data protection laws.

5. Processor Obligations

Catalog Manager commits to:

• Process only on your documented instructions, and as necessary to provide, maintain, and secure the Service, except where required by law.
• Bind all authorized persons by confidentiality.
• Maintain industry-standard security measures via infrastructure providers such as Supabase, including application-level controls (RLS, session-scoped financial access).
• You provide general authorization for the use of Sub-Processors listed in the Privacy Policy. No new Sub-Processors without prior notification and your right to object. Current list in Privacy Policy.
• Assist with Data Subject requests (export, deletion capabilities in-app).
• Assist with DPIAs and supervisory consultations where required.
• Delete or return all data on termination, at your choice, except where retention is required by applicable law.
• Provide compliance evidence for GDPR Art. 28; allow audits.
• Notify you within 72 hours of any Personal Data breach.

6. Sub-Processors

• Supabase, Inc. — Database, auth, storage. SOC 2 Type II.
• Spotify AB (optional) — Music metadata. User-initiated only.
• Google LLC / Gmail API (optional) — Email. User-initiated only.

Changes notified in advance. You may object; if unresolvable, you may terminate. Each Sub-Processor bound by equivalent terms.

7. International Transfers

Where Personal Data is transferred internationally, appropriate safeguards are implemented in accordance with applicable law, including Standard Contractual Clauses or equivalent mechanisms. Data location disclosed on request.

8. Security

We rely on third-party infrastructure providers (such as Supabase) that implement industry-standard security measures, including encryption at rest and in transit. We also implement application-level controls:

• Row-Level Security for organizational data isolation.
• Session-scoped access for financial data.
• Regular security reviews and access audits.
• Measures appropriate to risk, nature of data (financial records, artist PII), state of the art, and cost.

9. Breach Response

Notify Controller within 72 hours. Include: nature of breach, subjects affected, consequences, remediation. Cooperate fully.

10. Data Subject Rights

Processor assists Controller via in-app export/deletion. Direct requests redirected to Controller.

11. Audits

Controller may audit annually, subject to reasonable notice, scope, and confidentiality limitations, as well as reasonable operational and security constraints. Processor provides compliance information per GDPR Art. 28 and equivalent provisions under applicable law.

12. Termination

DPA ends when Service ends. On termination: return data (structured format) or delete (within 90 days), except where retention is required by applicable law (e.g., financial data up to 7 years). Certify deletion on request.

13. Liability

Per Terms of Service. Each party liable for its own infringements of this DPA or applicable law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Italy, without regard to conflict of law principles. Nothing in this DPA limits any rights you may have under mandatory local law in your jurisdiction. Disputes are resolved per the Terms of Service.

15. Agreement

This DPA is incorporated into the Terms of Service for Catalog Manager. By accepting the ToS, you agree to this DPA.

Contact

Catalog Manager
Rome, Italy
Email: legal@catalogmanager.app