Data Processing Agreement
Last updated: April 15, 2026
For business customers who need a formal DPA for GDPR, CCPA/CPRA, or other data protection compliance.
When does this DPA apply? This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy for My Pixie Suite. It applies when you (the "Customer" or "Controller") use the Service and CNG Studios LLC (the "Processor") processes personal data on your behalf. This DPA is automatically incorporated into your agreement with us when you use the Service to process personal data of your end users, customers, contacts, or employees.
Need a signed copy? If your organization requires a countersigned DPA for compliance purposes, contact us with "DPA Request" in the subject line and we will provide an executable version.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service.
- "Personal Data" means any information relating to an identified or identifiable natural person that Customer submits to or processes through the Service.
- "Controller" means the entity (Customer) that determines the purposes and means of processing Personal Data.
- "Processor" means CNG Studios LLC, which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means a third-party service provider engaged by the Processor to assist in processing Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), Florida Information Protection Act, and any other applicable data protection legislation.
- "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
2. Scope and Roles
Customer as Controller: You are the Controller of the Personal Data you submit to and process through the Service. You determine what Personal Data to process, why it is processed, and how long it is retained (within the capabilities of the Service).
CNG Studios as Processor: We act as your Processor when handling Personal Data on your behalf through the Service. We process Personal Data only according to your documented instructions (as expressed through your use of the Service and these Terms) and applicable Data Protection Laws.
Types of Personal Data processed through the Service may include:
| Pixie Application | Categories of Personal Data | Data Subjects |
|---|---|---|
| EchoPixie | Social media account information, post content, engagement metrics, audience data | Customer's social media followers and audience |
| HadesPixie | Vendor names, invoice details, receipt data, financial transaction records | Customer's vendors, clients, contractors |
| IrisPixie | Contact names, email addresses, phone numbers, company names, interaction history, lead scores | Customer's leads, prospects, and contacts |
| AthenaPixie | Market research data, competitor information, sales analytics | Minimal personal data (primarily business data) |
| GaiaPixie | Chat transcripts, customer names, email addresses, support inquiries | Customer's end users and support requesters |
| HermesPixie | Delivery addresses, recipient names, phone numbers, shipment details | Customer's delivery recipients |
| CalliPixie | Author names, contributor information, publishing metadata | Customer's authors and contributors |
| SirenPixie | Artist names, contributor credits, release metadata | Customer's artists and collaborators |
3. Processing Instructions
We will process Personal Data only in accordance with:
- Your documented instructions as expressed through your configuration and use of the Service
- The Terms of Service and this DPA
- Applicable Data Protection Laws
If we believe an instruction from you infringes applicable Data Protection Laws, we will inform you promptly before carrying out the instruction (unless prohibited by law from doing so).
We will not process Personal Data for any purpose other than providing the Service to you, unless required by applicable law, in which case we will inform you of that legal requirement before processing (unless the law prohibits such notification).
4. Confidentiality
We ensure that all persons authorized to process Personal Data on our behalf are bound by obligations of confidentiality. Access to Personal Data is limited to personnel who need it to provide the Service, and all such personnel have received appropriate training on data protection obligations.
5. Security Measures
We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Technical Measures:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for sensitive credentials (AES-256-GCM)
- Password hashing with bcrypt (with appropriate cost factor)
- Multi-tenant data isolation at the database level (tenant_id filtering on all queries)
- JWT-based authentication with session validation
- CSRF protection on all state-changing operations
- Automated database backups every 6 hours with 30-day retention
- Cloudflare DDoS protection and WAF
Organizational Measures:
- Access to production systems limited to authorized personnel
- Physical servers located on private premises (not shared data centers)
- No cloud hosting providers used for application data storage
- All AI processing performed on private, self-hosted infrastructure (no third-party AI services)
- Security event logging and monitoring
- Incident response procedures documented and tested
6. Sub-Processors
We use the following Sub-Processors to assist in providing the Service. Each Sub-Processor receives only the minimum Personal Data necessary to perform its function:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, billing address, payment method | United States |
| Brevo (Sendinblue SAS) | Transactional email delivery | Email address, email content | EU (France) / United States |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | IP address, request metadata (encrypted in transit) | Global (edge nodes) |
No third-party AI Sub-Processors: All AI features (content generation, OCR, analytics) are processed on our own self-hosted infrastructure. No Personal Data is sent to any third-party AI service.
Changes to Sub-Processors: We will notify you by email at least 30 days before engaging a new Sub-Processor or making a material change to an existing Sub-Processor's role. You may object to a new Sub-Processor within that 30-day period by contacting us. If we cannot reasonably accommodate your objection, you may terminate the affected Service without penalty.
We ensure that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (access, rectification, erasure, restriction, portability, and objection). Specifically:
- The Service provides self-service data export tools that you can use to fulfill access and portability requests
- You can delete individual records (contacts, expenses, conversations, etc.) through the Service interface
- For requests that require our assistance beyond what the Service provides, contact us and we will respond within 10 business days
- If we receive a Data Subject request directly, we will promptly redirect the request to you (the Controller) and will not respond to the Data Subject without your instructions, unless required by law
8. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay, and in any event within 48 hours of becoming aware of the breach (this is faster than our general 72-hour commitment in our Privacy Policy, to give you time to meet your own notification obligations)
- Provide you with sufficient information to enable you to meet your obligations to notify Data Subjects and supervisory authorities, including:
  - The nature of the breach and categories of Personal Data affected
  - The approximate number of Data Subjects and records affected
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach
- Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Maintain a record of all breaches, including those that do not require notification
9. International Data Transfers
The Service is operated from the United States. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions:
Transfer Mechanism: We rely on the European Commission's Standard Contractual Clauses (SCCs), specifically Module Two (Controller to Processor), as our legal mechanism for transferring Personal Data from the EEA/UK to the United States.
Supplementary Measures: In addition to the SCCs, we implement the following supplementary measures to protect transferred data:
- All data in transit is encrypted with TLS
- Sensitive data at rest is encrypted with AES-256-GCM
- Data is stored on private, self-hosted infrastructure (not US cloud providers subject to FISA 702 or similar orders)
- No third-party AI services process Personal Data
- Access to production data is strictly limited
If you require executed SCCs, contact us and we will provide them.
10. Data Protection Impact Assessments
We will provide reasonable assistance to you with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required under applicable Data Protection Laws, taking into account the nature of the processing and the information available to us.
11. Audits and Inspections
Upon reasonable request and subject to appropriate confidentiality obligations, we will make available to you information necessary to demonstrate our compliance with this DPA. This may include:
- Responses to written security questionnaires (provided within 20 business days)
- Summaries of our security practices and controls
- Confirmation of Sub-Processor compliance
- Records of any data breaches or security incidents
If you require an on-site audit, we will accommodate reasonable audit requests with at least 30 days' advance notice, during normal business hours, and no more than once per year (unless a breach or specific compliance concern justifies an additional audit). Audits are conducted at your expense and must not disrupt our operations or compromise other customers' data.
12. Data Deletion and Return
Upon termination of the Service agreement or upon your written request:
- We will provide you with the ability to export your Personal Data in standard, portable formats (CSV, JSON) through the Service's export features
- After you confirm data export or after the Archive Mode period (35 days), we will delete all Personal Data from our active systems within 30 days
- Backup copies containing Personal Data will be purged within an additional 30 days after deletion from active systems
- We may retain Personal Data where required by applicable law (e.g., financial records for tax compliance), in which case the data will be isolated and protected, and deleted when the retention period expires
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection obligations that cannot be limited under applicable Data Protection Laws.
14. Term and Termination
This DPA takes effect when you begin using the Service and remains in effect for as long as we process Personal Data on your behalf. Upon termination of the Service agreement, the provisions of this DPA that by their nature should survive (including Sections 8, 9, 12, and 13) will continue to apply.
15. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail.
16. Updates to This DPA
We may update this DPA to reflect changes in Data Protection Laws, our Sub-Processors, or our data processing practices. Material changes will be communicated by email at least 30 days before taking effect. If a change materially reduces the protections in this DPA, you may terminate the Service without penalty.
17. Contact
For DPA-related inquiries, data protection questions, or to request a signed copy:
CNG Studios LLC
Data Protection Contact: Gonzalo Figueroa
Email: Contact Form (subject: "DPA Request")
Website: cngstudios.biz