1.Object and parties
This Data Processing Agreement ("DPA") is entered into between ARDE AGENCY S.A.S., NIT 901.856.077-9, with registered address at Cl. 6A # 16-45, Ed. Guayacán de la Calera, Medellín, Antioquia, Colombia ("ARDE", acting as Processor / "Encargado del Tratamiento") and the client identified in the applicable services agreement or statement of work ("Client", acting as Controller / "Responsable del Tratamiento").
It applies whenever ARDE processes Client Personal Data — personal data contained in materials the Client provides or that ARDE handles on the Client's behalf during an engagement (e.g. talent and model-release data, images, likenesses and voices of identifiable persons, contact data of Client personnel, campaign or audience data the Client shares). In case of conflict with the general services terms, this DPA prevails with respect to the processing of personal data.
2.Legal framework
This DPA is drafted to satisfy, as applicable to a given engagement:
- Colombia: Law 1581 of 2012, Decree 1377 of 2013 and Decree 1074 of 2015 (SIC).
- European Union / EEA / UK: GDPR Article 28 (processor terms) and Chapter V (transfers), with the EU Standard Contractual Clauses (Decision (EU) 2021/914, Module 2, Controller→Processor) and the UK Addendum incorporated by reference where required.
- United States — California: CCPA/CPRA "service provider" terms — ARDE does not sell or share personal information and processes it only for the agreed business purpose.
- Mexico: the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its regulations.
Where more than one framework applies, the regime granting the data subject the greater protection prevails.
3.Roles, scope and instructions
The Client determines the purposes and means of processing; ARDE processes Client Personal Data only on documented instructions of the Client (including this DPA and the applicable SOW) and solely to perform the contracted services. ARDE will inform the Client if, in its opinion, an instruction infringes applicable data-protection law. Subject-matter, duration, nature and purpose of the processing, data categories and data-subject categories are described in Annex I.
4.Obligations of ARDE (Processor)
- Confidentiality. Ensure persons authorized to process Client Personal Data are bound by confidentiality obligations (NDAs).
- Security. Implement appropriate technical and organizational measures (Annex II).
- Sub-processors. Engage sub-processors only per Section 5.
- Data-subject requests. Assist the Client, taking into account the nature of the processing, in responding to data-subject requests (access, rectification, deletion, objection, portability, ARCO rights).
- Assistance. Assist the Client with data-protection impact assessments and consultations with supervisory authorities where required.
- Return or deletion. At the Client's choice, delete or return Client Personal Data at the end of the engagement (Section 9).
- Demonstrable compliance. Make available information reasonably necessary to demonstrate compliance and allow audits (Section 8).
- No training. Not use Client Personal Data to train artificial-intelligence models of general use, nor make it available to other clients.
- No sale. Not sell or share Client Personal Data (as those terms are defined under the CCPA/CPRA), nor retain, use or disclose it outside the direct business relationship with the Client.
5.Sub-processors
5.1 The Client provides general authorization for the sub-processors listed in the Sub-processor & Provider List published on this site.
5.2 ARDE will give the Client 30 days' prior notice of the addition or replacement of a sub-processor. The Client may object on reasonable data-protection grounds; if the objection cannot be resolved, the Client may terminate the affected service without penalty.
5.3 ARDE imposes on each sub-processor data-protection obligations equivalent to this DPA and remains liable for their performance.
6.International transfers
ARDE is established in Colombia and uses providers in the EU and the United States (see the sub-processor list). Where Client Personal Data originating in the EEA/UK is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (2021/914, Module 2) and the UK Addendum, which prevail in case of conflict. For data originating in Colombia or Mexico, ARDE complies with the applicable cross-border transfer requirements (including Title VIII of Decree 1074 of 2015 and SIC Circulars, and Articles 36–37 LFPDPPP).
7.Personal data breach notification
ARDE will notify the Client without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Client Personal Data, providing the information reasonably available to enable the Client to meet its own notification obligations (nature of the breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed, and a point of contact). ARDE maintains a documented incident-response procedure with containment, eradication, recovery and post-mortem phases.
8.Audit
Upon reasonable prior notice, the Client may verify ARDE's compliance with this DPA once per year (or following a confirmed incident) through security questionnaires, documentation review or, where strictly necessary, an audit conducted in a manner that does not compromise the confidentiality or security of other clients.
9.Return and deletion
Upon termination or expiry of an engagement, ARDE will, at the Client's choice, return and/or securely delete Client Personal Data within 30 days, except where retention is required by law (in which case the data remains protected under this DPA and is isolated from further processing). Certification of deletion is available on request.
10.Liability
Liability under this DPA is subject to the limitations of the principal services agreement, without prejudice to the mandatory statutory rights of data subjects and the powers of supervisory authorities.
Annex I — Description of processing
| Item | Description |
|---|---|
| Subject matter | Provision of creative content and AI video production services under the applicable SOW. |
| Duration | Term of the engagement, plus the return/deletion period of Section 9. |
| Nature and purpose | Receipt, storage, editing, AI-assisted transformation and delivery of creative materials; production coordination. |
| Categories of data subjects | Client personnel and contacts; talent, models and voice actors appearing in materials; end consumers only if the Client includes them in provided materials or data. |
| Categories of personal data | Business contact data; images, likeness, video and voice recordings of identifiable persons; consent/release records; campaign or audience data provided by the Client. |
| Special categories | Not sought by default. Image and voice used for AI synthesis may qualify as biometric data in some jurisdictions and are processed only with the documented, explicit consent of the data subject (model release). |
Annex II — Technical and organizational measures (summary)
- Encryption in transit (TLS/HTTPS) for all data exchange; encryption at rest on managed storage providers.
- Access control on a least-privilege, need-to-know basis; multi-factor authentication on administrative and production accounts.
- Secrets and credentials kept out of code repositories, stored in managed environment configuration, rotated upon suspicion of compromise.
- Segregation of client materials per project; no cross-client reuse of confidential materials.
- Enterprise-tier AI platform agreements and private workspaces that contractually exclude client inputs and outputs from model training (primary generation platform: Higgsfield Enterprise); for other providers, no-training configurations where offered.
- Personnel NDAs and data-protection clauses; periodic security and privacy awareness training.
- Device security: full-disk encryption, automatic locking, managed updates on workstations.
- Backups of active project material; documented incident-response procedure (72-hour client notification).
- Vendor management: assessment and DPAs with sub-processors; 30-day change notice.
Annex III — Standard Contractual Clauses
For Client Personal Data subject to the GDPR or UK GDPR, the parties incorporate by reference Module 2 (Controller→Processor) of the SCCs approved by Commission Implementing Decision (EU) 2021/914 and, for UK transfers, the IDTA Addendum. Completed and executed SCCs for a specific engagement are provided with the signable DPA on request.
Contact
ARDE AGENCY S.A.S. · NIT 901.856.077-9 · Cl. 6A # 16-45, Ed. Guayacán de la Calera, Medellín, Antioquia, Colombia
Contact: contact@ardeagency.com