Data Processing Agreement
Data Processing Agreement
If you are on a Business or Enterprise plan, your usage includes this Data Processing Agreement ("DPA"). A signed version may be made available upon request.
Last updated: 03/11/2026
This DPA forms part of the Terms of Service and/or other main services agreement, order form, or similar ordering document (the "Agreement") entered into between:
DEKS MEDIA L.L.C, with offices at 2999 NE 191ST ST STE 907, MIAMI, FL 33180-3117 ("Company", "Processor"), and
Customer as defined in the Agreement ("Customer", "Controller")
(each a "Party", together the "Parties").
The Parties expressly acknowledge and agree that:
This DPA does not establish a joint controllership arrangement under Article 26 GDPR.
Each Party remains solely responsible for its own compliance with Applicable Data Protection Laws in respect of its separate processing activities.
Company processes Customer Personal Data solely on behalf of and under Customer's instructions.
Company may process Service Data, Log Data, aggregated data, and de-identified data as an independent controller solely for analytics, security, billing, compliance, and product-development purposes.
Company does not engage in automated decision-making producing legal or similarly significant effects on Data Subjects in the context of processing Customer Personal Data under this DPA.
Data Protection Officer / Privacy Contact
Email: dpo@ventora.cc
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement. In addition:
"Applicable Data Protection Laws" means all data protection, privacy, and security laws and regulations applicable to the Processing of Personal Data under this DPA, including, where applicable, the GDPR and UK GDPR, as interpreted by competent courts and supervisory authorities.
"CCPA" means the California Consumer Privacy Act of 2018, as amended (including by the CPRA), and implementing regulations.
"Customer" means the Customer defined in the Agreement.
"Customer Personal Data" means any Personal Data processed by Company (or its Sub-processors) on behalf of Customer under Customer's documented instructions in connection with the Services.
"Data Protection Laws" means collectively: (i) EU GDPR and UK GDPR and implementing/supplementary legislation; (ii) the EU-US Data Privacy Framework (and UK/Swiss extensions) where applicable; and (iii) U.S. federal/state privacy laws applicable to the Processing of Customer Personal Data under this DPA, plus other national laws governing Processing under this DPA.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Data Transfer" means (a) a transfer of Customer Personal Data from Customer to a Contracted Processor; or (b) an onward transfer from a Contracted Processor to a Sub-processor (or between establishments), where restricted by Data Protection Laws.
"DPA" means this data processing agreement and any annexes/appendices attached or incorporated by reference, as amended in accordance with its terms.
"EU SCCs" means the standard contractual clauses approved by the European Commission in Decision 2021/914 (as updated).
"ex-EEA Transfer" means a transfer of Personal Data regulated by GDPR from the EEA to a country without an adequacy decision.
"ex-UK Transfer" means a transfer of Personal Data regulated by UK GDPR from the UK to a country without an adequacy decision.
"GDPR" means Regulation (EU) 2016/679; references include UK GDPR where Customer is a UK entity, as applicable.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Personal Data Breach" means a confirmed breach of Company security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Company's possession, custody, or control. Personal Data Breach excludes unsuccessful attempts that do not compromise security (e.g., failed logins, scans, DoS attempts).
"Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, erasure, etc.).
"Service Data" means aggregated and/or de-identified data relating to the use, support, and/or operation of the Services collected by Company from and/or about users of the Services and/or Customer's use, processed by Company for its own purposes.
"Sub-processor" means any processor engaged by Company to process Personal Data on behalf of Customer.
"U.S. Privacy Laws" means applicable U.S. state/federal privacy and data security laws governing Processing of Customer Personal Data under this DPA (including CCPA/CPRA where applicable).
"UK Addendum" means the UK ICO International Data Transfer Addendum to the EU SCCs.
"UK SCCs" means the EU SCCs as amended by the UK Addendum.
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach" have the meanings set out in Article 4 GDPR (or equivalent under applicable law).
Roles
For EU Personal Data, Customer acts as controller and Company acts as processor.
For UK Personal Data, Customer acts as controller and Company acts as processor.
For U.S. Personal Data, Customer is a "business" and Company is a "service provider/contractor"; Company will not "sell" or "share" such data or combine it for cross-context behavioral advertising, consistent with CPRA and similar laws.
2. Subject Matter, Activities and Duration
Company shall Process Customer Personal Data only on Customer's documented instructions as described in Annex 1.
Company may refuse, suspend, or propose commercially reasonable alternatives to any instruction it reasonably believes would (i) violate this DPA or Applicable Data Protection Laws, or (ii) materially compromise the security, confidentiality, availability, or performance of the Services.
Company shall retain Customer Personal Data transmitted through the Services as described in Annex 1. Any other retention periods will be as specified in the Agreement and/or applicable order form.
This DPA remains in effect for the term of the Agreement.
3. Customer Obligations
Unless required by Applicable Data Protection Laws, Customer (on behalf of itself and its Affiliates, if any) will act as a single point of contact for Company for all DPA matters and will coordinate internally any instructions or requests.
Customer represents it has a lawful basis and all necessary consents/authorizations to provide Customer Personal Data to Company for Processing under the Agreement and this DPA.
Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was collected.
Customer will comply with Applicable Data Protection Laws and is responsible for configurations and design decisions it controls, implementing them securely and in compliance with law.
Customer will reasonably cooperate with Company to assist Company in meeting its obligations relating to data subject requests, and will reimburse Company for reasonable, documented costs incurred (where permitted by law).
Without limiting Company's obligations, Customer is responsible for its use of the Services, including:
maintaining appropriate security for Customer Personal Data,
securing account credentials/devices used to access the Services,
securing Customer systems that connect to the Services, and
backing up Customer Personal Data.
Customer agrees that the Services, the Security Measures, and Company's commitments under this DPA are adequate to meet Customer's needs and provide a level of security appropriate to the risks.
Customer will not provide Sensitive Data to Company (including HIPAA PHI). Customer must not upload or input special categories of data or other sensitive categories such as financial account numbers, government identifiers, or biometric data, unless explicitly agreed in writing and supported by the Services.
4. Company Obligations
Company shall Process Customer Personal Data solely in accordance with Customer's documented instructions for these limited purposes:
providing the Services under the Agreement;
where applicable, operating and monitoring the infrastructure needed to provide the Services and meet technical/organizational requirements;
Processing initiated by authorized users in their use of the Services;
executing documented instructions consistent with the Services;
resolving service issues/technical problems; and/or
meeting an express legal requirement, in which case Company will (unless prohibited) inform Customer before processing.
Company will notify Customer without undue delay of requests/demands/orders from competent supervisory authorities or data subjects relating to Processing on Customer's behalf. If a data subject contacts Company, Company will forward the request to Customer once Company identifies that Customer is responsible for the request. Customer acknowledges Company is not responsible for directly responding to data subjects or authorities except as required by law or agreed in writing.
Subject to applicable retention obligations, upon termination Company will return or delete Customer Personal Data as described in this DPA.
Company will ensure personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and access is limited to those who need it.
Company will inform Customer if, in Company's opinion, an instruction violates Applicable Data Protection Laws.
Company will provide reasonable assistance for DPIAs upon Customer request by providing relevant information about Personal Data processed in the Services; Company may charge professional services fees on a time-and-materials basis (unless prohibited by law).
Requests for assistance beyond Company's ordinary course of business or what is commercially reasonable may require a separate order form and additional fees.
Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Nothing in this Section obliges Company to take actions that would (i) violate law, (ii) require disclosure of third-party trade secrets/confidential info, or (iii) exceed the limitation-of-liability caps in the Agreement/DPA.
5. Security
Company will maintain appropriate administrative, physical, technical, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, and to ensure a level of security appropriate to risk ("Security Measures").
6. Data Breach Notification
Company will notify Customer without undue delay after confirming a breach that constitutes a Personal Data Breach under this DPA and/or Applicable Data Protection Laws. Company will:
investigate and take reasonable steps to identify root cause(s) (where caused by Company or its Sub-processors);
provide available information about the breach, affected data type(s), and other reasonably requested information (to the extent legally permitted); and
provide follow-up reports on a timely basis as reasonably requested.
Company's notification/response does not constitute an admission of fault or liability.
If Customer determines to notify any governmental entity, data subjects, or the public, and such notice refers to or identifies Company (directly or indirectly), Customer will (where permitted by law):
notify Company in advance in writing; and
consult in good faith and consider Company's reasonable clarifications/corrections consistent with law.
Company may delay notice if law enforcement determines immediate disclosure would impede a criminal investigation, provided Company notifies Customer once the restriction is lifted.
These obligations do not apply to the extent the breach is caused by Customer or those acting on Customer's behalf, except Company will inform Customer and share information until it reasonably determines Customer caused the breach. Company may charge Customer for requested assistance where the breach is attributable to Customer.
7. Sub-processing
Customer authorizes Company to engage third-party subprocessors to process Personal Data in connection with providing the Services, including subprocessors that provide infrastructure, hosting, storage, analytics, communications, customer support, payment processing, security, and AI/ML services.
Company is not required to maintain or publish a static list of subprocessors within this DPA. Company may update or change subprocessors from time to time as needed to operate, secure, and improve the Services.
Company may continue to use Sub-processors engaged as of the effective date of this DPA.
If Customer objects to a new Sub-processor on reasonable grounds relating to data protection, Customer must notify Company within twenty (20) business days of Company's notice, by contacting dpo@ventora.cc.
The Parties will work in good faith to resolve the objection. If unresolved within a reasonable time, Customer's sole and exclusive remedy is to terminate the affected Services (or the Agreement if necessary) by written notice and receive a refund of prepaid fees for the unused portion, if any, as set out in the Agreement.
Company will impose on Sub-processors data protection obligations substantially equivalent to those in this DPA via written contract.
8. International Data Transfers
Company will not transfer Customer Personal Data to a third country or international organization unless:
the destination is covered by an adequacy decision; or
appropriate safeguards are in place (e.g., SCCs, BCRs, approved codes/certifications); or
Customer has provided explicit informed consent (where applicable).
For ex-EEA Transfers, the Parties agree transfers are made pursuant to the EU SCCs, incorporated by reference and completed as follows:
Module Two applies where Customer is controller and Company is processor.
Module Three applies where Customer is processor and Company is sub-processor.
For ex-UK Transfers, the Parties agree transfers are made pursuant to the UK SCCs (EU SCCs + UK Addendum), incorporated by reference and completed accordingly.
Company represents and warrants that:
as of the effective date, it has not received any formal requests from government intelligence/security services for access to Customer Personal Data ("Government Agency Requests"); and
if it later receives such a request, it will attempt to redirect the agency to Customer and provide reasonable notice unless legally prohibited.
If a transfer mechanism becomes invalid or enjoined, the Parties will cooperate in good faith to implement an alternative lawful mechanism. Company may suspend affected transfers/processing until a lawful mechanism is in place without constituting a breach.
9. Service Data
Customer acknowledges Company may collect, use, and disclose Service Data for its own business purposes, including:
accounting, tax, billing, audit, and compliance;
providing, improving, developing, optimizing, and maintaining the Services; preventing fraud/spam/abuse;
training or tuning proprietary machine-learning models used to deliver the Services (on Service Data only); and
as otherwise permitted or required by Applicable Data Protection Laws.
Service Data is not Customer Personal Data, and the obligations in this DPA do not apply to Company's Processing of Service Data.
Company may retain Service Data as long as it has a legitimate business need, may share it with Affiliates/Sub-processors for these purposes, and may create/publish anonymized or aggregated statistics, provided they do not identify Customer or any individual. Company warrants de-identification will meet "de-identified data" standards under CPRA and comparable laws.
No royalties or fees are due for Company's Processing of Service Data, and Customer has no right to opt out while remaining a customer of the Services.
10. Use of Customer Data for Artificial Intelligence and Machine Learning
Company shall not use Customer Personal Data to train, retrain, fine-tune, or otherwise develop AI/ML models.
Customer Personal Data will be processed solely to provide, maintain, secure, and support the Services, in accordance with Customer's documented instructions and Applicable Data Protection Laws.
Company may process de-identified and aggregated information derived from Customer Personal Data (as Service Data) for statistical reporting, security analysis, or operational insights, provided it cannot identify Customer, end users, or any natural person and is not used for AI/ML training.
11. Return and Deletion
Upon termination of the Agreement, Company will stop Processing Customer Personal Data other than secure storage or Processing expressly permitted under this DPA.
Within thirty (30) calendar days after termination, Customer may instruct Company in writing to return or delete Customer Personal Data in Company's possession or control, unless retention is required by law.
If no instruction is received within thirty (30) days, Company may delete or irreversibly anonymize Customer Personal Data pursuant to its retention schedule.
If manual export or bespoke deletion work exceeds two (2) person-hours, Company may charge reasonable documented costs at then-current professional services rates, unless prohibited by law.
This Section survives termination for as long as Company retains any Customer Personal Data.
12. Governing Law and Jurisdiction
This DPA (and any non-contractual obligations arising out of or in connection with it) is governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.
13. Indemnity
Customer will defend, indemnify, and hold harmless Company and its Affiliates from third-party claims, investigations, fines, losses, or reasonable legal costs arising from:
- Customer's instructions or configurations;
- failure to secure lawful basis/consents;
- Customer's provision of prohibited/sensitive data; or
- Customer's breach of this DPA or Applicable Data Protection Laws.
Company will provide prompt notice and reasonable cooperation. Customer may control the defense, but may not settle in a way that admits Company fault or imposes non-monetary obligations without Company's prior written consent.
To the fullest extent permitted by law, Customer releases and indemnifies Company from claims/fines/losses arising from Customer's failure to implement or maintain security controls described in this DPA.
14. Liability
The Parties' liability under this DPA is limited as set out in the Agreement.
Neither Party is required to indemnify the other for administrative fines imposed by a supervisory authority or court under Applicable Data Protection Laws.
Neither Party will be liable for lost profits/revenue/goodwill, business interruption, loss/corruption of data, or indirect/special/incidental/punitive/consequential damages, even if advised of the possibility.
15. U.S. Privacy Laws
To the extent Processing of Customer Personal Data is subject to U.S. Privacy Laws:
The Parties acknowledge Company's Processing per Customer's instructions is integral to the Services and business relationship.
Company will:
use/retain/disclose Customer Personal Data only as necessary to perform business purposes specified in the Agreement or permitted by U.S. Privacy Laws;
provide the level of protection required of a "service provider/contractor";
implement reasonable security measures;
notify Customer if it cannot meet its obligations; and
cooperate to stop and remediate unauthorized use.
Company will not:
sell or share Customer Personal Data;
retain/use/disclose Customer Personal Data outside the direct business relationship except as permitted;
combine Customer Personal Data with other data except as permitted by U.S. Privacy Laws (e.g., to perform services, ensure security, prevent fraud).
Customer may take reasonable steps to ensure Company uses Customer Personal Data consistently with U.S. Privacy Laws and may request reasonable information to demonstrate compliance.
Company will notify Customer if it makes a determination it can no longer meet its obligations under U.S. Privacy Laws.
Entire Agreement; Order of Precedence
This DPA constitutes the entire understanding between the Parties regarding Processing of Customer Personal Data under the Agreement and supersedes any prior discussions on this subject. If there is a conflict between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA controls to the extent of the conflict.
Annex 1 - Description of Processing
This Annex describes the Processing of Customer Personal Data in connection with Customer's use of the Services.
A. LIST OF PARTIES
Data exporter:
Name: Customer as defined in the Agreement (on behalf of itself and permitted affiliates, if any)
Address: Customer's address as set out in the order form / account
Contact: Customer contact details as set out in the order form / account
Activities: Processing of Customer Personal Data in connection with Customer's use of the Services
Role: Controller (or Processor where Customer is acting as a processor)
Data importer:
Name: DEKS MEDIA L.L.C
Address: 2999 NE 191ST ST STE 907, MIAMI, FL 33180-3117
Contact: dpo@ventora.cc
Activities: Processing of Customer Personal Data in connection with providing the Services
Role: Processor (or Sub-processor where Customer is acting as a processor)
B. DESCRIPTION OF PROCESSING
Services description:
Ventora is an AI-powered application builder that enables customers to create and modify software using written instructions ("prompts"). The Services process Customer-provided data to translate prompts into software outputs, including front-end and back-end code.
Customer determines the Processing, which may include hosting, storage, compilation, scanning, indexing, static/dynamic analysis, generation, and deployment of software artifacts (including source code, configuration, commit history, tickets, comments, and user profile data) to provide, secure, maintain, monitor, and improve the Services.
Personal data processing
Customer Personal Data (data disclosed/made accessible by Customer identifying an individual) processed for:
Provision of the Services including account creation and billing;
Implementation/consultancy/support services where Company needs access to Customer environments (only upon Customer authorization/approval);
Non-personal data processing
Service Data (aggregated/de-identified) processed for:
accounting, tax, billing, audit, compliance;
product improvement, security monitoring, abuse prevention;
training/tuning proprietary ML models used to deliver the Services (on Service Data only);
as otherwise permitted/required by law.
Log Data may include device IP address and approximate location, browser type/version, pages/APIs/features accessed, timestamps and usage metrics, session/device identifiers, and error/debug codes, processed for security and platform improvement.
C. CATEGORIES OF DATA SUBJECTS
Customer's authorized users (employees, contractors, agents, collaborators)
End users of applications/websites published or deployed by Customer via the Services
Any other category relevant to your platform
D. RETENTION AND ERASURE
Company will retain:
Customer Personal Data as necessary for the term of the Agreement and return/delete upon written request, unless an exception applies (e.g., fraud prevention, legal compliance, legal defense). Deleted data may persist in backups for a limited period before final removal.
Service Data indefinitely in anonymized and aggregated form (where applicable).