Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between Studio Launch Ltd and the Customer and governs the processing of personal data through the FlareForge platform.
Print or save as PDFDefinitions
- “Controller”
- The Customer — the organisation that determines the purposes and means of processing personal data.
- “Processor”
- Studio Launch Ltd, trading as FlareForge, which processes personal data on behalf of the Controller.
- “Personal Data”
- Any information relating to an identified or identifiable natural person processed through the FlareForge platform.
- “UK GDPR”
- The UK General Data Protection Regulation as retained in UK law following the UK’s departure from the European Union.
Roles
The Customer is the Controller. Studio Launch Ltd is the Processor. We process personal data only on your documented instructions and for no other purpose.
What we process
Through your use of FlareForge we may process the following categories of personal data:
- Names and job titles
- Email addresses and phone numbers
- Company names and business contact details
- Deal and transaction data you enter into the platform
- Any other contact or counterparty data you upload or connect
How we process it
We process personal data only to deliver the FlareForge service as described in our Terms and Conditions. We do not sell, license, or share your data with third parties. We do not use your data to train AI models.
Where we process it
All personal data is stored and processed on infrastructure located in London, United Kingdom. No personal data is transferred outside the UK without your explicit instruction.
Security measures
We maintain the following technical and organisational measures to protect personal data:
- AES-256-GCM encryption at rest for all credentials and tokens
- TLS 1.3 for all data in transit
- Organisation-level logical isolation at the database layer
- Role-based access controls with verified invite authentication
- Daily encrypted backups across two offsite locations with 30-day retention
- Automatic session expiry for inactive users
Sub-processors
We use the following sub-processors to deliver the FlareForge service. We will notify you of any material changes to this list with 30 days notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Storage | Encrypted backup storage | UK |
| Backblaze B2 | Encrypted backup storage | EU |
| Stripe | Payment processing | UK / EU |
| Anthropic | AI features | US — SCCs in place |
Your rights
We will assist you in responding to data subject requests under UK GDPR including rights of access, rectification, erasure, restriction, and portability — within the timeframes required by law.
Data retention and deletion
On termination of your account your personal data is retained for 30 days to allow export, then permanently deleted from all systems including backups within 90 days of termination.
Breach notification
We will notify you of any personal data breach affecting your data without undue delay and in any event within 72 hours of becoming aware of it, in accordance with our obligations under UK GDPR.
Audit rights
You may request written confirmation of our compliance with this DPA once per calendar year. We will respond within 30 days of receiving your request.
Governing law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.