
Data Processing Agreement (DPA)

DPA availability: This is the standard DPA template for lender clients. To execute a DPA for your integration, contact hello@creatorlayer.eu.

Version 1.0 — Template for Pilot Lenders

Execution instructions

This template must be executed as a standalone agreement between your organisation and SATOSHI FRAMEWORK SASU before going live. Fill every [bracketed placeholder] and return a signed copy to hello@creatorlayer.eu.


Parties

This Data Processing Agreement ("Agreement") is entered into as of [Date] between:

Controller: [Lender Name], a [legal form] registered at [registered address], with company number [registration number] ("Controller"); and

Processor: SATOSHI FRAMEWORK SASU, a French société par actions simplifiée unipersonnelle registered at [registered address, France], operating the Creatorlayer income verification platform ("Processor").

Together referred to as the "Parties".


1. Definitions

Term | Meaning
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council
Personal Data | As defined in Art. 4(1) GDPR
Processing | As defined in Art. 4(2) GDPR
Data Subject | As defined in Art. 4(1) GDPR — here, EU-resident creators/obligors
Main Agreement | The pilot services agreement or API access agreement between the Parties
Sub-Processor | Any processor engaged by the Processor
Supervisory Authority | The competent national data protection authority — for the Processor: the CNIL (France)

Capitalised terms not defined here have the meaning given in the GDPR.


2. Subject Matter, Nature, Purpose and Duration

2.1 Subject matter

The Processor provides creator income verification services via the Creatorlayer API. In doing so, it processes Personal Data on behalf of the Controller for the purpose of producing Risk Tape reports used in lending decisions.

2.2 Nature of processing

Collection, structuring, storage, retrieval, use, disclosure (to the Controller), and erasure of Personal Data.

2.3 Purpose

Verification of creator income, generation of Risk Tape reports, and provision of benchmark analytics, as described in the Main Agreement.

2.4 Duration

This Agreement remains in force for the duration of the Main Agreement. On termination, clause 11 (Return and Deletion) applies.


3. Categories of Data Subjects and Personal Data

3.1 Data subjects

EU-resident individual content creators and self-employed creators who are obligors in a financing arrangement initiated by the Controller.

3.2 Categories of personal data

Category | Legal basis
Identity data — creator reference ID supplied by Controller | Art. 6(1)(b) — contract performance
OAuth access tokens — platform authorisation credentials (YouTube, Stripe) | Art. 6(1)(b) — contract performance
Platform income data — channel revenue, Stripe payouts, transaction records | Art. 6(1)(b) — contract performance
Consent records — timestamp, IP address, consent session ID | Art. 6(1)(c) — legal obligation
Typology profile data — behavioural and content category signals (optional) | Art. 6(1)(a) — creator's explicit consent

3.3 Special categories

The Parties do not anticipate processing special category data (Art. 9 GDPR). If special category data is inadvertently received, the Processor will notify the Controller within 48 hours.


4. Controller's Obligations

The Controller warrants and undertakes that:

  1. It has a valid legal basis for each category of Personal Data before instructing the Processor to process it.
  2. It has provided creators with a privacy notice meeting Arts. 13–14 GDPR before initiating a verification.
  3. Where typology data is processed, it has obtained and can evidence the creator's explicit consent under Art. 6(1)(a) and Art. 7 GDPR.
  4. Its instructions to the Processor are and will remain lawful.
  5. It will notify the Processor promptly of any change in legal basis or applicable law that may affect the processing.

5. Processor's Obligations

5.1 Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In that case, the Processor shall inform the Controller before processing unless prohibited by law.

5.2 Confidentiality

The Processor shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations.

5.3 Security

The Processor shall implement appropriate technical and organisational measures in accordance with Art. 32 GDPR. See Annex C.

5.4 Sub-processing

The Processor shall comply with clause 6 before engaging Sub-Processors.

5.5 Data subject rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests (Arts. 15–22 GDPR) within the timeframes set out in clause 8.

5.6 Deletion and return

At the Controller's choice, the Processor shall delete or return all Personal Data on termination, as set out in clause 11.

5.7 Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits as set out in clause 12.

5.8 Notification of unlawful instructions

If the Processor considers that an instruction from the Controller infringes the GDPR or applicable data protection law, it shall immediately inform the Controller.


6. Sub-Processing

6.1 Authorised sub-processors

The Controller grants the Processor general written authorisation to engage the sub-processors listed in Annex B. The Processor shall maintain an up-to-date version of Annex B at all times.

6.2 Notice of changes

The Processor shall give the Controller at least 30 days' prior written notice of any intended change to Annex B (addition or replacement of a sub-processor). The Controller may object to the change on reasonable data protection grounds within 14 days of receiving notice. If no objection is raised, the change takes effect on the date notified.

6.3 Flow-down

The Processor shall impose the same data protection obligations on each sub-processor as those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in accordance with Art. 28(4) GDPR.

6.4 Liability

The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.


7. Data Subject Rights

7.1 Requests

Where a data subject submits a request directly to the Processor exercising rights under Arts. 15–22 GDPR, the Processor shall:

  • Forward the request to the Controller within 3 business days; and
  • Provide reasonable technical assistance to enable the Controller to respond within the statutory 30-day period.

7.2 API endpoints

The Creatorlayer API exposes the following endpoints to assist the Controller in fulfilling data subject rights:

Endpoint | Purpose
GET /api/v1/gdpr/access | Retrieve all Personal Data held for a creator
POST /api/v1/gdpr/erase | Permanently erase a creator's Personal Data
GET /api/v1/gdpr/export | Export a creator's Personal Data in portable format

8. Personal Data Breach

8.1 Notification to Controller

The Processor shall notify the Controller of a Personal Data Breach without undue delay and, where feasible, within 36 hours of becoming aware of it. Notification shall include, to the extent then known:

  • Nature of the breach and categories of data affected;
  • Approximate number of data subjects and records affected;
  • Name and contact details of the data protection contact;
  • Likely consequences of the breach;
  • Measures taken or proposed to address the breach.

8.2 Notification to Supervisory Authority

The Controller is responsible for notifying its competent Supervisory Authority under Art. 33 GDPR within 72 hours. The Processor shall provide all reasonable assistance to enable the Controller to meet this obligation.

8.3 Communication to data subjects

The Controller is responsible for communications to data subjects under Art. 34 GDPR. The Processor shall assist as requested.


9. Data Protection Impact Assessment

Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR in relation to processing carried out under this Agreement, the Processor shall:

  • Provide all information reasonably requested by the Controller regarding the processing;
  • Assist the Controller in completing the DPIA;
  • If required, assist with any prior consultation with a Supervisory Authority under Art. 36 GDPR.

10. International Transfers

10.1 Data location

All Personal Data is processed and stored on infrastructure located in the European Union. The Processor's primary infrastructure is hosted by Scalingo SAS on servers in France (see Annex B).

10.2 API calls to third-party platforms

When retrieving income data from YouTube (Google Ireland Limited) and Stripe (Stripe Payments Europe, Limited), Personal Data may transit through those platforms' infrastructure. Both Google Ireland and Stripe Payments Europe are established in the EU/EEA and process data in accordance with their standard contractual commitments and GDPR-compliant terms. No transfer outside the EEA occurs under Creatorlayer's control.

10.3 Standard Contractual Clauses

Should any transfer of Personal Data to a country outside the EEA become necessary in the future (for example, engagement of a non-EU sub-processor), the Parties shall execute the applicable Standard Contractual Clauses adopted by the European Commission under Art. 46(2)(c) GDPR prior to any such transfer. No such transfer is currently made.

10.4 Prohibited transfers

The Processor shall not transfer any Personal Data to a country outside the EEA without either (a) the Controller's prior written consent or (b) an appropriate safeguard under Arts. 44–49 GDPR being in place (including, where applicable, the Standard Contractual Clauses referenced in clause 10.3).


11. Return and Deletion

11.1 Upon termination

Within 30 days of termination of the Main Agreement, and at the Controller's written election, the Processor shall:

  • (a) Return to the Controller all Personal Data in machine-readable format (JSON); or
  • (b) Securely and permanently delete all Personal Data and confirm deletion in writing.

The Processor may retain Personal Data beyond the 30-day period only to the extent and for the duration required by EU or Member State law, and shall inform the Controller of any such obligation.

11.3 Backup purge

Deletion shall include Personal Data in backups. The Processor shall confirm that backup purge is complete within 60 days of the deletion instruction.


12. Audit Rights

12.1 Information

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and Art. 28 GDPR, including up-to-date sub-processor lists, security documentation, and relevant certifications.

12.2 On-site and remote audits

The Controller may audit the Processor's data processing activities at most once per calendar year, with at least 14 days' prior written notice, during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear its own costs of the audit.

12.3 Third-party auditors

The Controller may appoint a mutually agreed independent third-party auditor. The auditor must sign a confidentiality undertaking before commencing the audit.


13. Liability and Indemnity

13.1 Each Party's liability under this Agreement is subject to the limitations set out in the Main Agreement.

13.2 Where a Party has paid compensation to a data subject in respect of a loss caused by the other Party's breach of this Agreement or the GDPR, the Party that paid may seek contribution from the other Party in proportion to its responsibility for the damage, in accordance with Art. 82(5) GDPR.


14. Governing Law and Jurisdiction

14.1 This Agreement is governed by the laws of France.

14.2 Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Paris, France, without prejudice to any rights a data subject may have before their national Supervisory Authority.


15. General

15.1 This Agreement forms part of the Main Agreement and supplements it. In case of conflict between this Agreement and the Main Agreement on data protection matters, this Agreement prevails.

15.2 This Agreement may only be amended by written agreement signed by both Parties.

15.3 If any provision of this Agreement is held invalid or unenforceable, the remaining provisions remain in full force.


Annex A — Description of Processing

Field | Detail
Subject matter | Creator income verification for lending decisions
Duration | Duration of the Main Agreement
Nature | Collection, storage, retrieval, analysis, transmission to Controller, deletion
Purpose | Risk Tape generation; benchmark analytics
Categories of data subjects | EU-resident individual creators and self-employed creators
Categories of personal data | Identity reference, OAuth tokens, platform income data, consent records, typology data (optional)
Sensitive data | None anticipated
Frequency | Per-verification request (event-driven)
Retention | Retained for the duration of the Main Agreement; deleted on termination per clause 11

Annex B — Authorised Sub-Processors

Sub-Processor | Entity | Role | Data Location
Scalingo | Scalingo SAS, France | PostgreSQL database hosting (primary and replica); Redis cache | France (EU)
IONOS | IONOS SE, Germany | Static file hosting for docs.creatorlayer.eu (no Personal Data stored) | EU
Google (YouTube Data API) | Google Ireland Limited, Ireland | Platform income data retrieval via YouTube Data API v3 | EU/EEA
Stripe | Stripe Payments Europe, Limited, Ireland | Platform income data retrieval via Stripe API | EU/EEA

The Processor will notify the Controller of any intended changes to this list in accordance with clause 6.2.


Annex C — Technical and Organisational Security Measures

The Processor implements the following measures in accordance with Art. 32 GDPR:

Access control

  • API keys are stored as SHA-256 hashes; raw keys are never persisted
  • Role-based access control (lender, gdpr_admin) enforced at API gateway
  • Internal access to production database restricted to the founder via SSH with MFA

Encryption

  • All data in transit encrypted using TLS 1.2+
  • PostgreSQL data at rest encrypted using AES-256 at the Scalingo infrastructure level
  • OAuth tokens stored encrypted at application level

Pseudonymisation

  • Creators are identified internally by a pseudonymous verification_id (UUID); the obligor_reference supplied by the Controller is the only external identifier stored

Data retention

  • Consent sessions expire automatically after 7 days of inactivity; associated ephemeral data is purged at expiry
  • Risk Tape records are retained for the duration of the Main Agreement and deleted within 30 days of termination (clause 11)
  • PostgreSQL daily automated backups with 7-day retention; backup purge confirmed within 60 days of deletion instruction

Resilience and availability

  • Redis used for ephemeral session data only (no long-term PII storage)
  • Documented incident response procedures in place

Rate limiting and abuse prevention

  • API rate limiting enforced at the gateway level to prevent abuse and reduce data exposure risk
  • Requests exceeding limits receive HTTP 429 responses; thresholds are documented in the API reference

API-assisted data subject rights

  • GET /api/v1/gdpr/access — retrieve all Personal Data held for a creator
  • POST /api/v1/gdpr/erase — permanently erase a creator's Personal Data
  • GET /api/v1/gdpr/export — export a creator's Personal Data in portable JSON format

Security testing

  • Dependency vulnerability scanning on every deploy
  • Regular review of API authentication and authorisation logic

Data minimisation

  • Only data fields required for Risk Tape generation are retrieved from platform APIs
  • OAuth scopes requested are the minimum necessary (read-only income/analytics data)

Confidentiality

  • Access to Personal Data is restricted to the founder, who is bound by confidentiality obligations

Last updated: 2026-03-20 — SATOSHI FRAMEWORK SASU


Annex 1 — Standard Contractual Clauses (SCCs) for International Transfers

Applicable GDPR provisions: Article 46(2)(c), Commission Implementing Decision (EU) 2021/914 of 4 June 2021

1.1 Scope of This Annex

Creatorlayer (as Data Controller, operated by SATOSHI FRAMEWORK SASU) relies on the following sub-processors located outside the European Economic Area (EEA). All transfers are governed by the EU Standard Contractual Clauses adopted by the European Commission on 4 June 2021.

1.2 Transfer Inventory

Sub-Processor | Country | Transfer Mechanism | SCC Module | Purpose
Google LLC (YouTube API) | USA | EU SCCs (2021) | Controller-to-Processor (Module 2) | OAuth-based access to creator YouTube analytics data
Stripe Inc. | USA | EU SCCs (2021) | Controller-to-Processor (Module 2) | OAuth-based access to creator Stripe income data
Resend Inc. | USA | EU SCCs (2021) + Resend DPA | Controller-to-Processor (Module 2) | Transactional email delivery (consent links, magic links)
GitHub Inc. | USA | EU SCCs (2021) | Controller-to-Processor (Module 2) | Source code hosting (no personal data of data subjects processed)

1.3 Transfer Impact Assessment

The Controller has assessed that:

  • All listed sub-processors have published commitments to the EU SCCs (2021 version).
  • The USA does not benefit from an EU adequacy decision under GDPR Article 45 at the time of this DPA; however, the EU SCCs provide an adequate safeguard per Article 46(2)(c).
  • The volume and sensitivity of data transferred is limited to the minimum necessary for the stated purpose.
  • No special categories of personal data (GDPR Article 9) are transferred to any sub-processor.

1.4 Obligation on Processor

Where the Processor or any sub-processor makes an onward transfer of personal data originating in the EEA, the Processor shall ensure that transfer is covered by a valid transfer mechanism under Chapter V of the GDPR.


Annex 2 — Technical and Organisational Measures (TOMs)

Applicable GDPR provision: Article 32 — Security of processing

The Processor (and Controller, acting as its own processor for internally operated services) has implemented the following technical and organisational security measures:

2.1 Transport Security

  • TLS 1.3 enforced on all API endpoints, dashboard, and documentation (older TLS versions rejected).
  • HSTS (HTTP Strict Transport Security) with max-age=31536000; includeSubDomains enforced via helmet.js.
  • Secure cookie flags (Secure, HttpOnly, SameSite=Strict) on all session cookies.

2.2 Application Security Controls

  • helmet.js with strict Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy headers.
  • CSRF protection on all state-changing endpoints.
  • CORS allowlist — requests accepted only from authorised origins.
  • HTTP payload size limit — express.json({ limit: '10kb' }) to prevent request body flooding.
  • Rate limiting — per-lender-plan Redis-backed rate limiting on all API endpoints.
  • Input validation — all API inputs validated with Zod (TypeScript) and AJV (JSON Schema) before processing.
  • TypeScript strict mode — strict: true in tsconfig.json; no implicit any, no unsafe assignments.

2.3 Authentication and Authorisation

  • API key hashing — API keys stored as SHA-256 hashes; plaintext never retained after issuance.
  • Role-Based Access Control (RBAC) — roles: lender, gdpr_admin, admin; enforced at middleware and resolver level.
  • Magic link authentication — time-limited, single-use tokens for creator portal access.
  • Session management — sessions expire after inactivity; withdrawal of consent immediately invalidates all related sessions.

2.4 Cryptography

  • AES-256 encryption at rest for OAuth tokens stored in PostgreSQL.
  • Field-level access control on Risk Tape JSONB — only the requesting lender may retrieve their commissioned Risk Tape.
  • HMAC-SHA256 webhook signature verification.

2.5 Audit and Logging

  • Append-only audit log (gdpr_audit_log table) — application database user has no DELETE or UPDATE privilege on this table.
  • 7-year audit log retention — aligned with GDPR Article 5(2) accountability and French commercial record obligations.
  • CONFIDENTIAL trade secret headers on algorithm source files.

2.6 Code Quality and Supply Chain Security

  • Semgrep SAST — static analysis scanning for OWASP Top 10 vulnerabilities and custom rules in CI/CD pipeline.
  • Dependency auditing — npm audit run on every pull request.
  • CI/CD pipeline — all deployments via reviewed and approved GitHub Actions workflows; direct production pushes prohibited.

2.7 Infrastructure

  • Scalingo SAS (France, EU) — application hosting, PostgreSQL, Redis. All data stored and processed within the EEA.
  • Environment variable secrets management — no secrets committed to source code; managed via Scalingo environment configuration.
  • Automatic backups — PostgreSQL daily backups with point-in-time recovery.

2.8 Organisational Measures

  • Access on need-to-know basis — production database access restricted to the founder.
  • Incident response plan — documented procedure for breach detection, containment, notification (CNIL within 72 hours per GDPR Article 33; affected data subjects without undue delay if high risk per Article 34).
  • Annual review — TOMs reviewed annually or upon material change to the processing environment.

Annex 3 — Sub-Processor List

Applicable GDPR provision: Article 28(2) — Sub-processors

The Controller hereby provides general authorisation to the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes to this list (addition or replacement) with at least 14 days' notice, providing the Controller with the opportunity to object.

Sub-Processor | Registered Country | Role | Personal Data Processed | Legal Basis for Transfer | DPA / Safeguard Reference
Scalingo SAS | France (EU) | Application hosting platform — PostgreSQL database, Redis cache, container infrastructure | All personal data processed by Creatorlayer (stored in EU, no transfer outside EEA) | No transfer — EU-based | Scalingo DPA; Scalingo is HDS-certified and ISO 27001-aligned
Resend Inc. | USA | Transactional email delivery (consent initiation links, magic login links, GDPR response emails) | Creator email addresses; email subject lines; no PII in message body logs | EU SCCs (2021), Module 2 (C2P) | Subject to Resend Data Processing Agreement
Google LLC | USA | YouTube Data API — Creator OAuth token issuance and income analytics access | YouTube OAuth access/refresh tokens, creator channel analytics data | EU SCCs (2021), Module 2 (C2P) | Subject to Google Cloud Data Processing Addendum
Stripe Inc. | USA | Stripe Connect API — Creator OAuth token issuance and payment income data access | Stripe OAuth access/refresh tokens, creator payout and revenue data | EU SCCs (2021), Module 2 (C2P) | Subject to Stripe Data Processing Agreement
GitHub Inc. | USA | Source code repository hosting | Developer account data only; no personal data of data subjects (creators or lenders) is stored in source code | EU SCCs (2021), Module 2 (C2P) + GitHub DPA | https://docs.github.com/en/site-policy/privacy-policies/github-data-protection-agreement

Breach Notification Obligation

Each sub-processor is contractually required (via their respective DPAs) to notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach, enabling the Controller to meet its own notification obligations to the CNIL under GDPR Article 33.

The Controller shall notify the CNIL within 72 hours of becoming aware of a breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall also notify affected data subjects without undue delay per GDPR Article 34.