Data Processing Agreement

Last updated: June 5, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Model Pipeline AI Inc. ("ImagePipeline", "we", "us") and the customer ("Customer", "you") governing the provision of the ImagePipeline services (the "Services"). It applies where ImagePipeline processes Personal Data on behalf of the Customer in the course of providing the Services.

This page is provided for transparency. Customers who require a countersigned DPA for their records may request one at security@imagepipeline.io.

1. Definitions

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in applicable data protection law, including the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). "Subprocessor" means any third party engaged by ImagePipeline to process Personal Data.

2. Roles of the Parties

For Personal Data processed in connection with the Services, the Customer acts as the Controller and ImagePipeline acts as the Processor. Where the Customer is itself a Processor acting on behalf of a third-party Controller, ImagePipeline acts as a sub-processor. ImagePipeline processes Personal Data only on the Customer's documented instructions, including as set out in this DPA and the applicable order or terms.

3. Scope and Purpose of Processing

ImagePipeline processes Personal Data only to provide and support the Services: receiving API requests, generating and returning images, maintaining accounts, billing, security, and support. The subject matter, duration, nature, and purpose of processing, the categories of Data Subjects, and the types of Personal Data are described in our Privacy Policy and the applicable order.

4. Confidentiality

ImagePipeline ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and access Personal Data only on a need-to-know basis under least-privilege controls.

5. Security Measures

ImagePipeline implements appropriate technical and organisational measures to protect Personal Data, as described on our Security page. These include encryption of data in transit and at rest, network segmentation, access controls and multi-factor authentication, continuous monitoring, and secure software-development practices.

6. Subprocessors

The Customer provides general authorisation for ImagePipeline to engage Subprocessors to process Personal Data. A current list of Subprocessors is maintained at imagepipeline.io/legal/subprocessors. ImagePipeline imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA and remains responsible for each Subprocessor's performance. We will provide a mechanism to notify Customers of changes to the Subprocessor list, and Customers may raise reasonable objections to a new Subprocessor.

7. Data Subject Requests

Taking into account the nature of the processing, ImagePipeline provides reasonable assistance to enable the Customer to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection) under applicable law. Where a Data Subject contacts ImagePipeline directly, we will, where lawful, refer the request to the Customer.

8. Personal Data Breach

ImagePipeline notifies the Customer without undue delay after becoming aware of a Personal Data breach affecting the Customer's Personal Data, and provides information reasonably available to assist the Customer in meeting its breach-notification obligations.

9. International Transfers

Where processing involves the transfer of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, such transfers are made under an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable.

10. Audit

ImagePipeline makes available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior request and subject to confidentiality, responds to the Customer's reasonable audit and questionnaire requests, including by providing relevant security documentation and certifications where available.

11. Return and Deletion

On termination of the Services, and in any event in line with the retention periods described in our Privacy Policy, ImagePipeline deletes or returns Personal Data processed on the Customer's behalf, save where retention is required by applicable law. Generated content and associated prompts are deleted from our primary systems within 30 days of creation.

12. Liability and Precedence

This DPA is subject to the limitations and exclusions of liability set out in the main agreement between the parties. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails.

13. Contact

For questions about this DPA or to request a countersigned copy, contact security@imagepipeline.io (Model Pipeline AI Inc., Delaware, United States).