Data Processing Agreement
Last updated May 2026
Parties
This DPA is between you ("Controller") and Nternet Studio B.V., Jacob van Lennepstraat 78H, 1053 HM Amsterdam, the Netherlands ("Processor"), and supplements the Terms & Conditions.
Subject matter and duration
Processing of personal data in connection with the Nendo service. Processing begins when you first use Nendo and continues for the duration of your use.
Data processed
Email addresses, uploaded images (which may contain portraits), generated 3D models, shipping addresses, payment metadata, usage data. Data subjects: users of the Nendo service.
Security measures
TLS encryption in transit, encryption at rest, access controls, least-privilege access, audit logging, regular sub-processor review (Art. 32 GDPR).
Instructions and confidentiality
The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers, unless EU or Dutch law requires otherwise. Personnel authorized to process personal data are bound by confidentiality obligations.
Sub-processors
General authorization granted. The Processor informs the Controller of changes, giving reasonable opportunity to object.
| Service | Purpose | Location | Transfer |
|---|---|---|---|
| Cloudflare | Hosting, CDN, D1, R2 | EU/US | SCCs + DPF |
| Stripe | Payments | US (EU entity) | SCCs + DPF |
| OpenAI | Image styling | US | SCCs + DPF |
| FAL.ai | 3D generation | US | SCCs |
| PostHog | Analytics | EU | N/A (EU) |
| JLC3DP | 3D printing | China | SCCs |
Breach notification
The Processor notifies the Controller without undue delay, within 72 hours of becoming aware of a breach, including nature, affected data subjects, consequences, and measures taken.
Assistance
The Processor assists the Controller, taking into account the nature of processing and available information, with data subject requests, security obligations, DPIAs, and prior consultations with supervisory authorities.
Audit rights
The Processor makes available all information necessary to demonstrate Art. 28 compliance and allows audits by the Controller or mandated auditor.
Deletion
Upon termination or request, the Processor deletes or returns all personal data within 30 days, unless retention is required by law.