Data Processing Agreement
Effective: May 15, 2026 · Last updated: May 15, 2026
1. The roles
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Studio”) and Automata Army d/b/a InkMate (“InkMate”).
- Studio = Controller of the personal data it collects from its clients through InkMate.
- InkMate = Processor acting on the Studio's documented instructions.
By using InkMate to collect client data, the Studio accepts this DPA. No separate signature is required. A signed copy is available on request to legal@inkmate.app.
2. Subject matter and duration
Subject matter: InkMate processes personal data on behalf of the Studio to provide the Service described in the Terms — booking, consent capture, client records, deposit processing, transactional email.
Duration: for as long as the Studio's account is active, plus the post-termination retention periods set out in the Privacy Policy.
3. Nature and purpose of processing
InkMate processes Studio Personal Data to:
- Maintain the Studio's client database
- Run the public booking page and appointment calendar
- Capture, store, and present digital consent forms with e-signatures
- Route deposit payments via Stripe Connect to the Studio's Stripe account
- Send transactional emails (booking confirmations, password resets, receipts)
- Store and serve reference imagery and design files scoped to the Studio
- Provide customer support to the Studio
- Maintain security, prevent abuse, comply with legal obligations
4. Categories of data subjects
- The Studio's clients (people who book appointments, sign consent forms, or pay deposits)
- The Studio's staff (artists, front-of-house) with access to the dashboard
- Prospects who reach out through the public booking page without completing a booking
5. Categories of personal data
- Identification & contact: name, email, phone, date of birth, postal address
- Health intake: allergies, medications, skin conditions, medical history collected via consent forms — only what the Studio's form asks
- Booking data: appointment date/time, service, artist, notes
- Consent records: form responses, e-signatures, IP, timestamps
- Imagery: reference photos, design files, healed-tattoo photos uploaded by the Studio
- Payment metadata: Stripe payment intent ID, amount, currency, last-4 of card on receipts (no full card data — Stripe handles that)
- Account & technical: login email, hashed password, session metadata, IP, user-agent, request logs
The Studio decides which of these to collect by configuring its consent forms and booking flow.
6. InkMate's obligations
InkMate will:
- Process Studio Personal Data only on the Studio's documented instructions, including those given by configuring the Service
- Ensure people authorized to process the data are bound by confidentiality
- Implement appropriate technical and organizational measures (section 8)
- Assist the Studio in responding to data-subject rights requests and in fulfilling its own obligations under applicable law
- Notify the Studio of personal data breaches without undue delay and in any event within 72 hours of confirmation
- Make available the information needed to demonstrate compliance with this DPA
- On Studio request, return or delete Studio Personal Data at the end of the contract, subject to legal retention requirements
7. Sub-processors
The Studio gives general authorization for InkMate to use the following sub-processors. We'll give 30 days' notice before adding or replacing a sub-processor; the Studio can object during that window.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Stripe, Inc. | Subscription billing; Connect deposit processing; payout routing to studios | United States |
| Resend, Inc. | Transactional email delivery (receipts, password reset, booking confirmations) | United States |
| Amazon Web Services, Inc. | Cloud infrastructure — application hosting, database, file storage | US-East-1 (N. Virginia) |
Each sub-processor is bound by data-protection obligations no less protective than this DPA.
8. Security measures
InkMate maintains the following technical and organizational measures. They may evolve; the spirit (defense in depth, least privilege, tenant isolation) does not.
- Transport: HTTPS / TLS 1.2+ across all client-server traffic
- Credentials: passwords hashed with bcrypt; no plaintext storage
- Tenant isolation: all data scoped per organization; queries enforce org membership; uploaded files are partitioned per org
- Access control: production credentials limited to authorized personnel, rotated, not shared
- Webhook integrity: Stripe webhook payloads signature-verified against per-endpoint secrets
- Network: hosted on AWS in US-East-1 behind a managed reverse proxy
- Logging: request and error logs retained for operational debugging; logs do not capture password fields or card data
- Backups: database backups taken on a rolling schedule
- Incident response: documented runbook for breach notification within 72h
9. International transfers
Personal data is processed in the United States (AWS US-East-1) and at our sub-processors' locations. Where applicable, transfers from the EEA, the UK, or Switzerland rely on the Standard Contractual Clauses (Commission Decision 2021/914) and additional safeguards as required.
10. Studio obligations
The Studio:
- Is responsible for the lawfulness of the personal data it collects and uploads to InkMate
- Must provide an appropriate privacy notice to its clients
- Must obtain the consents required by applicable law (especially for health data and imagery)
- Must not instruct InkMate to process data in a way that would violate applicable law
- Must use InkMate's access controls — keep credentials private, limit dashboard access to staff who need it
11. Data-subject rights
When a client (data subject) reaches out to InkMate directly, InkMate will route the request back to the relevant Studio (since the Studio is the Controller). InkMate provides the Studio with the tooling needed to access, correct, export, or delete a client's data through the dashboard. For cases the tooling doesn't cover, email privacy@inkmate.app and we'll help.
12. Audits
On reasonable written request and no more than once per year (more often if a regulator requires it or a breach has occurred), InkMate will provide the Studio with information reasonably necessary to demonstrate compliance with this DPA. Where the Studio reasonably requires an on-site audit, the parties will coordinate timing and scope to minimize disruption.
13. Return and deletion
On termination of the Service, the Studio may export its data within the 30-day post-termination window described in the Privacy Policy. After that window, InkMate deletes Studio Personal Data, subject to the longer retention periods required by law (e.g. consent forms, billing records).
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
15. Changes
InkMate may update this DPA. Material changes (new sub-processors, changes to data location, changes to breach-notification windows) will be emailed to account owners at least 30 days before they take effect.
16. Contact
DPA questions and signed copies: legal@inkmate.app. Data-subject and privacy inquiries: privacy@inkmate.app.
