This document is written in a practical and conservative way and may be updated as Abistu develops.
1. Purpose and scope
This Data Processing Addendum explains the intended data-processing terms for business users who use Abistu to upload, organize, share, and receive feedback on client-related visual work.
It applies where the user determines the purposes and means of processing client content and Abistu processes that content on the user's behalf as a processor or service provider.
2. Relationship to the Terms and Privacy Policy
This DPA supplements the Terms of Service and Privacy Policy.
If this DPA applies to a processing activity, it should be read together with the Terms, Privacy Policy, Cookie Policy, Acceptable Use Policy, and any applicable service-specific terms.
3. Roles
For account, billing, security, service-operation, support, and abuse-prevention data, Abistu may act as controller because it determines how and why that data is processed.
For images, gallery details, viewer selections, item comments, general request messages, and client contact details uploaded or collected by a business user for that user's own client workflow, the business user may act as controller and Abistu may act as processor.
4. User responsibilities as controller
The user is responsible for deciding whether Abistu is appropriate for the content and people involved in the user's workflow.
The user is responsible for having the required rights, permissions, consents, releases, privacy notices, contractual authority, and lawful basis to upload, process, share, and receive data through Abistu.
- Do not upload content if you do not have the right or authority to process it through Abistu.
- Do not use Abistu for content prohibited by the Acceptable Use Policy.
- Provide required notices to clients, viewers, employees, contractors, models, property owners, or other affected people where applicable.
- Handle requests from your own clients or data subjects where you are the primary controller.
5. Subject matter and duration
The subject matter of processing is the provision of a private gallery and client-selection service.
Processing may continue for as long as the user maintains an account, uses galleries, stores gallery files, receives requests, or as long as needed for security, support, backup, legal, abuse-prevention, or operational purposes.
6. Categories of data
Depending on use, processed data may include uploaded images, optimized gallery files, thumbnails, gallery titles, descriptions, client selections, item-specific comments, general request messages, client names, client email addresses, timestamps, technical logs, gallery access data, and service-operation data.
7. Documented instructions
Abistu processes user-uploaded client content to provide, secure, support, and operate the service according to the user's use of Abistu and the applicable legal documents.
Abistu may also process data where required to comply with law, protect the service, prevent abuse, respond to valid notices, preserve evidence where appropriate, or enforce the Terms and Acceptable Use Policy.
8. Abistu processor commitments
- Process applicable user-uploaded client content only for service operation, security, support, abuse prevention, legal compliance, and related purposes described in the legal documents.
- Use reasonable technical and organizational measures designed to protect the service and processed data.
- Limit access to people or systems that need access for service operation, support, security, abuse handling, or legal compliance.
- Assist with reasonable privacy or data-subject requests where the user is the controller and where the request is technically and commercially reasonable.
- Maintain confidentiality obligations for people who may access processed data as part of service operation.
9. Subprocessors
Abistu may use subprocessors and service providers for hosting, infrastructure, email delivery, storage, security, backups, monitoring, and service operation.
A dedicated subprocessors list may be added or expanded as the provider list is finalized. Users should review current legal pages before relying on Abistu for mature B2B or regulated use.
10. Security measures
Abistu uses reasonable technical and organizational measures designed to protect uploaded content, account data, and service data.
No online service, hosting environment, transmission method, or storage system can guarantee absolute security, uninterrupted availability, or error-free operation.
11. Data subject requests
Where Abistu acts as processor, the user remains primarily responsible for responding to data-subject requests related to the user's own client content.
Abistu may assist with reasonable requests where technically possible and where the request is consistent with applicable law, the Terms, security requirements, and service operation.
12. Security incidents
If Abistu becomes aware of a confirmed security incident affecting personal data processed under this DPA, Abistu will take reasonable steps to assess, contain, and address the incident.
Notification duties, timing, and content may depend on the nature of the incident, applicable law, available information, and legal review.
13. Deletion, return, and preservation
Abistu may delete or make unavailable gallery data according to product limits, lifecycle rules, user actions, plan rules, and service-retention behavior.
Deletion from active service areas may not immediately remove residual copies from backups, logs, or recovery systems.
Where a report, dispute, abuse concern, legal obligation, or security issue exists, Abistu may preserve limited records where reasonably necessary.
14. International transfers
Abistu may use providers and infrastructure needed to operate the service. Transfer details and safeguards should be reviewed and updated as the service provider list is finalized.
Users with strict transfer, residency, sector-specific, or regulated requirements should not assume Abistu meets those requirements unless separately confirmed in writing.
15. Contact
For questions about this DPA, contact info@abistu.com.