Source-DAM LogoSource-DAMBack to home

Data Processing Addendum (DPA)

Last updated: February 26, 2026

1. Scope

This Data Processing Addendum applies when Source-DAM processes personal data on behalf of a customer in connection with the Source-DAM service. It supplements the Terms of Service.

2. Roles of the Parties

For customer workspace data, the customer acts as Controller (or Processor as applicable) and Source-DAM acts as Processor. Each party is responsible for complying with the obligations that apply to its role under applicable data protection law.

3. Details of Processing

  • Subject matter: Provision of digital asset management services.
  • Duration: For the term of the customer subscription and any agreed post-termination retention period.
  • Nature and purpose: Hosting, organizing, searching, processing, and sharing customer digital assets and related metadata.
  • Categories of data subjects: Customer personnel, customer collaborators, and end users included in customer-uploaded content.
  • Categories of personal data: Account identifiers, uploaded content, metadata, access and audit logs, and support communications.

4. Controller Instructions

Source-DAM processes personal data only on documented instructions from the customer, including instructions reflected in use of product features and configuration choices made by authorized customer users.

5. Confidentiality and Access Controls

Source-DAM ensures personnel with access to customer personal data are bound by confidentiality obligations and that access is restricted on a least-privilege basis.

6. Security Measures

Source-DAM implements appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. A high-level control overview is available on the Security page.

7. Subprocessors

Source-DAM may engage subprocessors to provide parts of the service. The current list is published on the Legal Hub. Source-DAM remains responsible for subprocessor performance of data protection obligations relevant to the services they provide.

Customers may raise reasonable objections to new subprocessors by contacting privacy@source-dam.com within thirty (30) days of notice.

8. International Data Transfers

Where personal data is transferred outside the EEA, Source-DAM relies on appropriate transfer mechanisms such as Standard Contractual Clauses and supplementary measures where required.

9. Data Subject Rights and Regulatory Assistance

Taking into account the nature of processing, Source-DAM provides reasonable assistance to help customers respond to data subject requests and regulatory inquiries.

10. Personal Data Breaches

Source-DAM will notify affected customers without undue delay after becoming aware of a confirmed personal data breach impacting customer personal data and will provide available information needed to support customer obligations.

11. Audits

Source-DAM will provide information reasonably necessary to demonstrate compliance with this DPA and may satisfy audit obligations through relevant documentation, security reports, and reasonable audit cooperation processes.

12. Return and Deletion

Upon termination, customer data is handled according to the Terms and documented retention windows, including allowing export before deletion where supported by the service.

13. Contact

Privacy and DPA requests: privacy@source-dam.com