CREAV DATA PROCESSING ADDENDUM
Last Updated: June 12, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between creavio, Inc. ("Processor," "we," "us") and the Creator ("Controller," "you") and governs the processing of personal data by creavio on your behalf.
1. DEFINITIONS 1.1. "Personal Data" means any information relating to an identified or identifiable natural person processed through the Platform on your behalf. 1.2. "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion. 1.3. "Data Subject" means any identified or identifiable natural person whose Personal Data is processed (your clients, contacts, and leads). 1.4. "Sub-processor" means any third party engaged by creavio to process Personal Data on your behalf.
2. ROLES & SCOPE 2.1. You are the Data Controller for all client data you store on the Platform (client names, emails, phone numbers, addresses, photos, contracts, invoices, booking details, and any other information you upload or collect through forms). 2.2. creavio is the Data Processor, processing your client data only as necessary to provide the Platform services and as instructed by you. 2.3. creavio is the Data Controller for its own operational data (your account information, billing data, usage analytics, and support communications). 2.4. Agency-Tier (On-Behalf-Of) Processing. Where you operate creavio under the Agency tier to manage workspaces on behalf of third-party brands or businesses ("Brands"), you act as the Data Controller (or as the Brand's processor authorized to engage creavio) for that Brand's data and the personal data of the Brand's customers and contacts, and creavio acts as your Processor or sub-processor for that data, processing it only on your documented instructions. References to "you," "Creator," and "Controller" in this DPA include the Agency for such processing. You are responsible for the lawful basis, notices, and consents required for processing each Brand's data, and you represent that you are authorized by each Brand to engage creavio to process it. Each managed workspace is data-isolated from every other workspace. The Agency Services Addendum (creav.io/legal/agency-terms) governs the broader Agency relationship.
3. PROCESSING INSTRUCTIONS 3.1. creavio will process Personal Data only on your documented instructions, which include: hosting and displaying client data, sending emails on your behalf, processing payments, generating contracts and invoices, and any other Platform features you activate. 3.2. creavio will not process Personal Data for any purpose other than providing the Platform services, unless required by law. 3.3. If creavio is required by law to process Personal Data beyond your instructions, we will notify you before such processing unless legally prohibited from doing so.
4. SECURITY MEASURES 4.1. creavio implements appropriate technical and organizational measures to protect Personal Data, including: (a) Encryption in transit (TLS 1.2+) and at rest; (b) Tenant data isolation (all queries scoped to your tenant ID); (c) Password hashing with PBKDF2 (100,000 iterations); (d) AES-256-GCM encryption for sensitive data (contract signatures); (e) Role-based access controls; (f) Regular security monitoring and logging; (g) Secure file storage with access controls (Cloudflare R2).
5. SUB-PROCESSORS 5.1. You authorize creavio to engage the following sub-processors:
- Cloudflare, Inc. (San Francisco, CA) — Infrastructure, hosting, D1 database, R2 file storage, KV, CDN, DNS
- Stripe, Inc. (San Francisco, CA) — Payment processing, subscription billing (PCI DSS Level 1)
- Resend, Inc. — Transactional and marketing email delivery
- Telnyx, Inc. — SMS and MMS delivery
- Anthropic, PBC (San Francisco, CA) — AI processing for copy, SEO optimizer, AI Insert (enterprise data terms; no training on customer data)
- OpenAI, L.L.C. (San Francisco, CA) — AI processing for select admin tooling (API data terms; no training on API data)
- DataForSEO — Keyword research and SERP data for the SEO suite (aggregate queries only, no personal data)
- Google LLC (Mountain View, CA, USA) — Google Search Console and Google Analytics 4 data import when a Creator opts in; Google OAuth for sign-in; Google Maps Platform Places API for location search in Studio profiles (sends user-entered search queries and associated IP/request metadata; no location data is stored by creavio). (3) Platform Analytics: creavio uses GA4 for its own platform analytics and advertising attribution on creav.io and app.creav.io. Creators who configure GA4 on their canvas sites are data controllers for their own analytics — creavio is not responsible for Creator-configured tracking.
- Coconut Video (USA) — Video transcoding, thumbnail generation, and HLS packaging. Coconut receives source media files for processing and temporarily stores source and output files during active jobs (cleared within 48 hours of job completion). Final processed files are delivered to Cloudflare R2. Coconut Video does not use uploaded content for training or any purpose other than fulfilling the processing job.
5.2. The canonical, dated sub-processor list is published at creav.io/legal/subprocessors. creavio will notify you of any new sub-processors at least 30 days before engagement. You may object by contacting privacy@creav.io within that period. Note: Coconut Video and Google Maps Platform were added effective June 21, 2026 (30-day notice issued May 22, 2026).
5.3. creavio ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA.
6. DATA SUBJECT REQUESTS 6.1. If creavio receives a request from a Data Subject regarding Personal Data you control, we will promptly notify you and will not respond directly unless legally required. 6.2. creavio will provide reasonable assistance to help you respond to Data Subject requests (access, rectification, erasure, portability, restriction, or objection). 6.3. You can fulfill most Data Subject requests directly through the Platform (export data, delete clients, update records).
7. DATA BREACH NOTIFICATION 7.1. creavio will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your client data. 7.2. Notification will include: nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach. 7.3. creavio will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. DATA RETURN & DELETION 8.1. Upon termination of your account, you may export your data within 30 days using the Platform's data export feature. 8.2. After the 30-day period, creavio will delete all Personal Data processed on your behalf, except where retention is required by law (e.g., payment records retained for 7 years). 8.3. creavio will purge Personal Data from backups within 30 days of the deletion date.
9. INTERNATIONAL TRANSFERS 9.1. Personal Data may be transferred to and processed in the United States and other countries where Cloudflare operates infrastructure. 9.2. For transfers from the EEA or UK, creavio relies on Standard Contractual Clauses as approved by the European Commission.
10. AUDIT RIGHTS 10.1. creavio will make available to you, upon reasonable request, information necessary to demonstrate compliance with this DPA. 10.2. You may conduct an audit, or engage a third-party auditor, to verify creavio's compliance. Audits shall be conducted with reasonable notice, during business hours, and no more than once per year. 10.3. creavio may satisfy audit requests by providing relevant certifications, audit reports, or documentation.
11. TERM & TERMINATION 11.1. This DPA remains in effect for the duration of your use of the Platform and for as long as creavio processes Personal Data on your behalf. 11.2. The obligations in Sections 7, 8, and 10 survive termination.
12. GOVERNING LAW This DPA is governed by the same governing law as the Terms of Service (Commonwealth of Virginia).