Last updated: May 3, 2026
This Data Processing Addendum (“DPA”) forms part of the ModelRoom Terms of Service or other agreement between Customer and ModelRoom governing Customer’s use of the Services (each, an “Agreement”), unless Customer and ModelRoom have agreed to another data processing agreement or other written terms that apply to the relevant processing.
This DPA applies only to the extent ModelRoom processes Customer Personal Data on behalf of Customer as a processor under Applicable Data Protection Laws. This DPA does not apply to personal data that ModelRoom processes as a controller, including account, billing, subscription, and support data, which is governed by the Privacy Policy.
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection (“Swiss FADP”), and any applicable national data protection laws.
“Customer” means the individual, company, organization, or other legal entity that is party to the Agreement with ModelRoom.
“Customer Personal Data” means personal data processed by ModelRoom on behalf of Customer in connection with the Services.
“Data Subject,” “controller,” “processor,” “processing,” “personal data,” “personal data breach,” and “supervisory authority” have the meanings given under Applicable Data Protection Laws.
“ModelRoom” means HorseImpact Ltd, trading as ModelRoom.
“Restricted Transfer” means a transfer of Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a recipient in a country that is not subject to an applicable adequacy decision or adequacy regulation, where such transfer requires appropriate safeguards under Applicable Data Protection Laws.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as amended, replaced, or supplemented from time to time.
“Sub-processor” means any third party engaged by ModelRoom to process Customer Personal Data on behalf of Customer in connection with the Services.
Customer is the controller of Customer Personal Data, or acts as processor on behalf of another controller. ModelRoom processes Customer Personal Data as processor on behalf of Customer.
Customer is responsible for ensuring that it has all rights, permissions, notices, consents, and lawful bases necessary for ModelRoom and its Sub-processors to process Customer Personal Data in accordance with the Agreement and this DPA.
If Customer is a processor acting on behalf of another controller, Customer represents that its instructions to ModelRoom are authorized by the relevant controller and that Customer is entitled to appoint ModelRoom as a sub-processor.
The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Customer Personal Data are described in Annex I.
Customer instructs ModelRoom to process Customer Personal Data as necessary to:
(a) provide, operate, maintain, secure, and support the Services;
(b) process Content, prompts, inputs, chat interactions, files, media, outputs, metadata, and other materials submitted to or processed through the Services;
(c) comply with Customer’s documented instructions, the Agreement, and this DPA;
(d) prevent, detect, and address fraud, abuse, security incidents, violations of the Agreement, and technical issues;
(e) comply with applicable law; and
(f) otherwise perform ModelRoom’s obligations under the Agreement.
ModelRoom will promptly inform Customer if, in ModelRoom’s opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by applicable law.
Customer is responsible for:
(a) determining the purposes and means of processing Customer Personal Data;
(b) ensuring that Customer Personal Data is collected, used, disclosed, and submitted to the Services lawfully;
(c) providing required notices to Data Subjects;
(d) obtaining required consents, permissions, and rights;
(e) ensuring that Customer Personal Data is accurate and appropriate for the intended processing;
(f) ensuring that Customer’s use of the Services complies with Applicable Data Protection Laws, the Agreement, and the Acceptable Use Policy; and
(g) not submitting Customer Personal Data to the Services where the Agreement, the Acceptable Use Policy, or applicable law prohibits such submission.
Customer will not submit special categories of personal data, children’s data, health data, biometric data used for identification, government identifiers, financial account data, or other sensitive personal data to the Services unless expressly permitted by the Agreement or otherwise agreed in writing with ModelRoom, and lawful under Applicable Data Protection Laws.
ModelRoom will:
(a) process Customer Personal Data only in accordance with Customer’s documented instructions, the Agreement, and this DPA;
(b) ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;
(c) implement appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex II;
(d) assist Customer with Data Subject requests as described in this DPA;
(e) assist Customer with security, breach notification, data protection impact assessments, and regulatory consultations as described in this DPA;
(f) delete or return Customer Personal Data as described in this DPA; and
(g) make available information reasonably necessary to demonstrate compliance with this DPA.
ModelRoom will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Customer Personal Data will only be made available to personnel who need access for purposes of providing, securing, supporting, or improving the Services, or otherwise performing ModelRoom’s obligations under the Agreement and this DPA.
Customer grants ModelRoom general written authorization to engage Sub-processors to process Customer Personal Data in connection with the Services.
ModelRoom will require each Sub-processor to protect Customer Personal Data under written obligations that are appropriate to the nature of the Sub-processor’s services and no less protective, in substance, than the applicable data protection obligations in this DPA.
ModelRoom remains responsible for its Sub-processors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.
ModelRoom will make information about Sub-processors available on request or through another reasonable mechanism. ModelRoom may add or replace Sub-processors from time to time. Where required by Applicable Data Protection Laws, ModelRoom will provide notice of such changes and a reasonable opportunity to object on reasonable data protection grounds.
If Customer objects to a new Sub-processor, ModelRoom may, where reasonably practicable, make available a commercially reasonable workaround. If no workaround is reasonably available, Customer may stop using the affected part of the Services or terminate the affected order or subscription to the extent required by Applicable Data Protection Laws.
If ModelRoom receives a request from a Data Subject relating to Customer Personal Data, ModelRoom may refer the Data Subject to Customer or notify Customer of the request, unless prohibited by applicable law.
Taking into account the nature of the processing and the information available to ModelRoom, ModelRoom will provide reasonable assistance to Customer in responding to Data Subject requests under Applicable Data Protection Laws.
Customer is responsible for responding to Data Subject requests where Customer is the controller of the relevant Customer Personal Data.
ModelRoom will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notification will include information reasonably available to ModelRoom to assist Customer in meeting its breach notification obligations, which may include:
(a) the nature of the breach;
(b) categories and approximate number of affected Data Subjects, where known;
(c) categories and approximate number of affected personal data records, where known;
(d) likely consequences of the breach, where known;
(e) measures taken or proposed to address the breach; and
(f) contact information for follow-up.
ModelRoom’s notification of a personal data breach is not an admission of fault or liability.
Customer is responsible for determining whether notice to supervisory authorities, Data Subjects, or other third parties is required, unless Applicable Data Protection Laws impose such obligations directly on ModelRoom.
Taking into account the nature of the processing and the information available to ModelRoom, ModelRoom will reasonably assist Customer with Customer’s obligations under Applicable Data Protection Laws relating to:
(a) security of processing;
(b) personal data breach notifications;
(c) data protection impact assessments; and
(d) consultations with supervisory authorities.
ModelRoom may charge reasonable fees for assistance that is not included in the standard Services, unless prohibited by Applicable Data Protection Laws or otherwise agreed in writing.
Upon termination or expiry of the Agreement, or upon Customer’s written request, ModelRoom will delete or return Customer Personal Data in accordance with the Agreement, the Services’ functionality, and Applicable Data Protection Laws.
ModelRoom may retain Customer Personal Data to the extent required by applicable law, or as reasonably necessary for backups, security, fraud prevention, dispute resolution, legal compliance, or enforcement of the Agreement, provided that retained Customer Personal Data remains protected under this DPA and is not processed for other purposes.
Customer Personal Data stored in backups may be deleted in accordance with ModelRoom’s standard backup deletion cycles, provided that backup data is protected from active processing except where restoration is necessary.
ModelRoom will make available information reasonably necessary to demonstrate compliance with this DPA. ModelRoom may satisfy requests for information by providing written responses, security summaries, descriptions of relevant technical and organizational measures, Sub-processor information, or other reasonable materials.
To the extent required by Applicable Data Protection Laws, Customer may request an audit on reasonable prior written notice. Any audit must be conducted:
(a) during normal business hours;
(b) in a manner that does not unreasonably disrupt ModelRoom’s business or compromise the security, confidentiality, or availability of the Services;
(c) no more than once in any twelve-month period, unless required by a supervisory authority or following a confirmed personal data breach affecting Customer Personal Data;
(d) subject to appropriate confidentiality obligations; and
(e) at Customer’s cost, unless prohibited by Applicable Data Protection Laws.
ModelRoom may object to an auditor who is a competitor, lacks appropriate qualifications, or presents confidentiality, security, or conflict-of-interest concerns.
Customer authorizes ModelRoom and its Sub-processors to transfer Customer Personal Data outside the EEA, the United Kingdom, or Switzerland as necessary to provide the Services.
Where a Restricted Transfer occurs, the parties will ensure that an appropriate transfer mechanism is in place, such as an adequacy decision, the SCCs, the UK International Data Transfer Addendum, Swiss adaptations to the SCCs, or another lawful transfer mechanism.
Where the SCCs apply:
(a) Module Two applies where Customer is a controller and ModelRoom is a processor;
(b) Module Three applies where Customer is a processor and ModelRoom is a sub-processor;
(c) the optional docking clause applies;
(d) Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes will be the notice period described in Section 7 or, if no specific period is stated, a reasonable period;
(e) Clause 11 optional language does not apply;
(f) for Module Two, Clause 17 will be governed by the law of Cyprus, and Clause 18 courts will be the courts of Cyprus, unless the SCCs or Applicable Data Protection Laws require otherwise;
(g) for Module Three, Clause 17 will be governed by the law of Cyprus, and Clause 18 courts will be the courts of Cyprus, unless the agreement between Customer and the relevant controller, the SCCs, or Applicable Data Protection Laws require otherwise; and
(h) Annexes I, II, and III of this DPA will apply as the annexes to the SCCs.
For transfers subject to the UK GDPR, the SCCs will be supplemented by the UK International Data Transfer Addendum or other applicable UK-approved transfer mechanism, as applicable.
For transfers subject to the Swiss FADP, references in the SCCs to the GDPR will be interpreted to include the Swiss FADP where applicable, and references to EU Member States will be interpreted to include Switzerland where required.
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.
If there is a conflict between this DPA and the Agreement, this DPA will control to the extent of the conflict with respect to the processing of Customer Personal Data.
If the SCCs apply and conflict with this DPA or the Agreement, the SCCs will control to the extent of the conflict.
This DPA remains in effect for as long as ModelRoom processes Customer Personal Data on behalf of Customer.
Data Exporter: Customer, as identified in the Agreement.
Role: Controller, or processor acting on behalf of another controller.
Contact: As set out in the Agreement or Customer’s account.
Data Importer: HorseImpact Ltd, trading as ModelRoom.
Role: Processor, or sub-processor where Customer acts as processor.
Contact: [email protected]
Address: Griva Digeni 51, Athineon Court, Office 202, 8047 Paphos, Cyprus.
Processing of Customer Personal Data in connection with ModelRoom’s provision of the Services under the Agreement.
Customer may submit Customer Personal Data relating to:
(a) Customer’s personnel, representatives, contractors, agents, and users;
(b) Customer’s clients, prospects, customers, vendors, partners, or other business contacts;
(c) individuals depicted, referenced, or included in Content submitted to or processed through the Services;
(d) individuals participating in prompts, files, images, chat interactions, generated outputs, or other materials processed through the Services; and
(e) any other individuals whose personal data Customer submits to the Services.
Customer may submit Customer Personal Data contained in:
(a) Content, prompts, instructions, descriptions, chat messages, files, images, media, and other materials submitted to the Services;
(b) generated or edited outputs;
(c) metadata associated with Content or use of the Services, such as timestamps, settings, and parameters;
(d) names, email addresses, usernames, account identifiers, job titles, company information, and business contact details;
(e) images, likenesses, or other personal attributes included in Content; and
(f) any other personal data submitted to or processed through the Services by or on behalf of Customer.
The Services are not intended for processing special categories of personal data, children’s data, government identifiers, financial account data, biometric data used for identification, health data, or other sensitive personal data unless expressly permitted by the Agreement or otherwise agreed in writing with ModelRoom.
Customer must not submit such data to the Services unless the submission is expressly permitted as described above and Customer has a lawful basis and all required rights, consents, notices, and safeguards.
The processing may include collection, receipt, hosting, storage, organization, structuring, retrieval, consultation, use, transmission, disclosure, alignment, combination, modification, generation, editing, restriction, deletion, and destruction of Customer Personal Data.
The purpose of processing is to provide, operate, maintain, secure, support, and improve the Services, including AI generation, editing, agent chat, account functionality, customer support, abuse prevention, security, troubleshooting, and related service operations.
Customer Personal Data will be processed for the duration of the Agreement and as otherwise described in this DPA, the Agreement, or applicable written instructions, subject to legal retention requirements and standard backup deletion cycles.
Continuous for the duration of the Agreement, depending on Customer’s use of the Services.
ModelRoom will maintain technical and organizational measures designed to protect Customer Personal Data. These measures may include, as applicable and appropriate to the nature of the Services:
(a) restricting access to systems and Customer Personal Data to authorized personnel with a business need;
(b) use of authentication measures for administrative access;
(c) role-based or need-to-know access where supported by internal systems; and
(d) periodic review of access where reasonably practicable.
(a) confidentiality obligations for personnel who may access Customer Personal Data;
(b) limiting access to Customer Personal Data to personnel and service providers who need access to provide, secure, support, or improve the Services.
(a) use of encryption in transit where supported by relevant systems and providers;
(b) use of encryption at rest where supported by hosting, storage, and infrastructure providers;
(c) use of secure communication protocols where appropriate.
(a) use of reputable cloud, hosting, infrastructure, and AI service providers;
(b) reliance on provider security controls for physical security, data center security, network security, and infrastructure availability;
(c) reasonable configuration of infrastructure and access settings.
(a) backups or redundancy where appropriate for the Services;
(b) restoration procedures where supported by infrastructure providers;
(c) reasonable measures designed to maintain availability and resilience of the Services.
(a) collection and review of logs where appropriate for security, troubleshooting, fraud prevention, and abuse prevention;
(b) monitoring for suspicious activity where supported by the Services and providers.
(a) reasonable efforts to identify, assess, and remediate security issues;
(b) procedures for reviewing and responding to suspected security incidents;
(c) notification to Customer of personal data breaches as required by this DPA.
(a) processing Customer Personal Data only as necessary for the Services and documented instructions;
(b) deletion or de-identification of Customer Personal Data in accordance with the Agreement, this DPA, and applicable retention periods;
(c) backup deletion according to standard backup cycles.
(a) contractual obligations with Sub-processors that process Customer Personal Data;
(b) requiring Sub-processors to implement appropriate security measures;
(c) use of Sub-processors only as needed to provide, secure, support, or improve the Services.
(a) internal responsibility for privacy and security matters;
(b) internal guidance or procedures for handling Customer Personal Data;
(c) reasonable efforts to ensure personnel understand confidentiality and data protection obligations relevant to their roles.
Customer provides general written authorization for ModelRoom to engage Sub-processors as described in this DPA.
ModelRoom may engage Sub-processors to provide hosting, cloud infrastructure, storage, AI infrastructure, analytics, customer support, communications, payment processing, security, monitoring, and other service-related functions.
ModelRoom will make information about Sub-processors available to Customer on request or through another reasonable mechanism. Where required by Applicable Data Protection Laws, ModelRoom will provide notice of intended changes concerning the addition or replacement of Sub-processors as described in Section 7.
Where required by Applicable Data Protection Laws, Customer may object to a new Sub-processor on reasonable data protection grounds as described in this DPA.