
Data Processing Addendum

Last updated: July 4, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Tiny Robots, LLC (“we,” “us,” or “our”) and you (the “Customer”) for the use of imgDeliver (the “Service”). It applies automatically, without further action, whenever your use of the Service involves our processing of personal data on your behalf that is subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, or similar data protection laws (together, “Data Protection Laws”).

1. Definitions

“Personal data,” “controller,” “processor,” “data subject,” “processing,” and “personal data breach” have the meanings given to them in the GDPR. “Customer Data” means personal data that you or your end users submit to the Service and that we process on your behalf. Customer Data does not include the account information we process as a controller (such as your name, email address, and billing and usage data), which is governed by our Privacy Policy.

2. Roles and Scope of Processing

For Customer Data, you are the controller (or a processor acting on behalf of another controller) and we are your processor. The processing is described as follows:

  • Subject matter and duration — the provision of the Service for the term of our agreement, plus the deletion period described in Section 8.
  • Nature and purpose — hosting, storage, transmission, analysis, and display of Customer Data as needed to provide the features of the Service you use.
  • Categories of data subjects — your end users, customers, employees, and other individuals whose personal data you submit to the Service.
  • Categories of personal data — the personal data you choose to submit, such as contact details, identifiers, and usage or behavioral data. You must not submit special categories of personal data without our prior written agreement.

You are responsible for the lawfulness of the Customer Data you submit, including having a lawful basis, providing required notices, and obtaining required consents.

3. Our Obligations as Processor

We will:

  • Process Customer Data only on your documented instructions — which are these Terms, this DPA, and your configuration and use of the Service — unless required to process otherwise by law, in which case we will inform you unless the law prohibits it
  • Inform you if, in our opinion, an instruction infringes Data Protection Laws
  • Ensure that everyone we authorize to process Customer Data is bound by confidentiality obligations
  • Never sell Customer Data or use it for our own marketing or advertising

4. Security

We implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the data and the risks of the processing. These measures include:

  • Encryption of data in transit
  • Access controls, with access to Customer Data limited to personnel who need it
  • Logical separation of customer environments
  • Monitoring, logging, and error tracking of production systems
  • Regular review and updates of our security practices and dependencies

5. Sub-processors

You give us general authorization to engage sub-processors to help provide the Service. We impose data protection obligations on sub-processors that are no less protective than this DPA, and we remain responsible for their performance. Our current sub-processors are:

Sub-processor | Purpose | Location
Amazon Web Services | Cloud hosting, data storage, and email delivery | United States
Stripe | Payment processing and billing | United States
AppSignal | Error monitoring and application performance | European Union
Cloudflare | Bot protection and security | United States

We will notify you (by email or a notice in the Service) at least 14 days before adding or replacing a sub-processor. If you reasonably object on data protection grounds and we cannot offer an alternative, you may terminate the affected services and receive a pro-rata refund of prepaid, unused fees.

6. Assistance

Taking into account the nature of the processing, we will assist you, at your reasonable request and expense, in fulfilling your obligations under Data Protection Laws — including responding to data subject requests (access, rectification, erasure, portability, restriction, and objection), and carrying out data protection impact assessments and prior consultations. If a data subject contacts us directly about Customer Data, we will refer them to you.

7. Personal Data Breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide the information reasonably available to us about its nature, likely consequences, and the measures taken or proposed to address it, updating you as more information becomes available.

8. Deletion and Return

During the term you can export Customer Data using the features of the Service. Upon termination of our agreement, we will make Customer Data available for export for at least 30 days (unless termination was for your breach), after which we will delete it within a reasonable period, except where retention is required by law. Residual copies in backups are deleted in the ordinary course of our backup rotation.

9. Audits

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including summaries of our security measures and any third-party certifications or reports we hold. Where Data Protection Laws grant you a mandatory audit right that cannot be satisfied this way, you may conduct an audit at your expense, no more than once per year, on at least 30 days’ notice, during business hours, under confidentiality obligations, and without unreasonable disruption to our operations.

10. International Transfers

Customer Data is processed primarily in the United States. Where our processing involves a transfer of personal data from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (controller-to-processor module, and the UK Addendum where applicable) are incorporated into this DPA by reference, with you as data exporter and us as data importer.

11. Liability and Precedence

Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service. If this DPA conflicts with the Terms, this DPA prevails with respect to the processing of Customer Data; if it conflicts with the Standard Contractual Clauses, the Clauses prevail.

12. Changes and Contact

We may update this DPA to reflect changes in the Service or in Data Protection Laws; the date at the top of this page shows when it was last revised, and material changes will be notified as described in the Terms. Questions about this DPA can be sent to hello@imgdeliver.io.
