Snapblox
Docs Legal

Data Processing Agreement (DPA)

Template · v1.0 · July 12, 2026

For Enterprise customers only. This DPA is included with Enterprise contracts by default. Growth customers may request it for an additional fee. Contact odwnow@gmail.com to execute.

1. Scope & Parties

This Data Processing Agreement ("DPA") supplements the Snapblox Terms of Service and governs the processing of personal data by ODW Digital Media Solution ("Processor") on behalf of Customer ("Controller") in connection with the Snapblox platform ("Service").

2. Definitions

  • Personal Data — as defined in Thailand PDPA §6 and GDPR Art. 4(1)
  • Data Subject — the natural person to whom Personal Data relates (i.e., booth guests)
  • Processing — as defined in GDPR Art. 4(2)
  • Sub-processor — any third party engaged by Processor to process Personal Data on behalf of Controller

3. Subject-matter & purpose

Processor processes Personal Data solely to provide the Service to Controller as described in the Terms of Service. Categories of Personal Data:

  • Photographs captured by Controller's guests via the Snapblox booth
  • Session timestamps + IP address (for abuse prevention)
  • Consent records

4. Duration

This DPA remains in effect for the duration of Controller's subscription to the Service. Upon termination, Processor will delete Personal Data within 30 days unless legally required to retain.

5. Obligations of Processor

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical + organizational security measures (see §7)
  • Not engage a sub-processor without prior written consent (list in §9)
  • Assist Controller in responding to Data Subject requests
  • Notify Controller of any Personal Data breach within 72 hours
  • Return or delete all Personal Data upon termination
  • Make available all information necessary to demonstrate compliance

6. Obligations of Controller

Controller shall:

  • Ensure it has lawful basis to collect Personal Data from guests (consent captured by booth UI)
  • Provide guests with required privacy notices
  • Respond to Data Subject requests within regulatory timeframes
  • Not upload Personal Data unnecessary for the Service (data minimization)

7. Security measures

Processor implements the following measures:

  • Encryption at rest (AES-256) via Supabase
  • Encryption in transit (TLS 1.3+)
  • Access control via magic link authentication + Row Level Security
  • Regular vulnerability scanning of dependencies
  • Access logs retained 2 years
  • Personnel background checks + confidentiality agreements
  • Disaster recovery: Supabase daily backups (7d free tier, 30d Pro)

8. International transfers

Personal Data may be transferred to and stored in Supabase data centers located in the United States and European Union. Such transfers rely on:

  • Standard Contractual Clauses (EU 2021/914) between Processor and Supabase
  • Additional safeguards (encryption, access controls)
  • Data Subject rights preserved via Processor's PDPA/GDPR-aligned contracts

9. Sub-processors

Controller consents to the following sub-processors as of the DPA effective date:

Sub-processor Location Purpose
Supabase Inc.USA, IrelandDatabase + storage
Netlify Inc.USAHosting + CDN + serverless functions
Stripe Inc.USA, IrelandPayment processing (paid tiers only)

Processor will notify Controller 30 days in advance of any new sub-processor. Controller may object; if unresolved, Controller may terminate the DPA + Service.

10. Data Subject requests

If Processor receives a request from a Data Subject regarding Personal Data processed under this DPA, Processor will:

  • Not respond directly (unless required by law)
  • Forward the request to Controller within 5 business days
  • Provide reasonable assistance to Controller in fulfilling the request

11. Audits

Controller may audit Processor's compliance with this DPA once per year with 30 days' notice. Alternatively, Processor may provide third-party audit reports (e.g., Supabase SOC 2) in lieu of on-site audits.

12. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

13. Governing law

Thailand law. Bangkok courts. See Terms of Service §9.

14. Execution

This DPA takes effect upon signature by both parties, or upon Controller's acceptance of the Terms of Service if this DPA is incorporated by reference.

Contact for DPA execution: odwnow@gmail.com

© 2026 Snapblox · Terms · Privacy · Cookies · DPA