Data Processing Addendum

Foundation for Artist Catalogues Inc.

Last Updated: February 1, 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the Master Service Agreement and Artifact Services Agreement (collectively, the "Agreement") between Foundation for Artist Catalogues Inc. ("Provider," "we," "us," or "our") and the customer identified in the Agreement ("Customer," "you," or "your").

 

This DPA applies when Customer Data processed through our Services includes Personal Data (as defined below) of individuals located in the European Union or when Customer is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

 

For EU customers, this DPA is incorporated by reference into the EU Customer Addendum executed as part of the Agreement.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

 

"Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.

 

"Controller" means the entity that determines the purposes and means of Processing Personal Data, as defined in Article 4(7) of the GDPR.

 

"Processor" means the entity that processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR.

 

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

 

"Sub-processor" means any Processor engaged by Provider to process Personal Data.

 

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Scope and Applicability

2.1 Customer Data and Personal Data

Provider's Services enable customers to create and manage digital catalogue raisonné databases. Customer Data primarily consists of scholarly content documenting artworks and related research.

 

To the extent Customer Data includes information about identifiable living individuals (such as artists, collectors, contributors, curators, or other persons associated with catalogued works), such information constitutes Personal Data subject to this DPA.

2.2 Roles of the Parties

Customer is the Controller of Personal Data included in Customer Data. Customer determines what Personal Data is uploaded to the Services and how it is used.

 

Provider is the Processor of Personal Data. Provider processes Personal Data solely on behalf of and according to Customer's instructions to provide the Services.

3. Data Processing Terms

3.1 Purpose and Instructions

Provider shall process Personal Data only:

 

(a) To provide the Services as described in the Artifact Services Agreement;

 

(b) As instructed by Customer through use of the Services and any applicable settings, features, or functionalities; and

 

(c) As otherwise instructed by Customer in writing, provided such instructions are consistent with the Agreement.

 

Provider will not process Personal Data for any other purpose unless required by EU or Member State law, in which case Provider will inform Customer of that legal requirement before processing (unless prohibited by law).

3.2 Customer Warranties

Customer warrants that:

 

(a) It has all necessary rights and has obtained all necessary consents to provide Personal Data to Provider for processing as contemplated by the Agreement;

 

(b) Its instructions for processing Personal Data comply with applicable data protection laws, including the GDPR;

 

(c) It has a lawful basis under Article 6 of the GDPR for processing the Personal Data;

 

(d) Where applicable, it has obtained valid consent from Data Subjects or has another legal basis for Provider's processing activities.

3.3 Compliance with Data Protection Laws

Provider shall:

 

(a) Process Personal Data only in accordance with Customer's documented instructions;

 

(b) Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations;

 

(c) Implement and maintain appropriate technical and organizational security measures as described in Section 5;

 

(d) Assist Customer in responding to Data Subject requests as described in Section 4;

 

(e) Notify Customer without undue delay after becoming aware of a Personal Data breach;

 

(f) Assist Customer in ensuring compliance with GDPR obligations regarding security, breach notification, data protection impact assessments, and consultation with supervisory authorities;

 

(g) At Customer's choice, delete or return all Personal Data to Customer after termination of Services (as specified in the Agreement); and

 

(h) Make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 6.

4. Data Subject Rights

4.1 Assistance with Data Subject Requests

Provider will, to the extent legally permitted and taking into account the nature of processing, reasonably assist Customer in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under the GDPR, including:

 

  • Right of access (Article 15)

  • Right to rectification (Article 16)

  • Right to erasure (Article 17)

  • Right to restriction of processing (Article 18)

  • Right to data portability (Article 20)

  • Right to object (Article 21)

4.2 Direct Requests from Data Subjects

If Provider receives a request directly from a Data Subject regarding their Personal Data, Provider will:

 

(a) Promptly redirect the Data Subject to Customer; and

 

(b) Not respond to the request without Customer's prior written authorization, except as required by applicable law.

4.3 Fees for Assistance

Provider's assistance with Data Subject requests that require substantial manual effort or custom development beyond standard platform functionality may be subject to Provider's then-current professional services rates.

5. Security Measures

5.1 Technical and Organizational Measures

Provider implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.

 

These measures include:

 

Access Controls:

 

  • Multi-factor authentication for Provider personnel

  • Role-based access controls limiting access to Personal Data

  • Unique user credentials and regular access reviews

  • Encryption of data in transit (TLS 1.2 or higher)

  • Encryption of data at rest (AES-256 or equivalent)

 

Infrastructure Security:

 

  • Hosting on Amazon Web Services (AWS) infrastructure with SOC 2 certification

  • Data center physical security (24/7 monitoring, biometric access controls)

  • Segregation of Customer Data in multi-tenant environment

  • Regular security assessments and penetration testing

 

Data Integrity and Availability:

 

  • Daily automated backups stored in geographically separate locations

  • 99.5% uptime commitment with redundant infrastructure

  • Disaster recovery and business continuity procedures

  • Regular backup restoration testing

 

Monitoring and Incident Response:

 

  • Continuous security monitoring and logging

  • Intrusion detection and prevention systems

  • Defined security incident response procedures

  • Prompt notification of Personal Data breaches

 

Personnel Security:

 

  • Background checks for personnel with access to Personal Data

  • Confidentiality agreements with all personnel

  • Regular security and data protection training

  • Strict need-to-know access policies

 

5.2 Updates to Security Measures

Provider may update these security measures from time to time, provided that such updates do not result in degradation of the overall security of the Services.

6. Sub-Processors

 

6.1 Authorized Sub-Processors

Customer provides general authorization for Provider to engage Sub-processors to process Personal Data, provided that Provider:

(a) Maintains a current list of Sub-processors at https://artistcatalogues.org/legal/subprocessors;

 

(b) Provides Customer with at least thirty (30) days advance notice of any new or replacement Sub-processor;

 

(c) Imposes data protection obligations on Sub-processors that are substantially equivalent to those in this DPA; and

 

(d) Remains fully liable to Customer for the performance of any Sub-processor.

 

6.2 Current Sub-Processors

As of the date of this DPA, Provider uses the Sub-processors set out in the Sub-Processor list at the end of this document. A current list is maintained at https://artistcatalogues.org/legal/subprocessors.

 

6.3 Objection to New Sub-Processors

Customer may object to Provider's appointment of a new Sub-processor on reasonable data protection grounds by notifying Provider in writing within thirty (30) days of notice.

 

If Customer objects, the parties will work together in good faith to find a commercially reasonable solution. If no solution can be found, Customer may terminate the affected Service Agreement as provided in the Agreement.

7. International Data Transfers

7.1 Data Transfer Mechanisms

When Provider processes Personal Data transferred from the European Union to countries outside the EU that have not been subject to an adequacy decision by the European Commission (including the United States), the parties agree to rely on the following transfer mechanisms:

 

(a) Standard Contractual Clauses as approved by Commission Implementing Decision (EU) 2021/914; and

 

(b) Additional technical, organizational, and contractual measures to ensure adequate protection.

7.2 Standard Contractual Clauses

The Standard Contractual Clauses are incorporated into this DPA by reference. The following information applies to the SCCs:

 

Module Two (Controller to Processor) applies, where:

 

  • Customer is the "data exporter" (Controller)

  • Provider is the "data importer" (Processor)

  • The details in Schedule 1 below apply

7.3 Additional Safeguards

Provider implements additional safeguards for international transfers, including:

 

  • Encryption of Personal Data in transit and at rest

  • Pseudonymization where technically feasible

  • Strict access controls and authentication

  • Regular security assessments

  • Contractual commitments with Sub-processors

8. Data Retention and Deletion

8.1 Retention Period

Provider will retain Personal Data only for as long as necessary to provide the Services under the Agreement.

8.2 Deletion Upon Termination

Upon termination or expiration of the Agreement, Provider will, at Customer's written election:

 

(a) Delete all Personal Data within thirty (30) days; or

 

(b) Return Personal Data to Customer in a standard format (JSON, CSV, or database export) and then delete all remaining copies.

 

If Customer does not provide written instructions within thirty (30) days of termination, Provider will proceed with deletion.

8.3 Retention for Legal Compliance

Provider may retain Personal Data to the extent required by EU or Member State law, in which case Provider will inform Customer and continue to protect such Personal Data in accordance with this DPA.

9. Personal Data Breach Notification

9.1 Notification Obligation

Provider will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, and in any event within seventy-two (72) hours of becoming aware of the breach.

9.2 Breach Notification Content

The notification will include, to the extent available:

 

(a) Description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected;

 

(b) Name and contact details of Provider's data protection contact point;

 

(c) Description of the likely consequences of the breach;

 

(d) Description of measures taken or proposed to address the breach and mitigate its effects.

9.3 Cooperation

Provider will cooperate with Customer and take commercially reasonable steps to investigate, mitigate, and remediate the breach.

10. Audits and Compliance

10.1 Information and Documentation

Provider will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including:

 

  • Current security certifications (SOC 2, ISO 27001, or equivalent)

  • Security policies and procedures documentation

  • Compliance questionnaires completed by Provider

  • Sub-processor lists and agreements

10.2 Audit Rights

Customer may, upon reasonable advance notice and no more than once per year (unless required by a supervisory authority or in response to a Personal Data breach):

 

(a) Conduct an audit or inspection of Provider's data processing activities; or

 

(b) Engage a qualified third-party auditor to conduct such audit on Customer's behalf.

10.3 Audit Process

Any audit must:

 

  • Be conducted during Provider's normal business hours

  • Minimize disruption to Provider's operations

  • Be subject to a reasonable confidentiality agreement

  • Be at Customer's expense

 

Provider may charge a reasonable fee for audit assistance exceeding eight (8) hours per year.

10.4 Remediation

If an audit reveals non-compliance with this DPA, Provider will use commercially reasonable efforts to remedy such non-compliance within a reasonable timeframe.

11. Liability and Indemnification

11.1 Liability Limitations

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Master Service Agreement, except to the extent such limitations or exclusions are prohibited by applicable data protection laws.

11.2 Data Protection Indemnity

Provider will indemnify Customer against losses, damages, costs, or expenses (including reasonable legal fees) arising from Provider's breach of this DPA or applicable data protection laws, except to the extent such breach results from:

 

(a) Customer's instructions or specifications;

 

(b) Customer's breach of its obligations under this DPA or data protection laws;

 

(c) Acts or omissions of Customer or Customer's authorized users.

 

This indemnity is subject to the liability limitations in the Master Service Agreement, except where prohibited by law.

12. Term and Termination

12.1 Duration

This DPA takes effect on the date Customer first uploads Personal Data to the Services and continues until the termination or expiration of the Agreement.

12.2 Survival

The following provisions survive termination of this DPA: Sections 8 (Data Retention and Deletion), 10 (Audits), 11 (Liability and Indemnification), and any other provisions that by their nature should survive.

13. Updates and Amendments

13.1 Updates to DPA

Provider may update this DPA from time to time to reflect:

 

(a) Changes in data protection laws or regulatory guidance;

 

(b) Updates to Provider's data processing practices;

 

(c) Changes required by supervisory authorities; or

 

(d) Standard industry practice improvements.

13.2 Notice of Material Changes

Provider will provide Customer with at least ninety (90) days advance notice of any material changes to this DPA by:

 

(a) Email to the address in the Agreement; and

 

(b) Posting the updated DPA at this URL with the revision date.

13.3 Acceptance of Changes

Customer's continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA.

 

If Customer does not accept material changes, Customer may terminate the Agreement as provided in the termination provisions of the Agreement.

14. Contact Information

For questions about this DPA or to exercise rights related to Personal Data processing, contact:

 

Foundation for Artist Catalogues Inc.
Data Protection Contact
Email: privacy@artistcatalogues.org
Address: 242 Main Street, Beacon, New York, 12508, United States

SCHEDULE 1: Details of Processing

A. List of Parties

Data Exporter (Customer):

 

  • Name: As specified in the Agreement

  • Address: As specified in the Agreement

  • Contact: As specified in the Agreement

  • Role: Controller

 

Data Importer (Provider):

 

  • Name: Foundation for Artist Catalogues Inc.

  • Address: 242 Main Street, Beacon, New York, 12508, United States

  • Contact: privacy@artistcatalogues.org

  • Role: Processor

B. Description of Transfer

Categories of Data Subjects: Personal Data processed through the Services may relate to the following categories of Data Subjects:

 

  • Artists and creators featured in catalogue raisonné

  • Collectors and owners of catalogued works

  • Contributors to catalogue raisonné (scholars, researchers, cataloguers)

  • Exhibition curators and organizers

  • Authors and publishers of referenced literature

  • Gallery owners and dealers

  • Website visitors and users (if analytics enabled)

  • Customer's employees and authorized users

 

Categories of Personal Data: The Personal Data transferred may include:

 

  • Names and pseudonyms

  • Contact information (addresses, telephone numbers, email addresses)

  • Professional information (titles, affiliations, credentials)

  • Biographical information

  • Dates (birth, death, activity periods)

  • Nationality and residence information

  • Photographs and images

  • User account credentials and authentication data

  • IP addresses and usage data

  • Any other Personal Data uploaded by Customer to the Services

 

Sensitive Data: The Services are not intended for processing sensitive Personal Data (special categories of personal data under Article 9 GDPR). Customer must not upload sensitive Personal Data unless Customer has obtained explicit consent or has another lawful basis under Article 9 GDPR.

 

Frequency of Transfer: Personal Data is transferred on a continuous basis for the duration of the Agreement.

 

Nature of Processing: Provider processes Personal Data to provide the Services, including:

 

  • Hosting and storage of catalogue data

  • Providing access to authorized users via web interface

  • Publishing catalogue data to public or restricted websites (if selected)

  • Backup and disaster recovery

  • Technical support and troubleshooting

  • Platform updates and improvements

 

Purpose of Processing: To provide cloud-based catalogue raisonné creation, management, and hosting services as described in the Artifact Services Agreement.

 

Retention Period: Personal Data is retained for the duration of the Agreement and for thirty (30) days thereafter, unless:

 

  • Earlier deletion is requested by Customer;

  • Longer retention is required by applicable law; or

  • Data is part of archived backups, in which case it will be deleted in accordance with Provider's standard backup retention schedule (maximum 6 months).

C. Competent Supervisory Authority

The competent supervisory authority is determined in accordance with Clause 13 of the Standard Contractual Clauses.

 

For Customers located in Ireland: Irish Data Protection Commission
For Customers located in other EU Member States: The supervisory authority of Customer's location

SCHEDULE 2: Technical and Organizational Measures

Provider implements the following technical and organizational measures to ensure the security of Personal Data:

1. Measures of Pseudonymization and Encryption

  • All data transmissions use TLS 1.2 or higher encryption

  • Personal Data at rest is encrypted using AES-256 or equivalent

  • Database-level encryption for stored data

  • Secure key management procedures with regular key rotation

  • Encryption of backup data

2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability and Resilience

Confidentiality:

 

  • Role-based access controls limiting access to Personal Data

  • Multi-factor authentication for Provider personnel

  • Unique user credentials with strong password requirements

  • Access logging and regular access reviews

  • Confidentiality agreements with all personnel

  • Background checks for personnel with access to Personal Data

 

Integrity:

 

  • Input validation and sanitization

  • Audit trails capturing data modifications

  • Version control for configuration changes

  • Checksums and integrity verification for data transfers

  • Protection against SQL injection and other common attacks

 

Availability:

 

  • 99.5% uptime commitment with redundant infrastructure

  • Daily automated backups stored in geographically separate locations

  • Disaster recovery plan tested annually

  • Distributed infrastructure across multiple availability zones

  • DDoS protection and rate limiting

 

Resilience:

 

  • Automated failover capabilities

  • Load balancing across multiple servers

  • Regular backup restoration testing

  • Business continuity procedures

3. Measures for Ensuring the Ability to Restore Availability and Access

  • Daily automated backups with point-in-time recovery capability

  • Backup retention for disaster recovery (minimum 7 days, with monthly backups retained for 6 months)

  • Regular testing of backup restoration procedures

  • Documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO)

  • Geographic redundancy of backup storage

4. Processes for Regularly Testing, Assessing and Evaluating Effectiveness

  • Annual third-party security assessments and penetration testing

  • Continuous security monitoring and alerting

  • Regular vulnerability scanning and patch management

  • Internal security audits and compliance reviews

  • Incident response plan testing

  • Security metrics tracking and reporting

  • Staff security training and awareness programs

5. Measures for User Identification and Authorization

  • Unique user accounts for all personnel

  • Multi-factor authentication requirements

  • Password complexity requirements and expiration policies

  • Automated account lockout after failed login attempts

  • Session timeout after period of inactivity

  • Privileged access management for administrative functions

  • Regular review and removal of inactive accounts

6. Measures for Protection of Data During Transmission

  • TLS 1.2 or higher for all data transmissions

  • Perfect forward secrecy for TLS connections

  • Certificate pinning where applicable

  • VPN or equivalent for remote access by Provider personnel

  • Secure file transfer protocols (SFTP, HTTPS)

  • Network segmentation and firewall rules

7. Measures for Protection of Data During Storage

  • Encryption of data at rest (AES-256)

  • Database-level encryption

  • Encrypted file systems

  • Secure deletion procedures

  • Physical security of data centers (AWS facilities)

  • Access controls preventing unauthorized data copying

8. Measures for Ensuring Physical Security

Provider uses Amazon Web Services (AWS) data centers, which implement:

 

  • 24/7 security personnel and monitoring

  • Biometric access controls

  • Video surveillance

  • Environmental controls (fire suppression, climate control)

  • Power redundancy (UPS and backup generators)

  • Secure hardware disposal procedures

  • Visitor logging and escort requirements

9. Measures for Ensuring Events Logging

  • Comprehensive logging of system access and activities

  • Centralized log management and analysis

  • Logs include: user identity, timestamp, nature of access, IP address

  • Log retention for minimum 90 days

  • Protection of logs against tampering and unauthorized access

  • Regular review of security logs for anomalies

  • Automated alerting for suspicious activities

10. Measures for Ensuring System Configuration

  • Hardened system configurations following industry best practices

  • Regular security patch management

  • Change management procedures with testing before production deployment

  • Configuration baselines and compliance monitoring

  • Automated configuration management tools

  • Segregation of development, testing, and production environments

11. Measures for Ensuring Data Minimization

  • Personal Data processed only as necessary for providing Services

  • No processing beyond Customer's instructions

  • Automated deletion of Personal Data upon termination

  • Regular review of data retention policies

  • Pseudonymization where technically feasible

12. Measures for Ensuring Data Quality

  • Input validation and data quality checks

  • Error handling and logging

  • Data backup and recovery procedures

  • Regular data integrity verification

13. Measures for Ensuring Limited Data Retention

  • Retention limited to duration of Agreement plus 30 days

  • Automated deletion procedures

  • Secure deletion methods (overwriting, cryptographic erasure)

  • Exception only for legal compliance requirements

14. Measures for Ensuring Accountability

  • Designated data protection responsibilities

  • Data processing records maintained per Article 30 GDPR

  • Regular compliance assessments

  • Data protection impact assessments where required

  • Cooperation with supervisory authorities

  • Documentation of security incidents and responses

15. Measures for Allowing Data Portability

  • Standard export formats (JSON, CSV, database export)

  • Customer self-service export tools

  • API access for programmatic data retrieval (where applicable)

  • Assistance with data migration upon termination

Document Version History

Version 1.0 - February 1, 2026 - Initial publication

End of Data Processing Addendum

Sub-Processor List (referenced in Section 6.2)

Sub-Processor | Service | Location
Amazon Web Services, Inc. (AWS) | Cloud infrastructure, hosting, storage, backup, and CDN | United States (with EU and AP regional availability)
Backblaze, Inc. | Cloud backup and storage | United States
Cloudflare, Inc. | DNS, CDN, and DDoS protection | Global (distributed network)
Docker, Inc. | Container image registry and deployment | United States
Fly.io | Application hosting and deployment | United States
Heroku (Salesforce, Inc.) | Application hosting and deployment | United States
Juicy Orange LLC | Platform development and infrastructure management | United States
Mailgun Technologies, Inc. (Sinch) | Transactional and notification email delivery | United States
