This Data Processing Agreement (“DPA”) forms part of the agreement between Morphed (“Processor”) and the customer (“Controller” or “you”) governing your use of our Services. This DPA applies to the extent that Morphed processes Personal Data on your behalf in the course of providing its Services.
By using the Services after this DPA has been published, you agree to its terms. If you require a separately executed copy of this DPA, please contact legal@morphed.ai.
1. Definitions
- “Applicable Data Protection Law” means all laws relating to the processing of Personal Data, including the GDPR (EU 2016/679), UK GDPR, and any national implementing legislation.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Morphed on behalf of the Controller.
- “Sub-processor” means any third party engaged by Morphed to process Personal Data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope, Roles & Processing Details
2.1. Roles: You are the Controller and Morphed is the Processor with respect to Personal Data processed in connection with the Services.
2.2. Scope: This DPA applies to the processing of Personal Data by Morphed on your behalf as described in Annex A below.
2.3. Duration: This DPA remains in effect for the duration of your use of the Services and automatically terminates upon termination of your account.
3. Processor Obligations
Morphed shall:
- Process Personal Data only on documented instructions from you, unless required by law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure security of processing, as described in our Security Policy
- Assist you in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection)
- Notify you without undue delay (and within 72 hours) after becoming aware of a Personal Data breach
- Delete or return all Personal Data upon termination of the Services, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
4. Controller Obligations
You shall:
- Comply with your obligations as Controller under Applicable Data Protection Law
- Ensure that your instructions to Morphed comply with Applicable Data Protection Law
- Be responsible for the accuracy, quality, and lawful provision of Personal Data submitted to the Services
- Provide any required notices and obtain any required consents from Data Subjects before submitting their Personal Data
5. Sub-Processors
5.1. You authorize Morphed to engage sub-processors to process Personal Data on your behalf. The current list of sub-processors is available at morphed.app/legal/sub-processors.
5.2. Morphed will notify you of any intended changes to sub-processors by updating the sub-processors page. You may object to a new sub-processor by contacting us within 14 days of notification.
5.3. Morphed imposes contractual obligations on each sub-processor that are no less protective than this DPA.
6. International Data Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Morphed ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
7. Data Retention & Deletion
Upon termination of the Services, Morphed will delete Personal Data within 30 days, unless retention is required by law. Details of retention periods for different data categories are available in our Data Retention Policy.
Annex A: Processing Details
| Subject Matter | Provision of AI-powered image and video generation, headshot generation, product photography, and related creative services |
| Nature of Processing | Collection, storage, use, and deletion of Personal Data necessary to provide the Services |
| Purpose | To provide, maintain, secure, and improve the Services |
| Categories of Data Subjects | Customer users and individuals whose images are uploaded to the Services |
| Types of Personal Data | Email address, name, profile information, uploaded images (including facial images), usage data, payment metadata |
| Retention Period | As set out in our Data Retention Policy |
Annex B: Security Measures
Morphed's technical and organizational security measures are described in our Security Policy. Key measures include:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control with least-privilege
- Two-factor authentication for infrastructure access
- Continuous monitoring and incident response
- Regular security assessments and code reviews
- Automated vulnerability scanning
Contact
For questions about this DPA or to request a signed copy:
- Email: legal@morphed.ai
- DPO: dpo@morphed.ai