Data Processing Addendum

How this DPA is entered into

This Data Processing Addendum (“DPA”) supplements and forms part of the NowRep Terms of Service available at nowrep.io/terms (the “Agreement”) between NowRep (“NowRep”) and the Customer that has accepted the Agreement (the “Customer”).

By accepting the Agreement (including by clicking “I agree,” signing an order form, or otherwise using the Service), the Customer is deemed to have entered into this DPA. No separate signature is required. Customers on Pro or Enterprise plans may request a countersigned PDF version of this DPA by emailing privacy@nowrep.io; the operative terms are the same as those set out in this document.

If this DPA and the Agreement conflict, this DPA controls only with respect to the processing of Personal Data. For all other matters, the Agreement controls.

Part 1 — Processing Details

This Part 1 describes the processing of Personal Data under the Service. Where a Customer has executed a countersigned version of this DPA, Part 1 is completed with that Customer’s specific details. For Customers accepting through the Agreement, Part 1 is completed with the standard particulars below.

Item	Description
Customer name and contact	The Customer’s account-holder name and the email address of record on the Customer’s NowRep account. For countersigned DPAs, supplied by the Customer at signing.
NowRep contact	`privacy@nowrep.io`
Customer’s role	Controller (or processor / service provider, where the Customer processes Personal Data on behalf of its own controller; see clause 2.3).
NowRep’s role	Processor (or sub-processor, where the Customer is itself a processor). NowRep is also an independent controller for the narrow Controller Purposes defined in clause 1.
Subject matter of processing	NowRep’s provision of the Service to the Customer: the talent-agency platform described in the Agreement, including roster management, bookings, packages, billing, generated artifacts, and portfolio-site syndication.
Duration of processing	The term of the Agreement, plus the post-termination Retention Period described in clause 11.
Nature of processing	Storage, retrieval, organisation, structuring, adaptation, alteration, indexing, transmission, deletion, anonymisation, and similar operations performed in providing the Service.
Purpose of processing	Provision of the Service in accordance with the Agreement and the Customer’s instructions.
Categories of data subjects	The Customer’s authorised users (agency staff); Talent represented by the Customer; the Customer’s clients and contacts (directory); recipients of shareable links and generated artifacts.
Categories of Personal Data	As described in §3 of NowRep’s Privacy Policy. Including: contact details, authentication factors, profile data (date of birth, gender, pronouns, nationality, measurements, biography), portfolio images and videos, identity documents (passport / visa / similar) where the Customer chooses to upload them, contracts and notes, booking and event records, directory contacts, invoice and payment records, generated artifacts.
Sensitive / special categories	The Service may receive Sensitive Data uploaded by the Customer at its discretion. The Customer is responsible for the lawful basis under which any Sensitive Data is uploaded (see clause 4).
Frequency of transfer	Continuous, throughout the term of the Agreement.
Sub-processors	As listed at nowrep.io/subprocessors and updated in accordance with clause 6.
Competent supervisory authority (EU/EEA Customers)	The supervisory authority of the EU/EEA Member State in which the Customer is established, or where the Customer has appointed an Article 27 representative, the supervisory authority of that representative’s Member State. For Customers established outside the EU/EEA, the supervisory authority of the Member State where data subjects whose Personal Data is transferred under this DPA in connection with the Customer’s use of the Service are predominantly located.

Part 2 — Data Processing Terms

1. Definitions

Capitalised terms not defined here have the meaning set out in the Agreement.

“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, the CCPA, and other state, federal, and national privacy laws in force from time to time.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act.
“Controller Purposes” means NowRep’s processing of Service Usage Data, on its own behalf as a controller, for the limited purposes of: (a) operating, securing, monitoring, and improving the Service; (b) billing, fraud prevention, and abuse detection; (c) compiling aggregated and de-identified statistics about Service use; and (d) administering the contractual relationship with the Customer.
“Covered Data” means Personal Data that the Customer or its authorised users upload, transmit, store, generate, or otherwise process through the Service, and any Personal Data that NowRep processes on the Customer’s behalf in providing the Service. Service Usage Data processed for the Controller Purposes is not Covered Data.
“Customer’s Controller” means, where the Customer is itself a processor (clause 2.3), the controller on whose behalf the Customer processes Covered Data.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
“GDPR” means Regulation (EU) 2016/679, including, where applicable, the “UK GDPR” as defined in section 3 of the UK Data Protection Act 2018.
“Personal Data” means any information that identifies or could reasonably identify a natural person, or that otherwise falls within the definition of “personal data,” “personal information,” or similar term under Applicable Data Protection Laws.
“Processing” has the meaning given in the GDPR, and includes any operation or set of operations performed on Personal Data, whether or not by automated means. “Process” and “Processed” are interpreted accordingly.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Covered Data. Trivial or unsuccessful incidents (port scans, repelled phishing attempts, automated probes, and the like) are not Security Incidents.
“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data; biometric data used for unique identification; health data; data concerning sex life or sexual orientation; criminal-conviction or offence data; and any other category that is “sensitive personal information” or “special category data” under Applicable Data Protection Laws.
“Service Usage Data” means data generated by or relating to the operation of the Service (including telemetry, performance metrics, security logs, and aggregated usage statistics) that NowRep collects in connection with the Service.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means any third party engaged by NowRep to process Covered Data on NowRep’s behalf in connection with the Service.

The terms “controller,” “processor,” “business,” “service provider,” and “third party” have the meanings given in Applicable Data Protection Laws.

2. Role of the parties

2.1 The parties acknowledge that, for Covered Data, NowRep acts as a processor (or service provider) and the Customer acts as a controller (or business).

2.2 For Service Usage Data processed for the Controller Purposes, NowRep acts as an independent controller. NowRep’s Privacy Policy describes this processing, which NowRep conducts in its own name, not on the Customer’s behalf.

2.3 Where the Customer itself acts as a processor on behalf of a Customer’s Controller, NowRep acts as a sub-processor to that Customer’s Controller. The Customer warrants that it has the necessary authorisations from its Customer’s Controller to engage NowRep on the terms of this DPA.

3. Customer instructions and prohibited processing

3.1 The Customer instructs NowRep to process Covered Data only as necessary to provide the Service, in accordance with the Agreement and this DPA, and in compliance with Applicable Data Protection Laws. The Agreement, this DPA, and the Customer’s lawful use of the Service together constitute the Customer’s documented processing instructions.

3.2 The Customer may issue further written instructions, provided they are consistent with the Service’s documented functionality. NowRep is not required to follow instructions that would require it to materially modify the Service or that conflict with Applicable Data Protection Laws.

3.3 NowRep will promptly inform the Customer if, in NowRep’s opinion, an instruction infringes Applicable Data Protection Laws.

3.4 NowRep will not, except as expressly permitted by the Agreement or required by law:

(a) sell Covered Data or otherwise make it available to a third party for monetary or other valuable consideration;
(b) share Covered Data with a third party for cross-context behavioural advertising;
(c) use Covered Data to train any artificial-intelligence or machine-learning model, whether NowRep’s own or any third party’s;
(d) retain, use, or disclose Covered Data for any purpose other than providing the Service in accordance with the Agreement or as otherwise permitted by Applicable Data Protection Laws;
(e) retain, use, or disclose Covered Data outside the direct business relationship between the parties; or
(f) combine Covered Data with personal data NowRep receives from or on behalf of any other person.

4. Customer obligations

4.1 The Customer shall comply with its obligations as a controller under Applicable Data Protection Laws. In particular, the Customer shall:

(a) provide all required notices and obtain all required consents from Data Subjects for the processing of their Covered Data in connection with the Customer’s use of the Service, including any consents required for the upload, storage, or sharing of Sensitive Data or imagery covered by the New York Fashion Workers Act or equivalent laws;
(b) ensure that the Customer’s processing of Covered Data through the Service has a valid legal basis under Applicable Data Protection Laws;
(c) maintain accurate records of its processing activities as required by Applicable Data Protection Laws;
(d) respond directly to Data Subject Requests it receives in respect of Covered Data, with NowRep providing assistance as set out in clause 7;
(e) where required by Applicable Data Protection Laws, conduct any data-protection impact assessment in respect of its use of the Service, with NowRep providing assistance as reasonably necessary; and
(f) not instruct NowRep to process Covered Data in a manner that would breach Applicable Data Protection Laws.

4.2 The Customer is solely responsible for the accuracy, quality, legality, and lawful basis of Covered Data and for the manner in which the Customer or its authorised users use the Service.

5. Confidentiality of personnel

5.1 NowRep shall ensure that personnel authorised to process Covered Data:

(a) are bound by appropriate duties of confidentiality, whether by contract or by law; and
(b) have access to Covered Data only on a need-to-know basis and only to the extent required to perform their assigned duties.

6. Sub-processors

6.1 The Customer generally authorises NowRep to engage Sub-processors to process Covered Data, subject to the conditions in this clause 6. The current list of authorised Sub-processors is maintained at nowrep.io/subprocessors.

6.2 NowRep shall:

(a) enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective of Covered Data than those imposed on NowRep under this DPA; and
(b) remain liable for each Sub-processor’s compliance with the obligations under this DPA.

6.3 Change-notification mechanism. Where NowRep intends to engage a new Sub-processor or replace an existing one in a way that materially changes how Covered Data is processed, NowRep shall provide the Customer with notice at least 14 days before the change takes effect. Notice will be given through an in-app notification visible to the Customer’s account owner and other administrators with subprocessor.notice access; NowRep will simultaneously update the public subprocessors page.

6.4 Objection. The Customer may object to a proposed Sub-processor change by emailing privacy@nowrep.io within the 14-day notice window, stating the grounds for the objection. The parties will work together in good faith to find a mutually acceptable resolution. If no resolution is reached within 30 days of the objection, the Customer may terminate the portion of the Agreement that depends on the affected processing, on written notice, and NowRep will refund any pre-paid fees relating to the affected portion of the Service for the period after termination.

7. Data Subject requests

7.1 Taking into account the nature of the Service, NowRep will provide reasonable assistance to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”). This assistance includes the in-Service export, deletion, and correction functions described in the Service documentation.

7.2 Where NowRep receives a Data Subject Request directly relating to Covered Data, NowRep will not respond to the request other than to acknowledge receipt and direct the Data Subject to the Customer, except where Applicable Data Protection Laws require NowRep to respond. NowRep will promptly notify the Customer of the request and provide the Customer with reasonable details.

7.3 Where the Data Subject is a Talent represented by the Customer and emails privacy@nowrep.io directly, NowRep will acknowledge the request, route it to the Customer, and copy the Talent on the routing so the Talent can see the handoff. This routing is described further in NowRep’s Privacy Policy.

8. Security

8.1 NowRep shall implement and maintain appropriate technical and organisational measures designed to protect Covered Data against unauthorised or unlawful processing and against accidental loss, destruction, alteration, or damage. The measures meet the minimum standards set out in Schedule 1.

8.2 NowRep evaluates and updates its security measures from time to time. NowRep will not materially diminish the protection of Covered Data over the term of the Agreement.

9. Audits and information

9.1 NowRep shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This information includes:

(a) Schedule 1 (Technical and Organisational Measures);
(b) the public subprocessors page at nowrep.io/subprocessors;
(c) summaries of the third-party security and compliance reports of NowRep’s primary Sub-processors (including, where available, SOC 2 reports and ISO 27001 certifications held by Supabase, Stripe, Sentry, Cloudflare, and Fly.io); and
(d) on the Customer’s reasonable written request, responses to a standard security questionnaire of no more than 100 questions, no more than once per calendar year.

9.2 The information made available under clause 9.1 is intended to satisfy the Customer’s audit-information needs under Article 28(3)(h) of the GDPR and equivalent provisions of other Applicable Data Protection Laws. The Customer agrees that, where the information referenced in clause 9.1 reasonably addresses an audit request, no further audit is required.

9.3 Independent audits. Where Applicable Data Protection Laws require a further audit, or where the Customer has reasonable grounds to suspect NowRep’s material non-compliance with this DPA, the Customer may, no more than once per calendar year and subject to a confidentiality agreement reasonably acceptable to NowRep, conduct an audit of NowRep’s processing of Covered Data. Each audit will:

(a) be conducted on at least 60 days’ advance written notice;
(b) be conducted during NowRep’s normal business hours;
(c) be limited in scope to NowRep’s compliance with this DPA;
(d) not unreasonably interfere with NowRep’s operations or compromise the security of other customers’ data;
(e) be conducted at the Customer’s cost; and
(f) be conducted by the Customer or by a qualified independent third-party auditor that is not a competitor of NowRep, on terms agreed in writing in advance.

9.4 The results of any audit are NowRep’s confidential information.

10. Security incidents

10.1 NowRep shall notify the Customer in writing without undue delay, and in any event within 72 hours of NowRep’s confirmation of a Security Incident, where the Security Incident affects Covered Data of the Customer.

10.2 Each notification will include, to the extent then known: the nature of the Security Incident and the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address and mitigate it. NowRep will provide updates as further information becomes available.

10.3 NowRep shall provide reasonable assistance to the Customer in connection with the Customer’s obligations under Applicable Data Protection Laws regarding the Security Incident, including any notifications to supervisory authorities and Data Subjects.

10.4 NowRep’s notification of a Security Incident is not an acknowledgment of fault or liability.

11. Term, retention, deletion, and return

11.1 This DPA takes effect on the date the Customer enters into the Agreement and remains in force until NowRep has deleted all Covered Data in accordance with this clause 11.

11.2 During the term of the Agreement, the Customer may export Covered Data using the Service’s in-product export and integration functionality.

11.3 At the end of the Agreement:

(a) NowRep will retain Covered Data for a Retention Period of 90 days following the termination or expiry of the Agreement;
(b) during the Retention Period, the Customer may use the Service’s export functionality to download Covered Data, or may request that NowRep provide a packaged export in a commonly used format (NowRep may charge reasonable fees for non-self-service exports);
(c) on expiry of the Retention Period, NowRep will delete all Covered Data from active systems and, in accordance with NowRep’s backup-overwrite schedule, from backups; and
(d) the Customer may, at any time during the Retention Period, instruct NowRep to delete Covered Data earlier than the end of the Retention Period.

11.4 Sealed business records. Notwithstanding clause 11.3, NowRep retains immutable business records produced by the Customer in the Service, including sent invoice PDFs, statements, packaged artifacts, and similar records that the Customer has issued to third parties (collectively, “WORM artifacts”), on the Customer’s behalf for the longer of (i) the period required by the Customer’s applicable tax, accounting, and audit laws, and (ii) the seven-year default described in NowRep’s Privacy Policy. WORM artifacts remain in NowRep’s storage during this period but are not actively used to provide the Service.

11.5 NowRep may retain Covered Data after the Retention Period to the extent required by Applicable Data Protection Laws or other applicable law, in which case NowRep will continue to protect that Covered Data in accordance with this DPA until it is deleted.

12. International transfers

12.1 NowRep is established in the United States. The Customer authorises NowRep to transfer Covered Data to the United States and to other jurisdictions where NowRep or its Sub-processors operate, subject to the safeguards described in this clause 12 and in Schedule 2.

12.2 Where the transfer of Covered Data from the Customer to NowRep is subject to the GDPR, the UK GDPR, the Swiss FADP, or another Applicable Data Protection Law that requires a transfer mechanism, the parties agree that the Standard Contractual Clauses, the UK Addendum, and the Swiss Addendum set out in Schedule 2 apply to the transfer and form part of this DPA. Execution of the Agreement has the same effect as signing those clauses.

12.3 Where, during the term, a different transfer mechanism becomes available or required under Applicable Data Protection Laws, the parties will cooperate in good faith to adopt that mechanism in place of, or in addition to, the mechanisms set out in Schedule 2.

12.4 The Customer remains responsible for confirming that any transfer of Covered Data to NowRep is permitted under the laws applicable to the Customer.

13. Liability

13.1 Each party’s liability under this DPA is subject to the aggregate limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, the liability cap in the Agreement is a single, aggregate cap covering both the Agreement and this DPA; the existence of this DPA does not increase or duplicate the cap.

13.2 Nothing in this clause limits any liability that cannot be limited or excluded under Applicable Data Protection Laws.

14. General

14.1 Order of precedence. If this DPA and the Agreement conflict with respect to the processing of Personal Data, this DPA prevails. The SCCs in Schedule 2 prevail over both the Agreement and this DPA to the extent of any conflict and to the extent of the transfer they govern.

14.2 Amendments. The parties will negotiate in good faith any amendments to this DPA reasonably necessary to comply with changes in Applicable Data Protection Laws. NowRep may publish updated versions of this DPA at nowrep.io/dpa; updates that materially change the Customer’s rights or obligations take effect 14 days after notice through the in-app channel described in clause 6.

14.3 Notices. Notices to NowRep under this DPA are sent to privacy@nowrep.io. Notices to the Customer are sent through the in-app notification channel and, where the Customer has provided one, the email address of the Customer’s account owner.

14.4 Governing law. This DPA is governed by the same governing law as the Agreement (currently New Jersey, USA). For SCCs in Schedule 2, the governing law and forum follow Schedule 2.

14.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Schedule 1 — Technical and Organisational Measures

NowRep maintains the following technical and organisational measures to protect Covered Data. These measures are reviewed periodically and updated as the Service evolves. NowRep will not materially diminish these measures over the term of the Agreement.

Governance

A designated team is responsible for the determination, review, and implementation of security policies, including incident response, access management, and vendor risk review.
Security considerations are part of project initiation and design review for new Service features.
Personnel with access to Covered Data are subject to written confidentiality obligations and receive role-appropriate security training.

Access control

Access to production infrastructure is granted on a least-privilege basis, scoped to documented business need, and revoked when no longer required.
Production access requires multi-factor authentication.
Customer-facing access to Covered Data inside the Service is governed by row-level security in the database and a role-based access-control model documented in the Service. Customers can configure roles and permissions for their team members.
NowRep does not store Customer passwords in plaintext; passwords are stored using strong one-way hashing maintained by NowRep’s authentication subprocessor.
Multi-factor authentication is available to all Customer team members.

Encryption

Data in transit between Customer browsers, NowRep, and NowRep’s Sub-processors is protected by industry-standard TLS.
Data at rest is encrypted using AES-256 (or equivalent) by NowRep’s database and file-storage subprocessors. Encryption keys are managed by those subprocessors using FIPS-compliant key management systems.
Sensitive identity documents that a Customer chooses to upload may additionally be protected with a per-document password set by the Customer.

Pseudonymisation and segregation

Application logs and telemetry are configured to scrub Personal Data payloads. Named-field redaction rules apply to error-monitoring data.
WORM artifacts (sent invoices, statements, generated PDFs) are written once and cannot be modified through the application; the storage layer enforces integrity.

Availability and resilience

NowRep relies on its hosting and database Sub-processors to provide redundancy, automated backups, and recovery in line with their published service levels.
Backups are encrypted at rest and are stored separately from production data.

Bot, abuse, and intrusion protection

Authentication endpoints (sign-in, sign-up) and the marketing contact form are protected by a captcha provider that screens for automated abuse.
Suspicious-activity detection on authentication events is delegated to NowRep’s authentication subprocessor and supplemented by NowRep’s own logging.

Vulnerability and incident management

NowRep maintains a documented breach-response plan covering detection, containment, investigation, notification, and remediation.
Vulnerability reports can be sent to security@nowrep.io. NowRep acknowledges reports promptly and investigates each one.
NowRep relies on the testing and certification programmes of its primary infrastructure Sub-processors (SOC 2, ISO 27001 where applicable) and supplements them with its own internal review.

Vendor and Sub-processor management

NowRep performs reasonable diligence on Sub-processors prior to engagement and reviews their compliance posture from time to time.
NowRep enters into written agreements with each Sub-processor that impose data-protection obligations substantially equivalent to those in this DPA.

Schedule 2 — Standard Contractual Clauses

Part A — EU Standard Contractual Clauses

The EU SCCs (Commission Implementing Decision (EU) 2021/914) apply to transfers of Covered Data from the Customer (as data exporter) to NowRep (as data importer) where the GDPR applies to the Customer’s processing or to the transfer.

The SCCs are completed as follows:

Item	Completion
Module(s) that apply	Module Two (controller to processor) where the Customer acts as a controller. Module Three (processor to processor) where the Customer acts as a processor on behalf of a Customer’s Controller.
Clause 7 (Docking clause)	Does not apply.
Clause 9(a) (Sub-processor authorisation)	Option 2 (general written authorisation) applies. The notice period for changes to Sub-processors is 14 days, as set out in clause 6.3 of the DPA.
Clause 11 (Independent dispute resolution)	The optional language does not apply.
Clause 17 (Governing law)	Option 1 applies. Governing law is the law of Ireland.
Clause 18 (Choice of forum and jurisdiction)	Courts of Ireland.
Annex I.A (Parties)	Set out in Part 1 of this DPA.
Annex I.B (Description of transfer)	Set out in Part 1 of this DPA.
Annex I.C (Competent supervisory authority)	As identified in Part 1 of this DPA.
Annex II (Technical and organisational measures)	Schedule 1 of this DPA.
Annex III (List of Sub-processors)	Maintained at nowrep.io/subprocessors.

Execution of the Agreement has the same effect as signing the SCCs.

Part B — UK International Data Transfer Addendum

Where the UK GDPR applies to the Customer’s processing or to the transfer, the UK International Data Transfer Addendum to the EU SCCs (version B.1.0, issued under section 119A(1) of the UK Data Protection Act 2018 and laid before Parliament on 2 February 2022, as amended) applies and forms part of this DPA.

The UK Addendum is completed as follows:

Table 1 (Parties): Set out in Part 1 of this DPA.
Table 2 (Selected SCCs): The EU SCCs as incorporated under Part A of this Schedule.
Table 3 (Appendix Information): The information set out in Part 1 of this DPA and in Schedule 1.
Table 4 (Termination): Neither party may terminate the UK Addendum under Section 19 of the Addendum.

Execution of the Agreement has the same effect as signing the UK Addendum.

Part C — Swiss Addendum

Where the Swiss FADP applies to the transfer (alone or together with the GDPR), the SCCs apply with the following modifications:

References to “Member State” include Switzerland.
The competent supervisory authority for Swiss transfers is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
For transfers governed exclusively by Swiss law, governing law is Swiss law and the forum is the courts of Switzerland.
The SCCs additionally protect Personal Data of Swiss legal entities until the revised Swiss FADP excludes legal-entity data.

Part D — Transfers governed by other laws

Where a transfer of Covered Data is subject to a data-protection law other than the GDPR, UK GDPR, or Swiss FADP and that law requires a written transfer mechanism, the SCCs in this Schedule are deemed to apply to that transfer with the references to “GDPR,” “Member State,” and the competent supervisory authority replaced with the equivalent under the relevant law. If and when the relevant authority adopts an approved transfer mechanism for that jurisdiction, the parties will cooperate in good faith to adopt that mechanism.

Schedule 3 — Sub-processors

The current list of NowRep’s authorised Sub-processors is maintained at nowrep.io/subprocessors. The page identifies each Sub-processor’s name, the purpose of its engagement, the categories of Covered Data it may process, and its primary processing location. Changes to the list are made in accordance with clause 6 of this DPA.

A point-in-time copy of the list as of the effective date of this DPA is held by NowRep and will be provided to the Customer on written request.

How this DPA is entered into

If this DPA and the Agreement conflict, this DPA controls only with respect to the processing of Personal Data. For all other matters, the Agreement controls.

Part 1 — Processing Details

Item	Description
Customer name and contact	The Customer’s account-holder name and the email address of record on the Customer’s NowRep account. For countersigned DPAs, supplied by the Customer at signing.
NowRep contact	`privacy@nowrep.io`
Customer’s role	Controller (or processor / service provider, where the Customer processes Personal Data on behalf of its own controller; see clause 2.3).
NowRep’s role	Processor (or sub-processor, where the Customer is itself a processor). NowRep is also an independent controller for the narrow Controller Purposes defined in clause 1.
Subject matter of processing	NowRep’s provision of the Service to the Customer: the talent-agency platform described in the Agreement, including roster management, bookings, packages, billing, generated artifacts, and portfolio-site syndication.
Duration of processing	The term of the Agreement, plus the post-termination Retention Period described in clause 11.
Nature of processing	Storage, retrieval, organisation, structuring, adaptation, alteration, indexing, transmission, deletion, anonymisation, and similar operations performed in providing the Service.
Purpose of processing	Provision of the Service in accordance with the Agreement and the Customer’s instructions.
Categories of data subjects	The Customer’s authorised users (agency staff); Talent represented by the Customer; the Customer’s clients and contacts (directory); recipients of shareable links and generated artifacts.
Categories of Personal Data	As described in §3 of NowRep’s Privacy Policy. Including: contact details, authentication factors, profile data (date of birth, gender, pronouns, nationality, measurements, biography), portfolio images and videos, identity documents (passport / visa / similar) where the Customer chooses to upload them, contracts and notes, booking and event records, directory contacts, invoice and payment records, generated artifacts.
Sensitive / special categories	The Service may receive Sensitive Data uploaded by the Customer at its discretion. The Customer is responsible for the lawful basis under which any Sensitive Data is uploaded (see clause 4).
Frequency of transfer	Continuous, throughout the term of the Agreement.
Sub-processors	As listed at nowrep.io/subprocessors and updated in accordance with clause 6.
Competent supervisory authority (EU/EEA Customers)	The supervisory authority of the EU/EEA Member State in which the Customer is established, or where the Customer has appointed an Article 27 representative, the supervisory authority of that representative’s Member State. For Customers established outside the EU/EEA, the supervisory authority of the Member State where data subjects whose Personal Data is transferred under this DPA in connection with the Customer’s use of the Service are predominantly located.

Part 2 — Data Processing Terms

1. Definitions

Capitalised terms not defined here have the meaning set out in the Agreement.

“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, the CCPA, and other state, federal, and national privacy laws in force from time to time.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act.
“Controller Purposes” means NowRep’s processing of Service Usage Data, on its own behalf as a controller, for the limited purposes of: (a) operating, securing, monitoring, and improving the Service; (b) billing, fraud prevention, and abuse detection; (c) compiling aggregated and de-identified statistics about Service use; and (d) administering the contractual relationship with the Customer.
“Covered Data” means Personal Data that the Customer or its authorised users upload, transmit, store, generate, or otherwise process through the Service, and any Personal Data that NowRep processes on the Customer’s behalf in providing the Service. Service Usage Data processed for the Controller Purposes is not Covered Data.
“Customer’s Controller” means, where the Customer is itself a processor (clause 2.3), the controller on whose behalf the Customer processes Covered Data.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
“GDPR” means Regulation (EU) 2016/679, including, where applicable, the “UK GDPR” as defined in section 3 of the UK Data Protection Act 2018.
“Personal Data” means any information that identifies or could reasonably identify a natural person, or that otherwise falls within the definition of “personal data,” “personal information,” or similar term under Applicable Data Protection Laws.
“Processing” has the meaning given in the GDPR, and includes any operation or set of operations performed on Personal Data, whether or not by automated means. “Process” and “Processed” are interpreted accordingly.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Covered Data. Trivial or unsuccessful incidents (port scans, repelled phishing attempts, automated probes, and the like) are not Security Incidents.
“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data; biometric data used for unique identification; health data; data concerning sex life or sexual orientation; criminal-conviction or offence data; and any other category that is “sensitive personal information” or “special category data” under Applicable Data Protection Laws.
“Service Usage Data” means data generated by or relating to the operation of the Service (including telemetry, performance metrics, security logs, and aggregated usage statistics) that NowRep collects in connection with the Service.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means any third party engaged by NowRep to process Covered Data on NowRep’s behalf in connection with the Service.

The terms “controller,” “processor,” “business,” “service provider,” and “third party” have the meanings given in Applicable Data Protection Laws.

2. Role of the parties

2.1 The parties acknowledge that, for Covered Data, NowRep acts as a processor (or service provider) and the Customer acts as a controller (or business).

3. Customer instructions and prohibited processing

3.3 NowRep will promptly inform the Customer if, in NowRep’s opinion, an instruction infringes Applicable Data Protection Laws.

3.4 NowRep will not, except as expressly permitted by the Agreement or required by law:

(a) sell Covered Data or otherwise make it available to a third party for monetary or other valuable consideration;
(b) share Covered Data with a third party for cross-context behavioural advertising;
(c) use Covered Data to train any artificial-intelligence or machine-learning model, whether NowRep’s own or any third party’s;
(d) retain, use, or disclose Covered Data for any purpose other than providing the Service in accordance with the Agreement or as otherwise permitted by Applicable Data Protection Laws;
(e) retain, use, or disclose Covered Data outside the direct business relationship between the parties; or
(f) combine Covered Data with personal data NowRep receives from or on behalf of any other person.

4. Customer obligations

4.1 The Customer shall comply with its obligations as a controller under Applicable Data Protection Laws. In particular, the Customer shall:

(a) provide all required notices and obtain all required consents from Data Subjects for the processing of their Covered Data in connection with the Customer’s use of the Service, including any consents required for the upload, storage, or sharing of Sensitive Data or imagery covered by the New York Fashion Workers Act or equivalent laws;
(b) ensure that the Customer’s processing of Covered Data through the Service has a valid legal basis under Applicable Data Protection Laws;
(c) maintain accurate records of its processing activities as required by Applicable Data Protection Laws;
(d) respond directly to Data Subject Requests it receives in respect of Covered Data, with NowRep providing assistance as set out in clause 7;
(e) where required by Applicable Data Protection Laws, conduct any data-protection impact assessment in respect of its use of the Service, with NowRep providing assistance as reasonably necessary; and
(f) not instruct NowRep to process Covered Data in a manner that would breach Applicable Data Protection Laws.

4.2 The Customer is solely responsible for the accuracy, quality, legality, and lawful basis of Covered Data and for the manner in which the Customer or its authorised users use the Service.

5. Confidentiality of personnel

5.1 NowRep shall ensure that personnel authorised to process Covered Data:

(a) are bound by appropriate duties of confidentiality, whether by contract or by law; and
(b) have access to Covered Data only on a need-to-know basis and only to the extent required to perform their assigned duties.

6. Sub-processors

6.2 NowRep shall:

(a) enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective of Covered Data than those imposed on NowRep under this DPA; and
(b) remain liable for each Sub-processor’s compliance with the obligations under this DPA.

7. Data Subject requests

8. Security

8.2 NowRep evaluates and updates its security measures from time to time. NowRep will not materially diminish the protection of Covered Data over the term of the Agreement.

9. Audits and information

9.1 NowRep shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This information includes:

(a) Schedule 1 (Technical and Organisational Measures);
(b) the public subprocessors page at nowrep.io/subprocessors;
(c) summaries of the third-party security and compliance reports of NowRep’s primary Sub-processors (including, where available, SOC 2 reports and ISO 27001 certifications held by Supabase, Stripe, Sentry, Cloudflare, and Fly.io); and
(d) on the Customer’s reasonable written request, responses to a standard security questionnaire of no more than 100 questions, no more than once per calendar year.

(a) be conducted on at least 60 days’ advance written notice;
(b) be conducted during NowRep’s normal business hours;
(c) be limited in scope to NowRep’s compliance with this DPA;
(d) not unreasonably interfere with NowRep’s operations or compromise the security of other customers’ data;
(e) be conducted at the Customer’s cost; and
(f) be conducted by the Customer or by a qualified independent third-party auditor that is not a competitor of NowRep, on terms agreed in writing in advance.

9.4 The results of any audit are NowRep’s confidential information.

10. Security incidents

10.4 NowRep’s notification of a Security Incident is not an acknowledgment of fault or liability.

11. Term, retention, deletion, and return

11.1 This DPA takes effect on the date the Customer enters into the Agreement and remains in force until NowRep has deleted all Covered Data in accordance with this clause 11.

11.2 During the term of the Agreement, the Customer may export Covered Data using the Service’s in-product export and integration functionality.

11.3 At the end of the Agreement:

(a) NowRep will retain Covered Data for a Retention Period of 90 days following the termination or expiry of the Agreement;
(b) during the Retention Period, the Customer may use the Service’s export functionality to download Covered Data, or may request that NowRep provide a packaged export in a commonly used format (NowRep may charge reasonable fees for non-self-service exports);
(c) on expiry of the Retention Period, NowRep will delete all Covered Data from active systems and, in accordance with NowRep’s backup-overwrite schedule, from backups; and
(d) the Customer may, at any time during the Retention Period, instruct NowRep to delete Covered Data earlier than the end of the Retention Period.

12. International transfers

12.4 The Customer remains responsible for confirming that any transfer of Covered Data to NowRep is permitted under the laws applicable to the Customer.

13. Liability

13.2 Nothing in this clause limits any liability that cannot be limited or excluded under Applicable Data Protection Laws.

14. General

14.4 Governing law. This DPA is governed by the same governing law as the Agreement (currently New Jersey, USA). For SCCs in Schedule 2, the governing law and forum follow Schedule 2.

14.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Schedule 1 — Technical and Organisational Measures

Governance

A designated team is responsible for the determination, review, and implementation of security policies, including incident response, access management, and vendor risk review.
Security considerations are part of project initiation and design review for new Service features.
Personnel with access to Covered Data are subject to written confidentiality obligations and receive role-appropriate security training.

Access control

Access to production infrastructure is granted on a least-privilege basis, scoped to documented business need, and revoked when no longer required.
Production access requires multi-factor authentication.
Customer-facing access to Covered Data inside the Service is governed by row-level security in the database and a role-based access-control model documented in the Service. Customers can configure roles and permissions for their team members.
NowRep does not store Customer passwords in plaintext; passwords are stored using strong one-way hashing maintained by NowRep’s authentication subprocessor.
Multi-factor authentication is available to all Customer team members.

Encryption

Data in transit between Customer browsers, NowRep, and NowRep’s Sub-processors is protected by industry-standard TLS.
Data at rest is encrypted using AES-256 (or equivalent) by NowRep’s database and file-storage subprocessors. Encryption keys are managed by those subprocessors using FIPS-compliant key management systems.
Sensitive identity documents that a Customer chooses to upload may additionally be protected with a per-document password set by the Customer.

Pseudonymisation and segregation

Application logs and telemetry are configured to scrub Personal Data payloads. Named-field redaction rules apply to error-monitoring data.
WORM artifacts (sent invoices, statements, generated PDFs) are written once and cannot be modified through the application; the storage layer enforces integrity.

Availability and resilience

NowRep relies on its hosting and database Sub-processors to provide redundancy, automated backups, and recovery in line with their published service levels.
Backups are encrypted at rest and are stored separately from production data.

Bot, abuse, and intrusion protection

Authentication endpoints (sign-in, sign-up) and the marketing contact form are protected by a captcha provider that screens for automated abuse.
Suspicious-activity detection on authentication events is delegated to NowRep’s authentication subprocessor and supplemented by NowRep’s own logging.

Vulnerability and incident management

NowRep maintains a documented breach-response plan covering detection, containment, investigation, notification, and remediation.
Vulnerability reports can be sent to security@nowrep.io. NowRep acknowledges reports promptly and investigates each one.
NowRep relies on the testing and certification programmes of its primary infrastructure Sub-processors (SOC 2, ISO 27001 where applicable) and supplements them with its own internal review.

Vendor and Sub-processor management

NowRep performs reasonable diligence on Sub-processors prior to engagement and reviews their compliance posture from time to time.
NowRep enters into written agreements with each Sub-processor that impose data-protection obligations substantially equivalent to those in this DPA.

Schedule 2 — Standard Contractual Clauses

Part A — EU Standard Contractual Clauses

The SCCs are completed as follows:

Item	Completion
Module(s) that apply	Module Two (controller to processor) where the Customer acts as a controller. Module Three (processor to processor) where the Customer acts as a processor on behalf of a Customer’s Controller.
Clause 7 (Docking clause)	Does not apply.
Clause 9(a) (Sub-processor authorisation)	Option 2 (general written authorisation) applies. The notice period for changes to Sub-processors is 14 days, as set out in clause 6.3 of the DPA.
Clause 11 (Independent dispute resolution)	The optional language does not apply.
Clause 17 (Governing law)	Option 1 applies. Governing law is the law of Ireland.
Clause 18 (Choice of forum and jurisdiction)	Courts of Ireland.
Annex I.A (Parties)	Set out in Part 1 of this DPA.
Annex I.B (Description of transfer)	Set out in Part 1 of this DPA.
Annex I.C (Competent supervisory authority)	As identified in Part 1 of this DPA.
Annex II (Technical and organisational measures)	Schedule 1 of this DPA.
Annex III (List of Sub-processors)	Maintained at nowrep.io/subprocessors.

Execution of the Agreement has the same effect as signing the SCCs.

Part B — UK International Data Transfer Addendum

The UK Addendum is completed as follows:

Table 1 (Parties): Set out in Part 1 of this DPA.
Table 2 (Selected SCCs): The EU SCCs as incorporated under Part A of this Schedule.
Table 3 (Appendix Information): The information set out in Part 1 of this DPA and in Schedule 1.
Table 4 (Termination): Neither party may terminate the UK Addendum under Section 19 of the Addendum.

Execution of the Agreement has the same effect as signing the UK Addendum.

Part C — Swiss Addendum

Where the Swiss FADP applies to the transfer (alone or together with the GDPR), the SCCs apply with the following modifications:

References to “Member State” include Switzerland.
The competent supervisory authority for Swiss transfers is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
For transfers governed exclusively by Swiss law, governing law is Swiss law and the forum is the courts of Switzerland.
The SCCs additionally protect Personal Data of Swiss legal entities until the revised Swiss FADP excludes legal-entity data.

Part D — Transfers governed by other laws

Schedule 3 — Sub-processors

A point-in-time copy of the list as of the effective date of this DPA is held by NowRep and will be provided to the Customer on written request.

Data Processing Addendum

How we process Customer data on your behalf

How this DPA is entered into

Part 1 — Processing Details

Part 2 — Data Processing Terms

1. Definitions

2. Role of the parties

3. Customer instructions and prohibited processing

4. Customer obligations

5. Confidentiality of personnel

6. Sub-processors

7. Data Subject requests

8. Security

9. Audits and information

10. Security incidents

11. Term, retention, deletion, and return

12. International transfers

13. Liability

14. General

Schedule 1 — Technical and Organisational Measures

Governance

Access control

Encryption

Pseudonymisation and segregation

Availability and resilience

Bot, abuse, and intrusion protection

Vulnerability and incident management

Vendor and Sub-processor management

Schedule 2 — Standard Contractual Clauses

Part A — EU Standard Contractual Clauses

Part B — UK International Data Transfer Addendum

Part C — Swiss Addendum

Part D — Transfers governed by other laws

Schedule 3 — Sub-processors

Data Processing Addendum

How we process Customer data on your behalf

How this DPA is entered into

Part 1 — Processing Details

Part 2 — Data Processing Terms

1. Definitions

2. Role of the parties

3. Customer instructions and prohibited processing

4. Customer obligations

5. Confidentiality of personnel

6. Sub-processors

7. Data Subject requests

8. Security

9. Audits and information

10. Security incidents

11. Term, retention, deletion, and return

12. International transfers

13. Liability

14. General

Schedule 1 — Technical and Organisational Measures

Governance

Access control

Encryption

Pseudonymisation and segregation

Availability and resilience

Bot, abuse, and intrusion protection

Vulnerability and incident management

Vendor and Sub-processor management

Schedule 2 — Standard Contractual Clauses

Part A — EU Standard Contractual Clauses

Part B — UK International Data Transfer Addendum

Part C — Swiss Addendum

Part D — Transfers governed by other laws

Schedule 3 — Sub-processors