AvatarMill
AvatarMill
Sign in Get started

Data Processing Agreement

Last updated: 27th April 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service between MALCOMSON BROTHERS LIMITED ("Processor", "we", "us", or "our"), a company registered in England and Wales whose registered office is at 63 Wickenden Road, Sevenoaks, England, TN13 3PN, and the customer that has accepted those Terms ("Controller", "Customer", or "you") in connection with use of the AvatarMill service at avatarmill.com (the "Service").

This DPA reflects the parties' agreement on the processing of Personal Data carried out by us on the Customer's behalf in the course of providing the Service, and is entered into to comply with Article 28 of the UK GDPR and EU GDPR. By accepting the Terms of Service, the Customer is deemed to have entered into and accepted this DPA.

2. Definitions

Capitalised terms not defined in this DPA have the meaning given in the Terms of Service. The terms "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them in the UK GDPR and the EU GDPR (together, the "Data Protection Laws").

3. Roles and Scope

The Customer is the Controller of Personal Data they submit to, or generate through, the Service. MALCOMSON BROTHERS LIMITED is a Processor of that data, processing it solely to provide the Service in accordance with the Customer's documented instructions (which include configuration choices the Customer makes in the Service).

This DPA applies whenever we process Personal Data on the Customer's behalf, including:

  • Reference media (photographs, videos) of identifiable persons that the Customer or their authorised users upload
  • Workspace content the Customer's users create and store within the Service
  • Operational data the Customer's users generate while using the Service (for example, prompt history)

This DPA does not apply to Personal Data for which we are an independent Controller (such as billing, account-administration, and Service-telemetry data); that processing is governed by our Privacy Policy.

4. Subject Matter, Duration, Nature and Purpose

Subject matter: the processing of Personal Data submitted to the Service by or on behalf of the Customer.

Duration: the term of the Customer's subscription to the Service, plus the limited retention period set out in section 11 (Return and Deletion).

Nature and purpose: hosting, AI inference, content moderation, transcoding, presigned upload and delivery, search, and other Service functionality the Customer requests by configuring or using the Service.

The categories of Personal Data and Data Subjects are set out in Annex 1.

5. Customer Instructions and Obligations

We will process Personal Data only on the Customer's documented instructions, which include this DPA, the Terms of Service, and the Customer's lawful use of the Service's features. We will inform the Customer if, in our opinion, an instruction infringes Data Protection Laws.

The Customer warrants and undertakes that:

  • It has, and will maintain throughout the term, a valid lawful basis under the Data Protection Laws for the Processing it instructs us to carry out
  • It has, where required, obtained appropriate consents and provided transparency notices to Data Subjects (including subjects of any reference media uploaded to the Service)
  • It will not instruct us to process Personal Data that is unlawful for us to process, or that violates the Acceptable Use Policy

6. Confidentiality

We will ensure that personnel authorised to process Personal Data are bound by appropriate written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and are made aware of the confidential nature of the data and their obligations under this DPA.

7. Security

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects, we will implement and maintain the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk.

8. Sub-processors

The Customer provides general written authorisation for us to engage Sub-processors to assist in providing the Service, subject to the conditions in this section.

Categories of Sub-processor we currently engage are listed in Annex 3. The current list of named Sub-processors is available on request to hello@avatarmill.com.

Before engaging any new Sub-processor that processes Personal Data covered by this DPA, we will impose data-protection obligations on that Sub-processor that are no less protective than those set out in this DPA. We will notify the Customer at least thirty (30) days before adding or replacing a named Sub-processor (by email to the Customer's billing contact and/or via an in-Service notice). The Customer may object on reasonable data-protection grounds during that period; if the parties cannot resolve the objection in good faith, the Customer's sole remedy is to terminate the affected portion of the Service in accordance with the Terms of Service.

We remain liable to the Customer for the acts and omissions of any Sub-processor as if they were our own.

9. International Transfers

Personal Data may be transferred to, and processed in, countries outside the United Kingdom and the European Economic Area where we or our Sub-processors are established or operate. Where Personal Data is transferred outside a jurisdiction that the UK or EU recognises as providing an adequate level of protection, we will rely on an appropriate transfer mechanism, including (as applicable) the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (2021/914) with the UK Addendum where required, or another mechanism permitted by the Data Protection Laws.

The Customer mandates us to enter into the relevant transfer mechanism with Sub-processors on its behalf where appropriate.

10. Assistance to Customer

Taking into account the nature of the Processing and the information available to us, we will provide reasonable assistance to the Customer to enable it to:

  • Respond to Data Subject requests under Articles 12 to 23 of the UK GDPR / EU GDPR (e.g. access, rectification, erasure, restriction, portability, objection)
  • Comply with its security, breach-notification, data-protection-impact- assessment and prior-consultation obligations under Articles 32 to 36 of the UK GDPR / EU GDPR

Where the Customer requests assistance that exceeds the functionality the Service provides, we may charge a reasonable fee based on time and materials.

11. Personal Data Breach Notification

We will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will include the information required under Article 33(3) of the UK GDPR / EU GDPR to the extent then known, with further information provided as it becomes available.

12. Return and Deletion

On expiry or termination of the Customer's subscription, the Customer may export Personal Data using the Service's available export and download functionality during a thirty (30) day grace period. After that period, we will delete or anonymise Personal Data within ninety (90) days, except where retention is required by law or where data is held in routine encrypted backups, in which case we will continue to apply this DPA to that data until deletion in the ordinary backup-rotation cycle.

13. Audit Rights

We will make available to the Customer all information reasonably necessary to demonstrate compliance with our obligations under Article 28 of the UK GDPR / EU GDPR. Where the Customer has reasonable grounds to suspect non-compliance, and we have not provided sufficient evidence in response to a written request, the Customer (or an independent third-party auditor instructed by the Customer and reasonably acceptable to us) may, at the Customer's cost, conduct an audit of our processing activities, on at least thirty (30) days' written notice, no more than once per twelve (12) month period (other than where required by a Supervisory Authority), during normal business hours, and subject to reasonable confidentiality and security requirements.

14. Liability

Each party's liability under this DPA is subject to, and counts toward, the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable law.

15. Term and Termination

This DPA takes effect on the date the Customer accepts the Terms of Service and continues for as long as we process Personal Data on the Customer's behalf. The provisions that by their nature are intended to survive termination (including sections 11, 12, 13 and 14) survive termination of this DPA.

16. Conflict

In the event of any conflict between this DPA, the Terms of Service, and the Privacy Policy in relation to the Processing of Personal Data on the Customer's behalf, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the Privacy Policy.

17. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales, without regard to its conflict-of-law provisions, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, subject to the same consumer-rights and mandatory-jurisdiction carve-outs set out in section 12 of the Terms of Service.

Annex 1 - Details of Processing

Categories of Data Subjects

  • The Customer's authorised users (workspace members)
  • Identifiable persons depicted in reference media the Customer or its users upload to the Service
  • Identifiable persons named or described in prompts, captions or other user-supplied text

Categories of Personal Data

  • Identification and contact data of authorised users (name, email, role)
  • Authentication data (hashed credentials, session identifiers)
  • Image and video data of identifiable persons supplied as reference media
  • User-generated content (prompts, captions, scene descriptions, generated media)
  • Usage and operational data associated with the foregoing (timestamps, workspace membership)

The Service is not intended to process special-category data within the meaning of Article 9 of the UK GDPR / EU GDPR. The Customer must not upload special-category data without first agreeing additional safeguards with us in writing.

Nature and Purpose

Hosting, AI inference, content moderation, transcoding, search, presigned upload and delivery, and other Service functionality the Customer requests.

Duration

The term of the Customer's subscription, plus the retention and deletion periods set out in section 12.

Annex 2 - Technical and Organisational Measures

We implement and maintain technical and organisational measures appropriate to the risks of the Processing, including:

  • Access control: role-based access; multi-factor authentication for administrative access; least-privilege provisioning; regular access reviews
  • Encryption: TLS 1.2 or higher in transit; encryption at rest for object storage and database backups
  • Network security: firewalled production infrastructure; restricted egress; rate limiting; DDoS protection at the edge
  • Application security: dependency vulnerability scanning; code review; secret management; presigned-URL upload flow that keeps bytes off intermediate hops
  • Operational security: centralised logging and monitoring; incident response plan; routine encrypted backups with documented restoration procedures
  • Personnel: background-appropriate hiring practices; written confidentiality obligations; security training
  • Sub-processors: contractual data-protection commitments flowed down to each Sub-processor; periodic review of Sub-processor security posture
  • Resilience and recovery: automated backups; documented recovery procedures; redundancy at the storage and compute layers

Annex 3 - Sub-processors

We engage Sub-processors in the following categories to deliver the Service:

  • AI inference providers
  • Cloud hosting and content delivery
  • Object storage
  • Payment processing
  • Transactional email delivery
  • Error and performance telemetry

The current list of named Sub-processors within these categories is available on request to hello@avatarmill.com. We will notify the Customer in advance of any material change to this list as set out in section 8.

Contact

For data-protection enquiries relating to this DPA, contact us at hello@avatarmill.com.