1. Who needs a DPA
Individual creator accounts do not need a DPA — your relationship is governed by the Terms of Service and Privacy Policy. A DPA is typically requested when an organisation:
- Manages multiple creator accounts on behalf of clients and is the data controller for those clients
- Is established in the EU/UK and must comply with GDPR Article 28 processor obligations
- Has internal procurement requirements that mandate one
2. How to request one
Email legal@ugcframe.com with your organisation name, jurisdiction, and the UGCFrame account email(s) involved. We will respond within 7 business days with our standard template.
3. Standard terms
Our DPA template includes:
- GDPR Article 28(3) clauses for EU/UK customers
- Reference to our Subprocessors list
- Standard Contractual Clauses for international transfers
- Security commitments mirroring our Privacy Policy
- Sub-processor change notification on request
4. PDPA equivalent
For customers based in Malaysia, the Malaysian PDPA does not define a controller/processor structure identical to the GDPR, but our DPA includes equivalent commitments that satisfy PDPA section 9 (security of personal data) for shared-processing arrangements.