Skip to main content

Data Processing Agreement

InkReef  ·  Version 1.1  ·  Effective date: April 21, 2026  ·  Last updated: April 21, 2026

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the InkReef Terms of Service (available at app.inkreef.com/terms) between InkReef (“Processor” or “InkReef”) and the business entity that has accepted the Terms of Service (“Controller” or “Tenant”). This DPA governs the processing of Personal Data by InkReef on behalf of the Controller in connection with the InkReef platform and services. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data protection and processing.

1. Definitions

As used in this DPA:

  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data — in this context, the Tenant.
  • “Processor” means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller — in this context, InkReef.
  • “Personal Data”means any information relating to an identified or identifiable natural person (“Data Subject”), including without limitation names, email addresses, phone numbers, mailing addresses, and any other information that identifies or could reasonably identify an individual.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • “Data Subject”means the identified or identifiable natural person to whom Personal Data relates — typically the Controller’s customers or employees whose data is entered into the InkReef platform.
  • “Sub-processor” means any Processor engaged by InkReef who agrees to receive Personal Data from InkReef for Processing activities carried out on behalf of the Controller.
  • “Applicable Data Protection Law” means the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other applicable data protection or privacy laws and regulations to which the parties are subject.
  • “Security Incident” or “Data Breach” means any confirmed unauthorized access to, acquisition of, disclosure of, or loss of Personal Data maintained by InkReef.

2. Scope and Purpose of Processing

InkReef processes Personal Data solely to provide the services described in the Terms of Service. The subject matter, nature, and purpose of processing are as follows:

CategoryDetails
Subject matterOperation of the InkReef print-shop management platform
DurationFor the term of the Controller’s subscription, plus 30 days post-termination
Nature of processingStorage, retrieval, organisation, and transmission of Personal Data
PurposeDelivering quote, order, invoice, production, and customer management functionality
Types of Personal DataCustomer names, email addresses, phone numbers, mailing addresses, order and payment records, uploaded artwork files
Categories of Data SubjectsThe Controller’s customers and employees whose data is entered into the platform

InkReef will not process Personal Data for any purpose other than fulfilling its obligations under the Terms of Service and this DPA, unless required by applicable law, in which case InkReef will inform the Controller to the extent permitted by law.

3. Data Processor Obligations

InkReef, acting as Data Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by applicable law.
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational security measures as described in Section 7 of this DPA.
  • Not engage new Sub-processors without prior general or specific authorisation from the Controller, and ensure that Sub-processors are bound by data protection obligations at least equivalent to those set out in this DPA.
  • Assist the Controller, insofar as reasonably possible and taking into account the nature of the processing, in responding to requests by Data Subjects to exercise their rights under Applicable Data Protection Law.
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to InkReef.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.
  • Immediately inform the Controller if, in InkReef’s opinion, an instruction infringes Applicable Data Protection Law.

4. Sub-processors

The Controller grants InkReef general authorisation to engage the following Sub-processors, each of which has agreed to data protection obligations at least equivalent to those set out in this DPA:

Cloudflare, Inc.

Purpose: Infrastructure hosting, edge compute (Workers), relational database (D1), object storage (R2), and CDN. Data processed: All Personal Data stored on the InkReef platform. Location: United States.

cloudflare.com/privacypolicy →

Stripe, Inc.

Purpose: Subscription billing and payment processing for InkReef platform fees. Data processed:Billing name, email address, and billing address of the Tenant’s account holder. Location: United States.

stripe.com/privacy →

Resend, Inc.

Purpose:Transactional email delivery (account verification, password reset, quote and invoice notifications sent on behalf of the Tenant to the Tenant’s customers). Data processed: Recipient email addresses and email message content. Location: United States.

resend.com/legal/privacy-policy →

InkReef will inform the Controller of any intended changes to Sub-processors — by adding or replacing a Sub-processor — by updating this page and, where feasible, providing at least 30 days’ prior notice to allow the Controller to object to such changes. If the Controller objects and InkReef cannot reasonably accommodate the objection, the Controller may terminate the services upon written notice without penalty.

5. Data Subject Rights

The Controller, as Data Controller, is primarily responsible for responding to Data Subject rights requests (including rights of access, rectification, erasure, restriction, portability, and objection). InkReef will:

  • Promptly notify the Controller if InkReef receives a Data Subject rights request relating to Personal Data processed on behalf of the Controller, without responding to that request directly unless instructed by the Controller.
  • Provide the Controller with reasonable technical assistance — such as data export tools and deletion capabilities — to enable the Controller to fulfill Data Subject requests within applicable legal deadlines, generally 30 days from receipt of a verifiable request.
  • Not charge additional fees for standard Data Subject assistance covered by this DPA, unless the volume of requests is clearly excessive or abusive, in which case InkReef may charge reasonable administrative costs.

The Controller acknowledges that InkReef cannot independently verify the identity of Data Subjects on the Controller’s behalf, and the Controller remains responsible for verifying that a request is legitimate before instructing InkReef to act on it.

6. Data Retention and Deletion

InkReef retains Personal Data only as long as necessary to provide the services, subject to the following:

  • During active subscription:Personal Data is retained for the duration of the Tenant’s active subscription. Data is accessible to the Tenant through the platform at all times.
  • Post-termination grace period: Upon account termination or deletion, Personal Data is retained for a period of 30 days to allow recovery in the event of accidental deletion or billing dispute resolution.
  • Permanent deletion:At the end of the 30-day grace period, all Personal Data associated with the Tenant account — including customer records, orders, invoices, artwork files, and audit logs — will be permanently and irreversibly deleted from InkReef’s systems and those of its Sub-processors, where technically feasible.
  • Export before deletion: The Controller may export all Personal Data at any time via Settings → Account → Data Export before account termination. InkReef recommends performing a full export prior to initiating account deletion.
  • Legal holds: Notwithstanding the foregoing, InkReef may retain Personal Data for a longer period where required by applicable law, legal proceedings, or valid governmental orders. InkReef will notify the Controller of any such legal hold to the extent permitted by law.

The automatic deletion sequence deletes the tenant database (D1) first, then removes the control-plane tenant record. If the D1 deletion fails, the control-plane record is preserved so the deletion can be retried at the next scheduled run.

7. Technical and Organisational Security Measures

InkReef implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:

  • Encryption in transit: All data transmitted between clients and InkReef is encrypted using TLS 1.3 or higher. Connections that do not support TLS 1.2 minimum are rejected.
  • Encryption at rest: Personal Data stored in Neon Postgres and Cloudflare R2 is encrypted at rest using AES-256 encryption managed by Neon and Cloudflare infrastructure respectively.
  • Access controls: Access to tenant data is scoped per-tenant via an AsyncLocalStorage-based request context. No staff-level InkReef access to tenant data is possible without audit log evidence. Platform access is restricted to a small number of authorised personnel via the super-admin panel, protected by its own separate authentication layer.
  • Multi-tenant isolation:Each tenant’s data is stored in a dedicated Neon Postgres database instance, providing strong logical isolation between tenants.
  • Audit logging: All significant actions on Personal Data (create, update, delete, export, login) are recorded in an immutable audit log retained for 180 days.
  • Authentication: Staff accounts support multi-factor authentication (TOTP) and WebAuthn/passkey authentication. Tenant customer portal access uses time-limited magic links.
  • Rate limiting and abuse controls: API endpoints are rate-limited. Failed authentication attempts are throttled to prevent credential stuffing.
  • Vulnerability management: InkReef performs periodic reviews of dependencies and infrastructure. Critical security patches are applied on an expedited basis.
  • Personnel: InkReef personnel with access to Personal Data are subject to confidentiality obligations and receive appropriate data protection training.

InkReef will review and update these measures periodically to reflect changes in technology, risk, and regulatory requirements.

8. Data Breach Notification

In the event of a confirmed Security Incident affecting Personal Data processed on behalf of the Controller, InkReef will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware that a Security Incident has occurred, to the extent that notification is feasible within that timeframe.
  • Provide the Controller with sufficient information to enable the Controller to meet any applicable breach notification obligations under Applicable Data Protection Law, including: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate number of Personal Data records affected; (d) a description of the likely consequences of the Security Incident; and (e) a description of the measures taken or proposed to address the Security Incident.
  • Cooperate with the Controller and take such commercially reasonable steps as directed by the Controller or required by Applicable Data Protection Law to investigate and remediate the Security Incident.
  • Not make any public statement regarding the Security Incident that references the Controller without the Controller’s prior written consent, unless disclosure is required by law.

Notification of a Security Incident is not an admission of fault or liability by InkReef. The Controller, as Data Controller, is responsible for any notification obligations to Data Subjects or regulatory authorities arising from a Security Incident, unless InkReef is separately required by law to provide such notification.

9. International Data Transfers

All Personal Data processed by InkReef is stored and processed in the United States, in Cloudflare’s US-region data centres. InkReef does not intentionally route or store Personal Data in other jurisdictions.

For Controllers established in the European Economic Area (EEA), the United Kingdom, or other jurisdictions that restrict transfers of Personal Data to countries outside their territory:

  • To the extent required, InkReef relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or their UK equivalent, as the lawful transfer mechanism. Execution of SCCs may be requested by contacting legal@inkreef.com.
  • Cloudflare, Inc. participates in the EU-U.S. Data Privacy Framework and maintains its own SCCs for EEA customers.
  • The Controller represents and warrants that it has an appropriate legal basis for transferring Personal Data to InkReef for processing in the United States.

10. Term and Termination

This DPA is effective from the date the Controller accepted the Terms of Service and continues for the duration of the Controller’s subscription to InkReef services. This DPA will automatically terminate upon expiry or termination of the Terms of Service.

Notwithstanding termination of the Terms of Service:

  • InkReef’s data deletion obligations under Section 6 of this DPA survive termination and remain in effect until Personal Data has been fully purged.
  • InkReef’s confidentiality obligations under Section 3 of this DPA survive termination indefinitely.
  • InkReef’s breach notification obligations under Section 8 of this DPA survive termination with respect to any Security Incident discovered prior to the completion of data deletion.

11. Governing Law

This DPA is governed by the laws of the State of California, USA, without regard to its conflict-of-law provisions, except to the extent that mandatory provisions of EU or other applicable data protection law require otherwise. Any disputes arising under this DPA will be resolved in the state or federal courts located in California, and the parties hereby consent to personal jurisdiction in those courts. Where the GDPR or UK GDPR applies, the parties acknowledge the primacy of those regulations over conflicting provisions of this DPA.

12. Contact

For data protection inquiries, requests to execute Standard Contractual Clauses, or to exercise rights under this DPA, contact InkReef at legal@inkreef.com. For general support, contact support@inkreef.com.

Version 1.1  ·  Last updated: April 21, 2026