footer artspoon logo
footer artspoon logo

Art Spoon DATA PROCESSING ADDENDUM

Effective Date: March 1, 2026

This Data Processing Addendum (“DPA”) is entered into by and between:

  1. Art Spoon Inc., a corporation organized under the laws of the State of Delaware, United States, with its principal place of business at 1111B S Governors Ave # 44069 Dover, DE 19904 (“Art Spoon”, “Provider”, “Processor”, “Service Provider”, or “Contractor”, as applicable); and
  2. the customer, client, gallery, artist, business, or other entity that is a party to the applicable services agreement with Art Spoon (“Client”, “Controller”, or “Business”, as applicable),

each a “Party” and together the “Parties.”

This DPA supplements and forms part of the agreement between the Parties governing Art Spoon’s provision of software, websites, applications, marketplace features, and related services (the “Products”) to Client (the “Agreement”).

1. Purpose and Scope

1.1 This DPA governs Art Spoon’s Processing of Personal Data on behalf of Client in connection with the Products.

1.2 This DPA applies to the extent Art Spoon Processes Personal Data:

(a) as a processor on behalf of Client under applicable U.S. state privacy law, including the Delaware Personal Data Privacy Act (“DPDPA”); and/or

(b) as a service provider or contractor on behalf of Client under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA/CPRA”).

1.3 This DPA does not apply to the extent Art Spoon Processes Personal Data as an independent controller or business for Art Spoon’s own operational purposes, including account administration, billing, fraud prevention, security monitoring, legal compliance, service analytics, abuse prevention, enforcement of the Agreement, and operation of Art Spoon-controlled platform functions, directories, and security logs, except to the extent required by Applicable Privacy Law.

1.4 This DPA applies only to Client Personal Data and not to data that Client makes intentionally public through the Products except to the extent Art Spoon continues to Process such data on Client’s behalf.

2. Definitions

2.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means ownership of more than fifty percent (50%) of the voting interests or the power to direct management.

2.2 “Applicable Privacy Law” means all U.S. federal, state, and local privacy, data protection, breach notification, and data security laws applicable to the Processing of Client Personal Data under the Agreement, including, where applicable, the DPDPA and the CCPA/CPRA.

2.3 “Agreement” means the governing services agreement between the Parties, including the General Terms & Conditions of Service, any applicable Product Terms, any signed Order Form, the Privacy Policy, and any other incorporated documents, as applicable.

2.4 “Business Purpose” has the meaning given under the CCPA/CPRA and includes the limited and specified purposes described in the Agreement, this DPA, and Schedule 1.

2.5 “Business User” means any user, gallery, company, organization, or person obtaining the Products primarily for business, commercial, institutional, or professional purposes.

2.6 “Client Personal Data” means Personal Data Processed by Art Spoon on behalf of Client in connection with the Products, including data uploaded, stored, managed, transmitted, or otherwise made available by or at the direction of Client through the Products.

2.7 “Consumer,” “Business,” “Service Provider,” “Contractor,” “Sell,” “Share,” and “Sensitive Personal Information” have the meanings given under the CCPA/CPRA, where applicable.

2.8 “Consumer User” means any individual obtaining the Products primarily for personal, family, or household purposes.

2.9 “Controller,” “Processor,” “Personal Data,” “Process” or “Processing,” and “Data Subject” (or analogous terms) have the meanings given under Applicable Privacy Law, including the DPDPA where applicable.

2.10 “Products” means the software-as-a-service, platform services, marketplace tools, websites, hosting features, search and discovery features, profile tools, and related subscription or transaction-based services made available by Art Spoon under the Agreement.

2.11 “Security Incident” means any actual confirmed unauthorized access to, acquisition of, disclosure of, or use of Client Personal Data in Art Spoon’s possession or control, excluding unsuccessful attempts or events that do not compromise the security of Client Personal Data.

2.12 “Subprocessor” means any third party engaged by or on behalf of Art Spoon to Process Client Personal Data in connection with the Products.

3. Order of Precedence

3.1 This DPA is incorporated into and supplements the Agreement.

3.2 In the event of a conflict between:

(a) this DPA and the Agreement, this DPA will control with respect to the Processing of Client Personal Data;

(b) this DPA and any applicable Product Terms, this DPA will control with respect to the Processing of Client Personal Data;

(c) a signed Order Form expressly overriding a provision of this DPA, the signed Order Form will control only to the extent of that express override.

3.3 Nothing in this DPA reduces either Party’s obligations under Applicable Privacy Law.

4. Roles of the Parties

4.1 The Parties acknowledge that, with respect to Client Personal Data Processed by Art Spoon on behalf of Client in providing the Products:

(a) Client acts as the Controller under the DPDPA (or analogous role under other Applicable Privacy Law), and Art Spoon acts as the Processor; and/or

(b) Client acts as the Business under the CCPA/CPRA, and Art Spoon acts as the Service Provider or Contractor, as applicable.

4.2 Client is responsible for:

(a) determining the purposes and lawful basis for Processing;

(b) providing all notices required by Applicable Privacy Law;

(c) obtaining all consents, permissions, and authorizations required by Applicable Privacy Law;

(d) determining which visibility settings, sharing permissions, publication settings, and access controls apply to Client Personal Data; and

(e) ensuring that its instructions to Art Spoon comply with Applicable Privacy Law.

4.3 If Art Spoon determines the purposes and means of a specific Processing activity beyond Client’s documented instructions, Art Spoon will act as a controller or business with respect to that Processing to the extent required by Applicable Privacy Law.

5. Client Instructions and Processing Limitations

5.1 Art Spoon will Process Client Personal Data only:

(a) on documented instructions from Client, as set out in the Agreement, this DPA, the applicable Product configuration settings selected by Client, or other written instructions;

(b) as necessary to provide the Products and perform the limited and specified Business Purposes set out in the Agreement and Schedule 1; and

(c) as otherwise required by Applicable Privacy Law, in which case Art Spoon will inform Client before such Processing unless prohibited by law.

5.2 Client’s use of the Products, including its selection of:

(a) public, gallery-only, private, password-protected, or other visibility settings;

(b) user roles and permissions;

(c) publication, search listing, and profile display settings;

(d) workflow settings for competition submissions, evaluations, and document generation; and

(e) retention, deletion, or export settings,

constitutes Client’s documented instructions to Art Spoon for the Processing of Client Personal Data as necessary to provide the Products.

5.3 Art Spoon will not:

(a) Sell or Share Client Personal Data;

(b) retain, use, or disclose Client Personal Data for any purpose other than the limited and specified purposes set out in the Agreement and this DPA, including any commercial purpose other than the Business Purposes specified herein, except as otherwise permitted by the CCPA/CPRA;

(c) retain, use, or disclose Client Personal Data outside the direct business relationship between Art Spoon and Client, except as permitted by Applicable Privacy Law; or

(d) combine Client Personal Data received from or on behalf of Client with personal information Art Spoon receives from or on behalf of another person, or collects from its own interaction with a consumer, except as expressly permitted by the CCPA/CPRA or other Applicable Privacy Law.

5.4 Art Spoon certifies that it understands the restrictions in this DPA and will comply with them.

5.5 To the extent Art Spoon receives Sensitive Personal Information or other sensitive Personal Data from Client, Art Spoon will use and disclose such data only as necessary to perform the Products and only in accordance with Client’s instructions and Applicable Privacy Law.

6. Confidentiality and Personnel

6.1 Art Spoon will ensure that all personnel authorized to Process Client Personal Data:

(a) are subject to a duty of confidentiality;

(b) receive appropriate privacy and security training; and

(c) access Client Personal Data only on a need-to-know basis for the purposes of providing the Products.

6.2 Art Spoon will take reasonable steps to ensure the reliability, integrity, and appropriate authorization of personnel with access to Client Personal Data.

7. Security Measures

7.1 Art Spoon will implement and maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Client Personal Data against unauthorized or unlawful access, destruction, loss, alteration, disclosure, or use.

7.2 Such safeguards will take into account:

(a) the nature, scope, context, and purposes of Processing;

(b) the volume and sensitivity of Client Personal Data;

(c) the reasonably foreseeable risks to individuals; and

(d) the state of the art and cost of implementation.

7.3 Art Spoon’s security measures may include, where appropriate:

(a) access controls and role-based permissions;

(b) encryption in transit and at rest, where practicable;

(c) backup and recovery procedures;

(d) logging and monitoring;

(e) vulnerability management and patching;

(f) business continuity and disaster recovery measures;

(g) separation of tenant data through logical segregation; and

(h) controls over public vs. restricted visibility settings.

7.4 Art Spoon may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Client Personal Data during the applicable service term.

8. Assistance with Consumer and Data Subject Requests

8.1 Taking into account the nature of the Processing and the information available to Art Spoon, Art Spoon will provide reasonable assistance to Client, through appropriate technical and organizational measures, to enable Client to respond to:

(a) authenticated or verifiable consumer requests;

(b) requests to access, correct, delete, or obtain a copy of Personal Data;

(c) requests to opt out of selling, sharing, targeted advertising, profiling, or other rights under Applicable Privacy Law;

(d) requests to limit the use or disclosure of Sensitive Personal Information, where applicable; and

(e) requests concerning public profile information, search listing, or content visibility, where such data is controlled by Client through the Products.

8.2 Art Spoon is not required to respond directly to a consumer or data subject request except:

(a) where required by Applicable Privacy Law; or

(b) where expressly instructed in writing by Client.

8.3 If Art Spoon receives a request directly from a consumer or data subject relating to Client Personal Data, Art Spoon may:

(a) direct the requestor to Client;

(b) notify Client of the request; and/or

(c) respond only as required by law or as instructed by Client.

9. Security Incidents and Breach Cooperation

9.1 Art Spoon will notify Client without undue delay after becoming aware of a Security Incident involving Client Personal Data.

9.2 To the extent reasonably available, Art Spoon’s notice will include:

(a) a description of the nature of the Security Incident;

(b) the categories of Client Personal Data affected;

(c) the categories of affected individuals, if known;

(d) the likely consequences of the Security Incident, if known; and

(e) the measures taken or proposed to address and mitigate the Security Incident.

9.3 Art Spoon will take reasonable steps to:

(a) investigate the Security Incident;

(b) contain, mitigate, and remediate the effects of the Security Incident; and

(c) provide reasonable cooperation and information requested by Client to support Client’s compliance with applicable breach notification obligations.

9.4 Art Spoon’s notification of or response to a Security Incident is not an admission of fault or liability.

10. Subprocessors

10.1 Client authorizes Art Spoon to engage Subprocessors to Process Client Personal Data, provided that Art Spoon:

(a) enters into a written agreement with each Subprocessor requiring protections for Client Personal Data that are no less protective than the obligations imposed on Art Spoon under this DPA, as applicable to the nature of the services provided by the Subprocessor; and

(b) remains responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Privacy Law and the Agreement.

10.2 Art Spoon will maintain a current list of Subprocessors, which may be made available by:

(a) a URL designated by Art Spoon;

(b) a support portal; or

(c) another reasonable written means.

10.3 Art Spoon will provide reasonable prior notice of a material addition or replacement of a Subprocessor, which may be provided by posting an updated Subprocessor list or by other written notice.

10.4 Client may object in writing to a new Subprocessor on reasonable data protection grounds within ten (10) business days after notice. If Client objects, the Parties will work in good faith to address the objection. If the Parties cannot resolve the objection in a commercially reasonable manner, Client may terminate the affected Products upon written notice, without penalty for the terminated portion only.

11. Audits, Assessments, and Demonstration of Compliance

11.1 Upon reasonable written request, Art Spoon will make available to Client information reasonably necessary to demonstrate Art Spoon’s compliance with this DPA.

11.2 To the extent required by Applicable Privacy Law and subject to appropriate confidentiality obligations, Art Spoon will allow and cooperate with reasonable assessments by Client or Client’s designated assessor.

11.3 In lieu of permitting an on-site audit, Art Spoon may satisfy its obligations under this Section by providing:

(a) a current third-party audit report;

(b) a security certification;

(c) a completed security questionnaire; and/or

(d) a summary of relevant technical and organizational measures,

provided such materials reasonably demonstrate compliance.

11.4 Any on-site audit or assessment by Client must:

(a) be on at least thirty (30) days’ prior written notice, unless a shorter period is required by law or justified by a confirmed Security Incident;

(b) occur during normal business hours;

(c) be limited to once in any twelve (12) month period, unless otherwise required by law or justified by a confirmed Security Incident;

(d) avoid unreasonable disruption to Art Spoon’s business; and

(e) be conducted under reasonable confidentiality, security, and safety controls.

11.5 Each Party will bear its own costs in connection with an audit, except that Client will bear any third-party auditor costs and any reasonable internal costs incurred by Art Spoon in supporting a Client-requested audit, unless the audit reveals a material breach of this DPA by Art Spoon.

11.6 To the extent required by the DPDPA, Art Spoon will provide, upon request, reports of assessments conducted by a qualified and independent assessor, where available.

12. Data Protection Assessments and Compliance Assistance

12.1 Taking into account the nature of the Processing and the information available to Art Spoon, Art Spoon will provide information reasonably necessary to enable Client to conduct and document any data protection assessments, risk assessments, or impact assessments required under Applicable Privacy Law.

12.2 Art Spoon will provide reasonable assistance to Client in connection with:

(a) compliance inquiries from regulators;

(b) investigations relating to Client’s Processing of Client Personal Data through the Products; and

(c) verification of Art Spoon’s Processing role and safeguards under this DPA.

13. Return and Deletion of Client Personal Data

13.1 Upon termination or expiration of the Agreement, and upon Client’s written request, Art Spoon will:

(a) return Client Personal Data in a commercially reasonable format;

(b) delete Client Personal Data; or

(c) do both, as requested by Client,

except to the extent retention is required by applicable law or reasonably necessary for security logging, backup retention cycles, fraud prevention, dispute resolution, or enforcement of legal rights.

13.2 If return is requested, Client must submit the request within the period specified in the Agreement, the applicable Product Terms, or Art Spoon’s standard offboarding process.

13.3 Where Art Spoon retains Client Personal Data as permitted by law, Art Spoon will continue to protect such retained data in accordance with this DPA and will not actively Process it except as required or permitted by law.

13.4 Upon request, Art Spoon may provide written confirmation that deletion has been completed in accordance with this Section, subject to technical limitations and retained backup systems.

14. Cross-Border and Interstate Data Transfers

14.1 Client authorizes Art Spoon and its Subprocessors to Process Client Personal Data in the United States and in other jurisdictions where Art Spoon or its Subprocessors maintain operations, systems, or support functions, provided that Art Spoon maintains protections required by Applicable Privacy Law and this DPA.

14.2 To the extent additional transfer mechanisms are required by law for a specific transfer scenario, the Parties will cooperate in good faith to adopt commercially reasonable supplemental terms.

15. California-Specific Service Provider / Contractor Terms

15.1 The Parties intend that, where the CCPA/CPRA applies and Client discloses Personal Information to Art Spoon for a Business Purpose, Art Spoon acts as a Service Provider and/or Contractor, and not as a Third Party, with respect to such Personal Information, except where Art Spoon expressly acts as a Business for its own independent purposes described in the Agreement.

15.2 The Parties agree that Personal Information is disclosed to Art Spoon only for the limited and specified purposes described in the Agreement, this DPA, and Schedule 1.

15.3 Art Spoon will comply with applicable obligations under the CCPA/CPRA and will provide the same level of privacy protection as required by the CCPA/CPRA for a Service Provider or Contractor.

15.4 Client has the right to take reasonable and appropriate steps to:

(a) help ensure that Art Spoon uses Personal Information in a manner consistent with Client’s obligations under the CCPA/CPRA; and

(b) upon notice, stop and remediate unauthorized use of Personal Information.

15.5 Art Spoon will promptly notify Client if Art Spoon determines that it can no longer meet its obligations under the CCPA/CPRA.

15.6 To the extent Art Spoon engages another person to assist in Processing Personal Information for a Business Purpose on behalf of Client, Art Spoon will notify Client as required under Section 10 and will bind that person by written contract to privacy obligations no less protective than those set out in this DPA, to the extent required by the CCPA/CPRA.

16. Delaware-Specific Processor Terms

16.1 To the extent the DPDPA applies, Art Spoon will adhere to Client’s instructions and assist Client in meeting Client’s obligations under the DPDPA, taking into account the nature of Processing and the information available to Art Spoon.

16.2 Such assistance includes, where reasonably practicable:

(a) assistance with consumer rights requests;

(b) assistance with security obligations and breach-related obligations; and

(c) providing information necessary for Client to conduct and document data protection assessments.

16.3 Art Spoon will, at Client’s direction, delete or return Personal Data at the end of the services, unless retention is required by law.

16.4 Art Spoon will make available to Client, upon reasonable request, information in Art Spoon’s possession necessary to demonstrate compliance with applicable processor obligations under the DPDPA.

16.5 Art Spoon will allow, and cooperate with, reasonable assessments by Client or Client’s designated assessor, or may arrange for a qualified independent assessor to conduct an assessment and provide a report to Client upon request.

17. Liability

17.1 This DPA does not independently expand either Party’s liability beyond what is provided in the Agreement, except to the extent liability cannot be limited under Applicable Privacy Law.

17.2 Each Party remains responsible for its own compliance with Applicable Privacy Law.

17.3 Nothing in this DPA relieves either Party of the liabilities imposed on it by Applicable Privacy Law by virtue of that Party’s role in the Processing relationship.

18. Governing Law

18.1 This DPA will be governed by the governing law stated in the Agreement, unless Applicable Privacy Law requires a different rule to apply to a specific claim or issue.

18.2 If the Agreement does not specify governing law, this DPA will be governed by the laws of the State of Delaware, without regard to conflict of law principles.

18.3 Nothing in this Section limits rights, remedies, or obligations that arise under non-waivable privacy laws, including California law where applicable.

19. General

19.1 This DPA remains in effect for as long as Art Spoon Processes Client Personal Data on behalf of Client under the Agreement.

19.2 If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA will remain in full force and effect.

19.3 This DPA may be updated by written amendment signed by both Parties, except that Schedule 2 (Subprocessors) and security descriptions may be updated by Art Spoon in accordance with this DPA.

19.4 This DPA may be executed electronically and in counterparts, each of which will be deemed an original.

Schedule 1

Details of Processing

A. Subject Matter of Processing

Art Spoon’s provision of the Products to Client under the Agreement, including account administration features made available to Client, artwork and content storage, access and visibility controls, profile tools, website hosting features, document generation, search and discovery features, competition submission workflows, and related support functionality.

B. Nature of Processing

Collection, recording, storage, hosting, organization, structuring, consultation, retrieval, use, display, access control, transmission, publication at Client’s direction, internal indexing, search listing, sharing with authorized recipients selected by Client, generation of documents and hosted pages, deletion, export, and other Processing activities necessary to provide the Products.

C. Purpose of Processing

To provide, maintain, secure, support, and improve the Products for Client; to enable Client to manage artworks, profiles, CVs, exhibition histories, applications, evaluations, hosted pages, and related content; and to perform the specific limited and specified Business Purposes described in the Agreement.

D. Duration of Processing

For the duration of the Agreement, plus any post-termination retention period permitted under the Agreement, this DPA, or Applicable Privacy Law.

E. Categories of Data Subjects

As applicable to Client’s use of the Products, including:

  1. Client’s employees, administrators, users, agents, contractors, and authorized representatives;
  2. artists, galleries, curators, jurors, evaluators, applicants, collaborators, and invited viewers;
  3. Client’s customers, collectors, prospects, website visitors, subscribers, and professional contacts;
  4. vendors, suppliers, and service providers; and
  5. any other individuals whose Personal Data Client submits to the Products.

F. Categories of Personal Data

As applicable to Client’s use of the Products, including:

  1. identity data (name, stage name, title, account name, profile identifier);
  2. contact data (email, phone number, postal address);
  3. account and authentication data;
  4. professional and profile data (biography, artist CV, exhibition history, organization affiliation, role);
  5. artwork-related metadata and associated contact/profile data submitted by Client;
  6. competition and submission data (application content, statements, supporting materials, evaluation comments, rankings, workflow metadata);
  7. transaction and billing-related metadata;
  8. communication data;
  9. internet or device data (IP address, browser/device details, logs);
  10. preference, permission, and visibility-setting data; and
  11. any other Personal Data Client chooses to upload or make available through the Products.

G. Sensitive Personal Data / Sensitive Personal Information

Only to the extent Client chooses to upload or otherwise submit such information, and only where permitted by the Agreement and Applicable Privacy Law.

H. Art Spoon Feature-Specific Processing Contexts

To the extent enabled by Client, Processing may occur in the following contexts:

  1. Artwork Storage and Access Controls

Storage and management of artwork records, images, files, and associated metadata, with access and visibility settings selected by Client, including public, gallery-only, private, restricted, or password-protected access states.

  1. Artist and Gallery Profiles

Hosting and management of public or restricted profiles, including artist biographies, gallery information, CVs, exhibition histories, and profile media, as directed by Client.

  1. Document Generation

Creation, storage, export, and sharing of documents generated from Client-provided data, including portfolio materials, profile outputs, and workflow-related documents.

  1. Website Hosting and Public Pages

Hosting of profile pages, microsites, and website content that Client chooses to publish, together with the associated profile and contact information included by Client.

  1. Search and Discovery Features

Indexing and display of profile and content information that Client designates for search visibility, including /search and related internal or public discovery surfaces, as configured by Client.

  1. Competition and Open Call Submission

Collection, routing, storage, and display of application materials, supporting documents, profile information, and related workflow data submitted by or on behalf of Client.

  1. Evaluation and Review Workflows

Processing of scoring, ranking, comments, reviewer notes, review assignments, and related workflow metadata for galleries, jurors, evaluators, or other authorized users acting under Client’s configuration.

I. Client Instructions by Configuration

Client acknowledges that its use of Product settings—such as visibility controls, search listing options, publishing tools, user permissions, and workflow configuration—constitutes documented instructions for Art Spoon to Process Client Personal Data accordingly.

Schedule 2

Subprocessors

Art Spoon may maintain its current list of Subprocessors at: https://artspoon.io/legal/data-sub-processors

If no URL is provided, Art Spoon will make the current list available upon written request or through Client’s account or support portal.

Subprocessors may include, as applicable:

  1. cloud hosting and infrastructure providers;
  2. database and storage providers;
  3. email and communications providers;
  4. logging, monitoring, and security providers;
  5. customer support tools;
  6. payment and billing processors (to the extent applicable to Client Personal Data under Client’s instructions); and
  7. other vendors reasonably necessary to support the Products.

Schedule 3

Security Measures Summary

Art Spoon maintains commercially reasonable administrative, technical, and physical safeguards that may include:

  1. access controls, least-privilege permissions, and authentication controls;
  2. encryption in transit and, where appropriate, encryption at rest;
  3. system monitoring, audit logging, and incident response processes;
  4. secure software development and change management practices;
  5. vulnerability scanning, patching, and security maintenance;
  6. backup, redundancy, and disaster recovery procedures;
  7. workforce confidentiality obligations and role-based training;
  8. vendor and Subprocessor security review procedures;
  9. logical segregation of customer environments and data where appropriate; and
  10. controls supporting Client-configured visibility, sharing, and access restrictions.

Art Spoon may update these safeguards from time to time, provided that the overall level of security for the Products is not materially reduced during the applicable service term.