Data Processing Agreement

1. Parties and definitions

2. Subject matter and nature of processing

SonicBridge processes personal data on your behalf in order to provide the Services.

• Categories of data subjects: Artists, producers, and other music professionals whose data you submit to the platform.
• Categories of personal data: Names, email addresses, profile information, audio content, genre and music metadata, submission data.
• Nature and purpose: Hosting, routing, and delivering music submissions to tastemakers; generating Track Protection certificates; producing campaign one-sheets and performance reports.
• Duration: For the duration of your account plus any legally required retention period.

3. Processor obligations

SonicBridge undertakes to:

• Process personal data only on your documented instructions (as expressed through your use of the platform), unless required otherwise by EU or Slovak law.
• Ensure persons authorised to process the personal data have committed to confidentiality.
• Implement appropriate technical and organisational security measures as described in our Privacy Policy (Section 9).
• Not engage sub-processors other than those listed in our Privacy Policy (Section 4) without giving you prior notice and an opportunity to object.
• Assist you in responding to data subject requests and in meeting your GDPR obligations regarding security, breach notification, DPIAs, and prior consultation.
• Upon termination of the Services, delete or return all personal data and delete existing copies, unless retention is required by law.
• Make available all information necessary to demonstrate compliance with GDPR Article 28, and allow for audits or inspections by you or a mandated auditor, subject to reasonable advance notice and confidentiality obligations.

4. Controller obligations

You undertake to:

• Ensure you have a lawful basis for submitting personal data to SonicBridge.
• Provide appropriate privacy notices to data subjects whose data you submit.
• Ensure the data is accurate and limited to what is necessary for the Services.
• Not instruct SonicBridge to process personal data in a way that violates GDPR or applicable law.

5. Sub-processors

SonicBridge uses the sub-processors listed in Section 4 of the Privacy Policy. All sub-processors are bound by data processing agreements and, where applicable, Standard Contractual Clauses for transfers outside the EEA. You authorise the use of these sub-processors by accepting this DPA. SonicBridge will notify you of any new sub-processor additions.

6. International transfers

Transfers of personal data outside the EEA are governed by Standard Contractual Clauses (2021/914/EU — Module 3, Processor to Processor) or the EU-US Data Privacy Framework where applicable. Full details are available on request.

7. Security incidents

In the event of a personal data breach (as defined in GDPR Art. 4(12)), SonicBridge will notify you without undue delay and in any event within 72 hours of becoming aware, providing the information required under GDPR Article 33(3) to the extent available at that time.

8. Liability

Each party shall be liable for damages caused by processing in breach of this DPA. SonicBridge's total liability under this DPA is subject to the limitations in the Terms of Service.

9. Governing law

This DPA is governed by Slovak law and GDPR. Any disputes shall be resolved in the courts of Bratislava, Slovakia.

10. How to execute this DPA

Business customers who require a countersigned DPA should email legal@sonicbridge.io with subject line “DPA Request — [your company name]”. We will provide a countersigned copy within 5 business days.