Processor terms for band-uploaded data.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between BANDVOLT LTD ("Processor", "we", "us") and the band or organisation that uploads personal data about third parties through the BandVolt service ("Controller", "you", "your Band").

This DPA applies when your Band uploads personal data about individuals other than your own Band Members — for example, session-musician contact details in band files, or financial entries that name an individual. In those cases your Band is the controller and we act as processor on your documented instructions as set out in the Terms and this DPA.

Subject matter: processing of personal data uploaded by your Band about third parties within the Service.

Duration: for as long as your Band maintains an Account and the relevant User Content remains stored, plus any retention periods described in our Privacy Policy and the Terms.

Nature and purpose: hosting, storing, displaying, backing up, and transmitting such data to authorised Band Members and Collaborators you designate, and performing technical operations necessary to operate the Service.

Categories of data subjects: session musicians, producers, payees, and other individuals whose personal data your Band uploads.

Categories of personal data: names, contact details, financial entries, receipts, notes, and other identifiers or contact information you choose to store in band files, finances, or related workspace features.

Special categories: we do not require special-category data; your Band must not upload such data unless it has an appropriate lawful basis.

We will process personal data only on your documented instructions as set out in the Terms, this DPA, and your use of the Service (including uploads, sharing settings, and deletion requests you initiate). If we believe an instruction infringes UK GDPR or other applicable data-protection law, we will inform you without undue delay.

Your Band is responsible for ensuring it has a lawful basis for processing and for providing any required notices to data subjects.

We ensure that persons authorised to process personal data on our behalf are subject to confidentiality obligations or a statutory duty of confidentiality.

We implement appropriate technical and organisational measures as described in section 10 of our Privacy Policy, including encryption in transit, provider-level encryption at rest for stored files, access controls, presigned URLs, authentication, and rate limiting.

You authorise us to engage sub-processors listed on our Sub-processors page. We will impose data-protection terms on each sub-processor that are no less protective than this DPA. We will give reasonable notice of material changes and you may object by closing your Account if you reasonably believe a change materially increases risk.

Taking into account the nature of processing, we will assist your Band with responding to data-subject requests (access, rectification, erasure, restriction, portability, and objection) by providing appropriate technical measures and information available to us. Your Band remains responsible for responding to data subjects; contact us at [email protected] for assistance.

We will notify your Band without undue delay after becoming aware of a personal-data breach affecting data we process on your behalf, and provide information reasonably required for your breach notifications to supervisory authorities and data subjects.

On termination of the Service for your Band or on your documented request, we will delete or return personal data processed on your behalf within the timeframes in the Terms and Privacy Policy, except where retention is required by law or permitted for backup overwriting in the ordinary course.

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an independent auditor mandated by you, no more than once per year except where required by a supervisory authority or following a material breach. Audits will be subject to reasonable confidentiality and scheduling constraints and may be satisfied by third-party certifications or summaries where appropriate.

Where personal data is transferred outside the UK, we rely on lawful transfer mechanisms described in section 7 of our Privacy Policy (including the UK IDTA and UK Addendum to EU SCCs).

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms, except that nothing limits liability that cannot be limited under applicable data-protection law.

Data-protection enquiries: [email protected] (mark "FAO the Data Protection Lead").