Data Processing Agreement
Effective Date: June 1, 2026 | Version 1.0 | Document ID: DPA-RLR-2026-001
This document was generated on June 1, 2026 and is legally binding upon acceptance. This Data Processing Agreement ("DPA") forms part of the Terms of Service between THRY ARCHIVE LLC and the Controller (as defined below). In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
1. Parties and Definitions
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The individual or entity that has registered an account and/or label with the Record Label Registry ("you," "your," or "Controller"). The Controller determines the purposes and means of the processing of Personal Data submitted to the Service.
- Processor: THRY ARCHIVE LLC, a limited liability company organized under the laws of the United States, operating the Record Label Registry at recordlabelregistry.com ("THRY ARCHIVE," "we," "us," "our," or "Processor").
1.2 Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, without limitation, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act ("CCPA"), and any other applicable data protection legislation.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed by the Processor on behalf of the Controller. Data Subjects may include, without limitation, the Controller's employees, representatives, artists, and other individuals whose information is submitted to the Service.
- "Personal Data" means any information relating to a Data Subject that is submitted to, collected by, or processed through the Service, including but not limited to names, email addresses, business contact information, financial data, and any other data defined as "personal data," "personal information," or equivalent under Applicable Data Protection Law.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
- "Supervisory Authority" means an independent public authority established by an EU Member State, the United Kingdom, or any other jurisdiction pursuant to Applicable Data Protection Law, which is responsible for monitoring the application of data protection legislation.
- "Service" means the Record Label Registry platform operated by THRY ARCHIVE LLC at recordlabelregistry.com, including all related APIs, tools, features, and functionality.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Processor.
1.3 Relationship to Terms of Service
This DPA supplements and forms an integral part of the Terms of Service. This DPA shall apply to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Service. Where the Terms of Service conflict with this DPA on matters relating to data protection, this DPA shall take precedence.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller in order to provide the Record Label Registry services, which include label registration, public directory listing, verification, analytics, compliance checking, and related administrative functions.
2.2 Categories of Data Processed
In the course of providing the Service, the Processor may process the following categories of Personal Data:
- Label registration data, including label name, year founded, country of operation, genre classifications, and label descriptions.
- Business contact information, including names, email addresses, phone numbers, and mailing addresses of label representatives.
- Artist roster data, including artist names and associated label affiliations.
- Streaming analytics and digital service provider (DSP) profile data submitted by or on behalf of the Controller.
- Verification materials, including links to websites, social media profiles, DSP pages, and any documentation submitted in support of a verification application.
- Corporate entity filings and business registration information where voluntarily provided.
- Financial and billing data processed via Stripe, including transaction identifiers, billing addresses, and payment status (but not full payment card numbers, which are processed and stored exclusively by Stripe).
2.3 Purpose of Processing
The Processor shall process Personal Data solely for the following purposes:
- Providing and operating the Record Label Registry, including registration, directory listing, and search functionality.
- Processing and evaluating verification applications.
- Generating analytics reports and insights for the Controller.
- Conducting compliance checks and fraud prevention measures.
- Processing payments and managing billing through Stripe.
- Sending transactional communications, including account notifications, verification status updates, and service announcements via Resend.
- Maintaining the security and integrity of the Service.
- Complying with applicable legal obligations.
3. Data Categories and Data Subjects
The following table sets forth the categories of Personal Data processed, the Data Subjects affected, and the applicable retention periods.
| Data Category | Data Subjects | Retention Period |
|---|---|---|
| Account Data: Name, email, hashed password, account preferences | Label owners, authorized representatives | Duration of account plus 30 days after deletion request |
| Label Profile Data: Label name, description, year founded, country, genres, website, social links | Label owners, authorized representatives | Duration of registration plus 90 days after removal |
| Artist Data: Artist names, roster affiliations, DSP profile links | Artists affiliated with registered labels | Duration of label registration plus 90 days |
| Verification Data: Website URLs, DSP links, social media profiles, supporting documentation | Label owners, authorized representatives | Duration of verification status plus 1 year after expiration |
| Financial Data: Transaction IDs, billing addresses, payment status, invoice records | Label owners, billing contacts | 7 years (statutory financial record retention) |
| Usage Analytics: Page views, search queries, feature usage, session data | All Service users | 12 months in identifiable form; indefinitely in aggregated or anonymized form |
| Corporate Entity Data: Business registration details, EIN/tax identifiers, corporate filings | Label owners, corporate officers | Duration of account plus 3 years after termination |
| API Usage Data: API keys, request logs, endpoint access patterns, IP addresses | API consumers, label owners, developers | 12 months for request logs; duration of account for API keys |
The Processor shall not process Personal Data for any purpose other than those specified in this DPA and the Terms of Service, unless required by Applicable Data Protection Law. Where the Processor is required by law to process Personal Data for another purpose, it shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
4. Obligations of the Processor
4.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Applicable Data Protection Law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest. The Controller's instructions are documented in this DPA, the Terms of Service, and any subsequent written instructions provided by the Controller.
4.2 Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access to perform their duties in connection with the Service.
4.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as required by Article 32 of the GDPR and equivalent provisions of Applicable Data Protection Law. These measures are further described in Section 6 of this DPA.
4.4 Assistance with Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights as laid down in Chapter III of the GDPR or equivalent provisions of Applicable Data Protection Law. The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly. The Processor shall not respond to any such request without the Controller's prior written authorization, unless required by Applicable Data Protection Law.
4.5 Assistance with Compliance Obligations
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 through 36 of the GDPR (or equivalent provisions of Applicable Data Protection Law), taking into account the nature of Processing and the information available to the Processor. This includes assistance with data protection impact assessments and prior consultations with Supervisory Authorities where required.
4.6 Data Deletion and Return
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of the Service, and shall delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. The procedures for data deletion and return are further described in Section 10 of this DPA.
4.7 Audit Information
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 of the GDPR (or equivalent provisions of Applicable Data Protection Law). The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the terms set forth in Section 11 of this DPA.
4.8 Notification of Instruction Violations
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR, UK GDPR, or other Applicable Data Protection Law. The Processor may suspend performance of the relevant instruction until the Controller confirms or modifies the instruction in writing.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller hereby provides general written authorization for the Processor to engage the following Sub-processors in connection with the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | PostgreSQL database hosting and management | United States |
| Vercel Inc. | Application hosting, deployment, and edge network infrastructure | United States |
| Stripe, Inc. | Payment processing, billing management, and financial transaction handling | United States / European Union |
| Resend, Inc. | Transactional email delivery and communication services | United States |
5.2 Obligations Regarding Sub-processors
The Processor shall:
- Impose on each Sub-processor, by way of a written contract, data protection obligations that are substantially similar to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures such that the Processing meets the requirements of Applicable Data Protection Law.
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations. Where a Sub-processor fails to fulfill its data protection obligations, the Processor shall remain liable to the Controller for the performance of that Sub-processor's obligations.
- Conduct due diligence on each Sub-processor's data protection practices before engagement and on a periodic basis thereafter.
5.3 Changes to Sub-processors
The Processor shall notify the Controller in writing (including by email) at least fourteen (14) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall include the identity of the proposed Sub-processor, the location of Processing, and a description of the Processing activities.
The Controller may object to the appointment of a new or replacement Sub-processor by providing written notice to the Processor within fourteen (14) days of receiving the Processor's notification. The objection must state reasonable grounds relating to data protection. If the Controller objects, the Processor shall use reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable alternative. If the Processor cannot provide an alternative within thirty (30) days of receiving the objection, either party may terminate the affected portion of the Service by providing written notice to the other party.
6. Security Measures
6.1 Technical Measures
The Processor shall implement and maintain the following technical security measures:
- Encryption in Transit: All data transmitted between the Service and end users, as well as between the Service and Sub-processors, is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
- Encryption at Rest: All Personal Data stored in the database (Neon PostgreSQL) is encrypted at rest using AES-256 encryption or equivalent industry-standard encryption algorithms.
- Access Controls: Role-based access control (RBAC) is implemented to restrict access to Personal Data to authorized personnel only. Administrative access requires multi-factor authentication.
- Password Security: User passwords are hashed using bcrypt or equivalent cryptographic hashing algorithms. Plaintext passwords are never stored or logged.
- Network Isolation: Database systems are deployed within isolated network environments and are not directly accessible from the public internet.
- Database Backups: Automated database backups are performed on a regular schedule. Backup data is encrypted and stored in geographically separate locations.
6.2 Organizational Measures
- Audit Logging: The Processor maintains audit logs of access to Personal Data, including timestamps, user identifiers, and actions performed. Audit logs are retained for a minimum of 12 months.
- Security Assessments: The Processor conducts regular security assessments, including vulnerability scanning and code review, to identify and remediate potential security risks.
- Incident Response: The Processor maintains documented incident response procedures, including identification, containment, eradication, recovery, and post-incident review. Incident response procedures are tested periodically.
- Personnel Training: All personnel with access to Personal Data receive training on data protection obligations and security best practices.
- Vendor Security Review: The Processor evaluates the security posture of all Sub-processors prior to engagement and on an ongoing basis.
6.3 Review and Update
The Processor shall regularly review and, where necessary, update the security measures described in this Section to ensure continued appropriateness in light of the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects.
7. Data Breach Notification
7.1 Notification Obligation
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident involving Personal Data processed under this DPA. Notification shall be made to the Controller's registered email address and, where applicable, to the email address designated for data protection matters.
7.2 Content of Notification
The notification shall include, to the extent reasonably available at the time of notification, the following information:
- A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of the Processor's point of contact from whom further information may be obtained.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken by the Processor to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 Supplemental Information
Where it is not possible to provide all information at the time of the initial notification, the Processor shall provide the information in phases without further undue delay as additional details become available. The Processor shall document all Security Incidents, including the facts surrounding the incident, its effects, and the remedial actions taken.
7.4 Processor Obligations Following a Breach
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Security Incident. The Processor shall not inform any third party of a Security Incident without first obtaining the Controller's prior written consent, unless notification is required by Applicable Data Protection Law, in which case the Processor shall, to the extent permitted by law, inform the Controller of such requirement before making the disclosure.
8. International Data Transfers
8.1 Primary Processing Location
Personal Data is primarily processed and stored in the United States. The Processor's primary infrastructure providers (Neon, Vercel, and Resend) operate data centers located in the United States. Stripe processes payment data in both the United States and the European Union, depending on the location of the Data Subject.
8.2 Transfers from the EEA and UK
To the extent that Personal Data originating from the European Economic Area ("EEA") or the United Kingdom is transferred to the United States or any other country not deemed to provide an adequate level of data protection, the Processor shall ensure that appropriate safeguards are in place in accordance with Article 46 of the GDPR or equivalent provisions of UK GDPR. Such safeguards may include:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as supplemented where necessary by additional safeguards. The Controller may request execution of SCCs at any time by contacting the Processor at the address set forth in Section 14 of this DPA.
- Reliance on the EU-US Data Privacy Framework, where the Processor or its Sub-processors are certified participants. The Processor shall notify the Controller if any Sub-processor withdraws from or loses its certification under the Data Privacy Framework.
- Any other lawful transfer mechanism approved under Applicable Data Protection Law.
8.3 Transfer Impact Assessment
The Processor shall, upon the Controller's request, cooperate in conducting a transfer impact assessment to evaluate whether the laws and practices of the destination country provide an adequate level of protection for Personal Data. The Processor shall implement any additional supplementary measures identified as necessary through such an assessment.
9. Data Subject Rights
9.1 Scope of Assistance
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including but not limited to:
- Right of Access: Providing copies of Personal Data processed on behalf of the Controller.
- Right to Rectification: Correcting inaccurate or incomplete Personal Data upon the Controller's instruction.
- Right to Erasure: Deleting Personal Data in accordance with the Controller's instruction, subject to any legal retention obligations.
- Right to Restriction of Processing: Restricting Processing activities as directed by the Controller.
- Right to Data Portability: Providing Personal Data in a structured, commonly used, and machine-readable format upon request.
- Right to Object: Ceasing Processing activities where the Data Subject has exercised a valid objection, as directed by the Controller.
9.2 Response Timeline
The Processor shall respond to verified Data Subject requests within thirty (30) days of receipt. Where the complexity or volume of requests necessitates additional time, the Processor may extend this period by an additional sixty (60) days, provided that the Controller and the Data Subject are informed of such extension and the reasons for the delay within the initial thirty-day period.
9.3 Submitting a Data Subject Access Request (DSAR)
Data Subjects or Controllers may submit a DSAR through any of the following channels:
- Email: Send a request to privacy@recordlabelregistry.com with the subject line "Data Subject Access Request."
- Contact Form: Use the contact form and select "Privacy / Data Request" as the subject.
- Postal Mail: Send a written request to THRY ARCHIVE LLC, Attn: Data Protection (see Section 14 for details).
The Processor shall verify the identity of the Data Subject or the authority of the Controller's representative before processing any DSAR. The Processor may request additional information necessary to confirm identity where reasonable.
10. Data Retention and Deletion
10.1 Retention Policy
The Processor retains Personal Data in accordance with the retention periods set forth in Section 3 of this DPA and the Privacy Policy. The Processor shall not retain Personal Data for longer than is necessary for the purposes for which it is processed, except where retention is required by Applicable Data Protection Law or other applicable legal obligations (including, without limitation, tax and financial record-keeping requirements).
10.2 Upon Termination
Upon termination or expiration of the Service agreement, the following procedures shall apply:
- Export Window: The Controller shall have thirty (30) days from the date of termination to export all Personal Data using the data export functionality provided by the Service. The Processor shall make export tools available for this purpose during the export window.
- Deletion: Following the expiration of the thirty-day export window, the Processor shall delete all Personal Data within ninety (90) days, except where retention is required by Applicable Data Protection Law, financial record-keeping obligations, or other mandatory legal requirements.
- Backup Deletion: Personal Data contained in backup systems shall be deleted in accordance with the Processor's regular backup rotation schedule, which shall not exceed ninety (90) days from the date of deletion from primary systems.
10.3 Certification of Deletion
Upon written request from the Controller, the Processor shall provide a written certification confirming that all Personal Data has been deleted in accordance with this Section, except where retention is required by law. The certification shall specify any categories of data retained pursuant to legal obligations and the applicable retention period.
11. Audit Rights
11.1 Right to Audit
The Controller shall have the right to audit the Processor's compliance with this DPA no more than once per calendar year, unless a Security Incident or a reasonable suspicion of non-compliance necessitates an additional audit. The Controller shall provide the Processor with at least thirty (30) days' prior written notice of any audit request.
11.2 Audit Procedures
Audits shall be conducted in a manner that minimizes disruption to the Processor's operations. The Processor shall:
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR (or equivalent provisions of Applicable Data Protection Law).
- Allow for and contribute to audits, including inspections, by the Controller or a qualified third-party auditor mandated by the Controller, provided that such auditor is bound by appropriate confidentiality obligations.
- Cooperate with reasonable requests for information, interviews with relevant personnel, and inspection of relevant systems and documentation.
11.3 Third-Party Audit Reports
The Controller agrees that, where available, a current SOC 2 Type II audit report (or equivalent third-party certification) conducted by a qualified independent auditor may be accepted in lieu of an on-site audit, provided that the report adequately addresses the Controller's audit objectives. The Processor shall make such reports available to the Controller upon written request, subject to confidentiality obligations.
11.4 Audit Costs
Each party shall bear its own costs in connection with any audit conducted under this Section. The Controller shall reimburse the Processor for reasonable time and expenses incurred by the Processor in connection with any audit that exceeds one business day in duration, at rates to be agreed upon in advance.
12. Term and Termination
12.1 Term
This DPA shall become effective on the date the Controller first accepts the Terms of Service or begins using the Service (whichever occurs first) and shall remain in effect for the duration of the Processor's Processing of Personal Data on behalf of the Controller.
12.2 Survival
This DPA shall survive termination or expiration of the Service agreement for as long as the Processor retains any Personal Data processed on behalf of the Controller. The obligations set forth in Sections 4 (Obligations of the Processor), 6 (Security Measures), 7 (Data Breach Notification), 10 (Data Retention and Deletion), and 11 (Audit Rights) shall survive termination of this DPA.
12.3 Termination for Breach
Either party may terminate this DPA if the other party materially breaches any provision of this DPA and fails to cure such breach within thirty (30) days of receiving written notice specifying the nature of the breach and the actions required to cure it. In the event of termination for breach by the Processor, the Controller's rights under Sections 10 (Data Retention and Deletion) and 11 (Audit Rights) shall remain in full force and effect until all Personal Data has been deleted or returned in accordance with this DPA.
13. Governing Law
13.1 Primary Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the State of Delaware, unless otherwise required by Applicable Data Protection Law.
13.2 GDPR Applicability
To the extent that the Processing of Personal Data is subject to the GDPR, the provisions of the GDPR shall apply in addition to the provisions of this DPA. Where the GDPR requires a higher standard of data protection than that provided by Delaware law, the GDPR standard shall prevail with respect to Personal Data of Data Subjects located in the European Economic Area.
13.3 UK GDPR Applicability
To the extent that the Processing of Personal Data is subject to the UK GDPR, the provisions of the UK GDPR and the UK Data Protection Act 2018 shall apply in addition to the provisions of this DPA. Where the UK GDPR requires a higher standard of data protection than that provided by Delaware law, the UK GDPR standard shall prevail with respect to Personal Data of Data Subjects located in the United Kingdom.
14. Contact
For all inquiries relating to this Data Processing Agreement, data protection matters, or the exercise of rights under this DPA, please contact:
THRY ARCHIVE LLC
Attn: Data Protection
Email: privacy@recordlabelregistry.com
Website: recordlabelregistry.com/contact
The Processor shall respond to all data protection inquiries within thirty (30) days of receipt. For urgent matters relating to Security Incidents, please include "URGENT: Security Incident" in the subject line of your communication.
15. Agreement Acceptance
By creating an account with the Record Label Registry, accessing the Service, or continuing to use the Service after the effective date of this DPA, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the Controller and the Processor with respect to the Processing of Personal Data in connection with the Service.
If you require a countersigned copy of this Data Processing Agreement for your records or for compliance purposes, please contact privacy@recordlabelregistry.com with the subject line "DPA Countersignature Request." A countersigned copy will be provided within ten (10) business days of receipt of a valid request.
Record Label Registry is operated by THRY ARCHIVE LLC. This document is provided for informational and contractual purposes. Nothing in this DPA shall be construed as legal advice. The Controller is encouraged to seek independent legal counsel regarding its data protection obligations.