Data Processing Agreement
Last updated: 17 June 2026
This Data Processing Agreement ("DPA") sets out the terms on which Dawid Zbiński (the "Provider", "Processor") processes personal data entrusted by you ("Client", "Controller") when you use the Createen service (the "Service").
This DPA forms an integral part of the Terms of Service and is entered into when you accept the Terms (create an account). If you use the Service on behalf of an organization, you confirm you are authorized to enter into this DPA on its behalf. Matters not covered here are governed by the Privacy Policy and the Terms.
§1 Definitions
Capitalized terms have the meaning given in the Terms. In addition:
- Personal Data — personal data within the meaning of Article 4(1) GDPR that the Client enters into the Service or otherwise provides to the Provider in order to perform the service contract.
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
- Controller — the Client (User) that determines the purposes and means of processing the Personal Data it entrusts to the Provider.
- Processor — the Provider, processing Personal Data on behalf of the Controller.
- Sub-processor — an entity to which the Provider entrusts further processing of Personal Data, as listed in Annex 1.
- Service contract — the contract between the Client and the Provider under the Createen Terms of Service.
§2 Subject of the processing
Pursuant to Article 28(3) GDPR, the Controller entrusts the Provider with the processing of Personal Data in the scope and for the purposes set out in this DPA, and the Provider undertakes to process the entrusted Personal Data in accordance with this DPA, the GDPR and applicable law.
The Controller declares that it is entitled to process the entrusted Personal Data in the scope and for the purposes set out below and that it has a valid legal basis for such processing. The Provider processes Personal Data solely for, and to the extent necessary for, providing the Service and does not use it for its own purposes.
§3 Nature, purpose, scope and duration of processing
3.1 Nature and purpose
Processing is continuous and is carried out exclusively by means of IT systems (no paper files). The purpose of processing is to provide the Service in accordance with the Terms, including: hosting and storing workspace data, managing clients, projects and tasks, uploading and reviewing media, handling invoices and payments, content scheduling, maintaining a communication (CRM) history, and sending transactional notifications.
3.2 Types (categories) of Personal Data
- Identification and contact data — name, business name, position/role, address, email address, phone number, tax identifiers (NIP, REGON, EU VAT ID);
- Billing and transaction data — invoice files uploaded to the Service, fields read from invoices, payment records, amounts, currencies and dates;
- Content and media — media files, documents, notes, comments, schedules and tasks, and other data entered by the Client;
- Review data — the external reviewer's email address and the content of review comments and decisions;
- Technical data — limited data associated with the above, necessary to operate and secure the Service.
The Client undertakes not to entrust, via the Service, special categories of data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR), unless it holds a separate valid legal basis and informs the Provider accordingly.
3.3 Categories of data subjects
- the Client's clients managed within the Service, and their contractors and prospects (leads);
- representatives, employees and collaborators of the Client and its clients;
- external reviewers invited by the Client to review media;
- persons who upload media via a public upload link shared by the Client.
3.4 Duration
The Provider processes the entrusted Personal Data for the term of the service contract. Upon its end, the Provider — at the Controller's choice — deletes or returns the Personal Data and deletes existing copies, unless further retention is required by law (see §4(9)).
§4 Obligations of the Provider
The Provider undertakes to:
- Process only on documented instructions. This DPA, the Terms, and the actions the Client takes in the Service constitute documented instructions. The Provider will promptly inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection law.
- Ensure confidentiality — ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality, both during and after their engagement.
- Implement security measures — apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as referred to in Article 32 GDPR, taking into account the state of the art and the cost of implementation. The measures adopted are set out in Annex 2.
- Sub-processing — comply with the conditions for engaging sub-processors set out in §5.
- Assist with data-subject rights — insofar as possible, assist the Controller, through appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR.
- Assist with Articles 32–36 GDPR — assist the Controller in ensuring security of processing, breach notification, data-protection impact assessments (DPIA) and prior consultation with the supervisory authority, taking into account the nature of processing and the information available to the Provider.
- Notify breaches — notify the Controller of any confirmed Personal Data breach without undue delay, and no later than 48 hours after becoming aware of it, to the email address associated with the Controller's account. The notification will include at least the information referred to in Article 33(3) GDPR, to the extent available to the Provider.
- Make available information and allow audits — make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as set out in §6.
- Delete or return data — at the end of the provision of the Service, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless Union or national law requires continued storage. Where feasible, the Provider makes data export available to the Client for a reasonable period before deletion.
§5 Sub-processing
The Controller gives a general authorization for the Provider to engage the sub-processors listed in Annex 1, noting that not every one of them processes every Client's data — the actual involvement of a given sub-processor depends on the Service features the Client uses.
- The Provider informs the Controller of intended changes concerning the addition or replacement of sub-processors (an update of Annex 1), giving the opportunity to raise a reasoned objection. A change to Annex 1 constitutes a change to this DPA under the procedure set out in the Terms.
- The Provider imposes on each sub-processor, by contract, the same data-protection obligations as set out in this DPA. The Provider remains fully liable to the Controller for the sub-processor's performance of its obligations.
- Transfers of Personal Data to a third country (outside the EEA) take place only with the appropriate safeguards required by Chapter V GDPR (Articles 44–50), in particular Standard Contractual Clauses (SCCs) or on the basis of an adequacy decision.
- Disclosure to the Provider's legal, tax or audit advisors, to the extent necessary for their services, does not constitute sub-processing — those entities act as separate controllers bound by professional confidentiality.
§6 Audit rights
The Controller may verify the Provider's compliance with this DPA on the following terms:
- an audit may be conducted no more than once a year and last no longer than one business day; each party bears its own audit costs;
- the Controller gives the Provider at least 14 days' notice; the audit takes place on business days between 9:00 and 17:00, remotely, in a manner causing the least possible disruption to the Provider's operations;
- auditors may not be competitors of, or entities related to, the Provider and must commit to confidentiality and respect the Provider's internal procedures and security policies;
- the audit may not cover information or documents relating to the Provider's other Clients or its trade secrets;
- the audit is documented in a report; the Controller may issue written recommendations to be implemented within a reasonable period of no less than 30 business days; recommendations must comply with the GDPR and be objectively justified and feasible.
The Provider may satisfy the obligation to make information available (§4(8)) by providing documentation, certificates or audit reports regarding the security measures it applies.
§7 Liability
The Provider's liability is governed by the Terms. The Provider is not liable to third parties for damage arising from processing of Personal Data inconsistent with this DPA where it results from the Controller's instructions infringing the GDPR or other law, or from the Controller's lack of a valid legal basis. The Controller indemnifies the Provider against third-party claims arising from such infringements.
§8 Final provisions
- This DPA constitutes the parties' entire agreement on the entrustment of Personal Data processing for the purposes of providing the Service and supersedes prior arrangements on that subject.
- Changes to this DPA and its Annexes follow the Terms-modification procedure. The Client may not terminate over a change concerning a sub-processor it does not use or a Service feature it does not use.
- In the event of a conflict between this DPA and the Terms, this DPA prevails on matters concerning the processing of Personal Data.
- Matters not covered are governed by the GDPR and Polish law.
- Questions about this DPA may be directed to support@createen.pl.
Annex 1 — Sub-processors
A listing below does not mean a given entity processes every Client's data — actual involvement depends on the Service features the Client uses.
| Sub-processor | Location | Purpose / scope of processing |
|---|---|---|
| netcup GmbH | Germany (EEA) | Server infrastructure hosting the application and database (PostgreSQL) — all Service data at rest |
| Cloudflare, Inc. (R2) | USA / global network | Object storage for uploaded media and invoice files |
| Anthropic, PBC | USA / Ireland | AI-assisted reading of fields from uploaded invoices |
| Resend, Inc. | USA | Delivery of email (transactional and, optionally, product) messages |
| PostHog, Inc. | Hosted in the European Union | Non-invasive in-app product analytics (session replay disabled; typed content not recorded) |
Marketing-site analytics (Google Tag Manager / Google Analytics) operate only on the marketing surface and only with the visitor's consent; they do not process the Client's entrusted Personal Data and do not constitute sub-processing under this DPA (see the Cookie Policy).
Annex 2 — Technical and organizational measures
The Provider applies at least the following security measures (Article 32 GDPR):
- encryption of data in transit (HTTPS/TLS);
- passwords stored only in hashed form (argon2id), never as plain text;
- token-based authentication in HttpOnly cookies and optional two-factor authentication (TOTP);
- role-based access control (RBAC) and strict data isolation between client workspaces;
- file storage in object storage accessible only via short-lived, signed URLs (binary files never pass through the application server);
- rate limiting on public and sensitive endpoints;
- limited server logs with redaction of sensitive data;
- regular software updates and database backups.