Data Processing Agreement
The data processing terms that apply when Reshot processes Customer Personal Data on behalf of customers.
Effective: May 10, 2026
Summary
This Data Processing Agreement ("DPA") applies when Reshot processes Customer Personal Data on behalf of a customer, including personal data that appears in screenshots, capture configurations, published assets, webhook payloads, documentation references, or related metadata. It is designed to satisfy GDPR and UK GDPR Article 28-style processor requirements, CCPA/CPRA service-provider requirements, and international transfer requirements using the EU Standard Contractual Clauses, UK transfer addendum/IDTA path, and Swiss adaptations where needed.
This summary is for convenience only. The full DPA below controls.
1. Scope and incorporation
This DPA forms part of the Terms of Service or other agreement between you ("Customer") and The Plain Works Co., Ltd. (주식회사 더플레인웍스), the operator of Reshot ("Reshot," "we," "us," or "our") (the "Agreement").
This DPA applies only to the extent we process Customer Personal Data on behalf of Customer in connection with the Service. It does not apply to personal data we process as an independent controller, such as account, billing metadata, support, security, and controller-side usage data, which is described in the Privacy Policy.
This DPA becomes effective when Customer accepts the Agreement, transmits Customer Personal Data to the Service, or signs this DPA, whichever occurs first.
2. Definitions
"Affiliate" means an entity that controls, is controlled by, or is under common control with a party.
"Customer Content" has the meaning given in the Terms and includes screenshots, capture configurations, baselines, diffs, project metadata, documentation references, published assets, webhook payloads, and related files or metadata submitted to or processed through the Service.
"Customer Personal Data" means personal data contained in Customer Content or otherwise processed by Reshot on behalf of Customer as processor or subprocessor.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Customer Personal Data, including where applicable the EU GDPR, UK GDPR, UK Data Protection Act 2018, Swiss FADP, Korean PIPA, CCPA/CPRA, and ePrivacy/PECR rules.
"EU SCCs" means the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of June 4, 2021.
"Personal Data Breach," "processing," "controller," "processor," "subprocessor," "data subject," and "supervisory authority" have the meanings given in applicable Data Protection Laws.
3. Roles
Customer is the controller of Customer Personal Data. If Customer processes Customer Personal Data on behalf of another controller, Customer is a processor and Reshot is Customer’s subprocessor.
Reshot is a processor or subprocessor for Customer Personal Data. Reshot will process Customer Personal Data only on Customer’s documented instructions, including the Agreement, this DPA, Customer’s product configuration, Customer’s use of the Service, and written instructions submitted to privacy@reshot.dev.
4. Processing details
| Element | Description |
|---|---|
| Subject matter | Processing Customer Personal Data to provide documentation screenshot automation, storage, comparison, approval, publishing, export, APIs, webhooks, and support |
| Duration | The term of the Agreement, plus deletion, export, backup, and legal-retention periods described in the Agreement and Privacy Policy |
| Nature of processing | Hosting, storage, capture ingestion, comparison, versioning, rendering, publishing, transmission, export, deletion, support, security monitoring, logging, and troubleshooting |
| Purpose | To provide, secure, support, and maintain the Service according to Customer’s instructions |
| Data subjects | Customer’s account users, employees, contractors, reviewers, application users, end users, customers, prospects, or any other individuals whose personal data appears in Customer Content |
| Data categories | Names, email addresses, profile images, account or role metadata, IP addresses, user agents, screenshots, UI text, documentation references, repository metadata, webhook payloads, CLI/API metadata, and any personal data Customer chooses to capture, upload, publish, or transmit through the Service |
| Sensitive data | Not expected. The Service is not designed for special-category data, protected health information, government identifiers, payment card numbers, credentials, or other sensitive data. Customer must avoid submitting such data unless legally permitted and protected by appropriate safeguards. |
| Frequency | Continuous or intermittent depending on Customer’s use of the Service |
| Retention | As described in the Agreement, Privacy Policy, product configuration, and any order form |
5. Customer responsibilities
Customer will:
- comply with Data Protection Laws in its use of the Service;
- provide all required notices and obtain all required rights, consents, authorizations, and lawful bases;
- ensure Customer’s instructions are lawful;
- avoid capturing, uploading, publishing, or transmitting sensitive data unless legally permitted and appropriately protected;
- configure capture scenarios, integrations, webhooks, access controls, and published assets safely;
- respond to data subject requests where Customer is the controller; and
- maintain appropriate security for Customer’s accounts, CLI tokens, API keys, CI/CD systems, capture environments, and connected services.
6. Reshot processor obligations
Reshot will:
- process Customer Personal Data only on Customer’s documented instructions, unless applicable law requires otherwise;
- notify Customer if, in our opinion, an instruction infringes Data Protection Laws;
- ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures described in Annex II;
- assist Customer, taking into account the nature of processing and information available to us, with data subject requests, security obligations, DPIAs, prior consultations, and regulatory inquiries;
- notify Customer of Personal Data Breaches under Section 9;
- maintain records required by Data Protection Laws for our processor activities;
- make available information reasonably necessary to demonstrate compliance with this DPA as described in Section 12; and
- delete or return Customer Personal Data as described in Section 10.
7. Subprocessors
Customer gives Reshot general written authorization to engage subprocessors to provide the Service. The current Subprocessor List is maintained at reshot.dev/legal/subprocessors.
We will provide at least 30 days’ notice before authorizing a new subprocessor to process Customer Personal Data, except where urgent replacement is needed for security, availability, legal compliance, or service continuity. Notice may be provided by updating the Subprocessor List and, for customers who have requested email notice or executed an order form, by email.
Customer may object to a new subprocessor on reasonable data protection grounds within 14 days after notice. If the parties cannot resolve the objection, Customer may terminate the affected Service and receive a prorated refund of prepaid unused fees for the affected Service.
We will enter into a written agreement with each subprocessor imposing data protection obligations no less protective than those imposed on us under this DPA. We remain responsible for our subprocessors’ performance of those obligations.
Customer-selected third-party integrations, customer-controlled storage, customer webhooks, and services Customer independently connects are not Reshot subprocessors merely because the Service sends data to them under Customer’s instructions.
8. International transfers
Customer authorizes Reshot and its subprocessors to process Customer Personal Data in Korea, the United States, the European Union, and other locations described in the Subprocessor List or applicable order form.
8.1 EU transfers
For transfers of Customer Personal Data from the EEA to a country without an adequacy decision, the EU SCCs are incorporated by reference and apply as follows:
- Module Two applies where Customer is a controller and Reshot is a processor.
- Module Three applies where Customer is a processor and Reshot is a subprocessor.
- Clause 7 docking is not used unless the parties agree in writing.
- Clause 9 Option 2 applies, using the general authorization and notice process in Section 7.
- Clause 11 optional language is not used.
- Clause 17 Option 1 applies, governed by the laws of Ireland unless the data exporter’s member-state law is required and allows third-party beneficiary rights.
- Clause 18 disputes are resolved before the courts of Ireland unless another competent EU forum is required by the SCCs.
- Annex I.A and I.B are completed by the parties’ details in the Agreement and Annex I below.
- Annex I.C, the competent supervisory authority, is determined under Clause 13 and applicable Data Protection Laws based on the data exporter, data subjects, and any required representative, rather than being hard-coded globally.
- Annex II is completed by Annex II below.
- Annex III is completed by the Subprocessor List.
8.2 UK transfers
For restricted transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs, or the UK IDTA where appropriate, is incorporated by reference and applies to the EU SCCs. References to EU law and supervisory authorities are adapted to UK Data Protection Laws and the UK Information Commissioner where required.
8.3 Swiss transfers
For transfers from Switzerland, the EU SCCs apply with adaptations required by the Swiss FADP. References to the GDPR are interpreted to include the Swiss FADP, references to EU member states include Switzerland where applicable, and the competent Swiss authority is the FDPIC where required.
8.4 Korea and onward transfers
Transfers to Korea may rely on applicable adequacy decisions where available. Onward transfers from Korea or other locations to countries without an adequacy decision will use appropriate safeguards required by applicable Data Protection Laws.
8.5 Government access requests
If we receive a legally binding government, law-enforcement, or regulatory request for Customer Personal Data, we will, where legally permitted, notify Customer, redirect the requester to Customer, limit disclosure to what is legally required, and challenge requests where we reasonably determine there are grounds to do so.
9. Personal Data Breach
If we become aware of a Personal Data Breach affecting Customer Personal Data, we will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware.
The notice will include, to the extent known: the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, measures taken or proposed, and a contact point for follow-up. We will provide additional information as it becomes available and reasonably assist Customer with legally required notices.
A notice under this section is not an admission of fault or liability.
10. Deletion and return
Upon termination or Customer’s written request, we will delete or return Customer Personal Data within 30 days, unless law requires or permits retention, or the data is retained in backups, logs, security records, billing records, legal holds, or anonymized/aggregated form.
Backups are encrypted or protected by equivalent safeguards and are typically purged within 35 days after deletion from live systems. Until deletion, retained copies remain subject to this DPA.
We will provide deletion confirmation on reasonable written request.
11. CCPA/CPRA service-provider terms
To the extent the CCPA/CPRA applies, Reshot acts as a service provider or contractor for Customer Personal Data received from or on behalf of Customer.
Customer discloses Customer Personal Data to Reshot only for the following limited and specific business purposes:
- hosting, storing, transmitting, and displaying Customer Content;
- processing screenshot captures, baselines, diffs, approvals, published assets, and exports;
- operating APIs, CLI workflows, webhooks, workspace controls, and integrations configured by Customer;
- authenticating users and enforcing workspace access controls;
- securing the Service, preventing fraud and abuse, debugging errors, and maintaining availability;
- providing customer support under Customer’s instructions;
- deleting, returning, or exporting Customer Personal Data; and
- complying with law and enforcing the Agreement.
Reshot will not sell or share Customer Personal Data, retain/use/disclose it outside the direct business relationship except as permitted by the CCPA/CPRA, combine it with personal information from other sources except as permitted, or process it for targeted advertising. Reshot certifies that it understands and will comply with these restrictions.
12. Audits and compliance information
Upon reasonable written request, we will provide information reasonably necessary to demonstrate compliance with this DPA, such as security documentation, questionnaire responses, subprocessor information, retention information, and summaries of relevant controls.
If that information is insufficient for Customer’s legal obligations, Customer may request an audit by an independent, qualified auditor who is not a competitor. Audits require at least 30 days’ notice, must occur during normal business hours, must be limited to information relevant to Customer Personal Data, must not compromise other customers’ data or our security, and may occur no more than once in any 12-month period unless required by a regulator or following a Personal Data Breach affecting Customer Personal Data.
Customer bears audit costs unless the audit identifies a material breach of this DPA.
13. Liability
Liability under this DPA is subject to the limitations and exclusions in the Agreement, except to the extent prohibited by Data Protection Laws or the SCCs.
14. Term and precedence
This DPA continues for as long as Reshot processes Customer Personal Data.
If there is a conflict between documents regarding Customer Personal Data, the order of precedence is: (1) the SCCs or other mandatory transfer terms for the matters they cover; (2) this DPA; (3) the Agreement; and (4) the Privacy Policy.
15. Signatures
This DPA is accepted electronically when Customer accepts the Agreement or transmits Customer Personal Data to the Service. To request a counter-signed copy, contact privacy@reshot.dev.
Annex I — Parties and processing details
A. Data exporter
Customer, as identified in the Agreement, order form, account registration, or other applicable document.
Role: Controller, or processor where Customer processes personal data on behalf of another controller.
B. Data importer
The Plain Works Co., Ltd. (주식회사 더플레인웍스)
Cheonan, Chungcheongnam-do, Republic of Korea
Contact: privacy@reshot.dev
Role: Processor, or subprocessor where Customer is a processor.
C. Processing description
The processing description is set out in Section 4 of this DPA.
D. Competent supervisory authority
For the EU SCCs, the competent supervisory authority is determined under Clause 13 and applicable Data Protection Laws based on the data exporter, data subjects, and any required representative.
Annex II — Technical and organizational measures
1. Security governance
Reshot maintains an information security program designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access.
2. Access control
Access to production systems is restricted to authorized personnel and protected by role-based access, least-privilege principles, and multi-factor authentication for administrative access where supported. Access is granted only for legitimate operational, support, security, or legal purposes.
3. Authentication and authorization
Customer users must authenticate before accessing non-public workspace data. API and CLI access use tokens or keys. Workspace authorization controls restrict access based on roles and permissions configured by Customer.
4. Encryption
Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted or protected using encryption provided by our infrastructure providers, such as AES-256 or equivalent storage-layer encryption where supported.
5. Data isolation
Customer Content is logically isolated by workspace, project, and access-control rules. Customers do not receive direct access to underlying infrastructure.
6. Logging and monitoring
We maintain logs and monitoring to detect errors, security events, abnormal behavior, and service reliability issues. Logs are access-restricted and retained according to operational and security needs.
7. Vulnerability management
We monitor dependencies and infrastructure for known vulnerabilities and apply critical security updates within a reasonable period based on severity and exploitability.
8. Network and edge protection
The Service uses edge, CDN, DDoS, bot-management, rate-limiting, and network controls provided by infrastructure vendors such as Cloudflare, Vercel, Supabase, and Upstash where applicable.
9. Backups and resilience
Customer Content and application data may be backed up using managed infrastructure provider controls. Backups are protected and retained for a limited period, typically up to 35 days after underlying deletion.
10. Incident response
We maintain an incident response process covering detection, triage, containment, investigation, notification, remediation, and post-incident review.
11. Personnel confidentiality
Personnel with access to Customer Personal Data are bound by confidentiality obligations and receive security guidance appropriate to their role.
12. Subprocessor oversight
We maintain written data protection commitments with subprocessors and periodically review subprocessor security and privacy posture based on risk.
Annex III — Subprocessors
The current Subprocessor List is maintained at:

