
code.to.design - Data Processing Addendum (DPA)

Last Updated: December 9th, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between DIV-RIOTS (“Processor” or “code.to.design”) and the customer or entity utilizing the Service (“Controller” or “Customer”).

By accessing or using the Service, or by executing an Order Form that references this DPA, the Customer accepts and agrees to be bound by this DPA.

1. Definitions

  • “Applicable Data Protection Laws” means all laws and regulations, including the GDPR (General Data Protection Regulation (EU) 2016/679), UK GDPR, and CCPA (California Consumer Privacy Act), applicable to the processing of Personal Data under the Agreement.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data (i.e., the Customer).
  • “Processor” means the entity that processes Personal Data on behalf of the Controller (i.e., code.to.design).
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Input Data” means the HTML, CSS, and code snippets provided by the Controller to the Service for conversion.
  • “Sub-processor” means any third party appointed by the Processor to process Personal Data.

2. Scope and Purpose

2.1. The Processor shall process Personal Data only on the documented instructions of the Controller. The “documented instructions” consist of the Agreement (Terms of Service) and the Customer’s use of the API/Service functions (e.g., submitting code for conversion).

2.2. The nature of the processing is the transformation of technical code (HTML/CSS) into design assets (Figma/Vector data).

2.3. The Processor shall not process Personal Data for any other purpose, including the training of public AI models, unless explicitly authorized by the Controller.

3. Confidentiality and Security

3.1. Confidentiality

The Processor ensures that all personnel (employees, contractors) authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II. This includes measures to protect against unauthorized disclosure of data.

4. Sub-processing

4.1. The Controller grants general authorization to the Processor to engage the Sub-processors listed in Annex III.

4.2. The Processor shall ensure that any Sub-processor is bound by data protection obligations compatible with those in this DPA.

4.3. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes on reasonable grounds within 14 days.

5. International Transfers (Standard Contractual Clauses)

5.1. To the extent that the processing involves the transfer of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a country that has not been recognized by the European Commission as providing an adequate level of data protection (e.g., the United States), the parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) shall apply.

5.2. By agreeing to this DPA, the Controller (as “data exporter”) and the Processor (as “data importer”) are deemed to have signed the SCCs, which are incorporated herein by reference.

6. Personal Data Breaches

6.1. The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a confirmed Personal Data Breach affecting the Controller’s data.

6.2. The notification shall describe the nature of the breach, the likely consequences, and the measures taken or proposed to be taken to address the breach.

7. Audit Rights

7.1. Upon written request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

7.2. If the Controller requires an onsite audit, it shall be conducted at the Controller’s expense, during normal business hours, and with at least 30 days’ prior written notice, subject to the Processor’s security policies.

8. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.


ANNEX I: Details of Processing

A. List of Parties

  • Data Exporter: The Customer (Controller).
  • Data Importer: DIV-RIOTS (Processor).

B. Description of Transfer

  • Subject Matter: Provision of the code.to.design conversion services.
  • Nature of Processing: Receiving HTML/CSS payloads via API, parsing the code structure, converting to Figma format, and returning the data.
  • Categories of Data Subjects: The Controller’s employees - users of the Service.
  • Types of Personal Data:
    • Account Data: Names, email addresses, API keys, IP addresses.
    • Content Data: Any text, image URLs, or code contained within the HTML/CSS input.
  • Frequency: Continuous basis (API calls).
  • Duration: Anytime the Customer uses the Service (i.e., API call).

ANNEX II: Technical and Organizational Security Measures

The Processor currently observes the Security Measures described in this Annex II.

  1. Ephemeral Processing: Input Data (HTML/CSS) is processed in volatile memory (RAM) or temporary ephemeral storage for the sole purpose of performing the conversion. It is not permanently stored in a database after the transaction is complete.
  2. Encryption: All data in transit is encrypted via TLS 1.2 or higher (HTTPS).
  3. Access Control: Access to production infrastructure is restricted to authorized engineering personnel via strong authentication.
  4. Vulnerability Management: Regular updates and patching of underlying server infrastructure.
  5. Physical Security: Hosting is provided by top-tier cloud providers (Google Cloud) which maintain ISO 27001 and SOC 2 Type II certifications for physical data center security.

ANNEX III: List of Sub-processors

The Controller authorizes the engagement of the following Sub-processors:

| Sub-processor Name | Description of Service | Location of Data |
| --- | --- | --- |
| Google Cloud | Cloud Infrastructure / Computing | USA |
| Google Firebase Firestore | User Account and Credit Database | USA |
| Lemon Squeezy (a Stripe company) | Payment Processing | USA |
| InfluxDB | Usage Analytics | Europe (Germany) |
| Grafana | Analytics Dashboarding | USA |