Tokens Studio Plugin DPA
Effective from: 15-01-2026
DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum ("DPA") is entered into by and between Hyma B.V., a private limited liability company incorporated under the laws of the Netherlands, having its registered office at Lage Gouwe 92, 2801 LJ Gouda, The Netherlands, registered with the Dutch Chamber of Commerce under number 59750502 ("Processor" or "Tokens Studio"), and the entity identifying itself as the customer or user of the Services ("Controller" or "Customer").
This DPA is incorporated into and forms part of the Terms of Service or other such service agreement (the "Agreement") between the Parties.
1. Definitions
"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" shall have the meanings given to them in the GDPR.
"Services" means the Tokens Studio Plugin for Figma, Apply Variables Plugin, and any related services provided by Hyma B.V.
2. Scope and Role of Parties
2.1 Roles. The Parties acknowledge that for the purposes of the GDPR, Customer is the Data Controller and Tokens Studio is the Data Processor.
2.2 Scope. This DPA applies to the Processing of Personal Data by Tokens Studio on behalf of the Customer in the course of providing the Services.
3. Obligations of the Processor
3.1 Instructions. Tokens Studio shall process Personal Data only on the documented instructions of the Customer, unless required to do so by Union or Member State law. The Agreement and this DPA constitute such documented instructions.
3.2 Confidentiality. Tokens Studio ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security. Tokens Studio shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Specific measures are detailed in Annex II.
3.4 Data Subject Rights. Tokens Studio shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights.
3.5 Breach Notification. Tokens Studio shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach that poses risks to Data Subjects.
4. Subprocessing
4.1 Authorization. The Customer grants Tokens Studio a general authorization to engage third-party subprocessors. The current list of subprocessors is set out in Annex III.
4.2 Changes. Tokens Studio shall inform the Customer of any intended changes concerning the addition or replacement of other subprocessors at least 30 days in advance via email or website update, thereby giving the Customer the opportunity to object.
4.3 Obligations. Tokens Studio shall impose materially similar data protection obligations on its subprocessors as set out in this DPA.
5. International Transfers
5.1 Transfers. Personal Data may be transferred to locations outside the European Economic Area ("EEA").
5.2 Safeguards. Where Personal Data is transferred to a third country not ensuring an adequate level of protection, Tokens Studio ensures appropriate safeguards are in place, such as the EU-U.S. Data Privacy Framework or the Standard Contractual Clauses ("SCCs") approved by the European Commission.
6. Audit and Deletion
6.1 Audit. Tokens Studio shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. All audits will be at the expense of the Customer, and will be limited to once per calendar year.
6.2 Deletion/Return. Upon termination of the Services, Tokens Studio shall, at the choice of the Customer, delete or return all Personal Data to the Customer, unless Union or Member State law requires storage of the Personal Data.
ANNEX I: DETAILS OF PROCESSING
A. Subject Matter and Duration
The subject matter of the processing is the provision of the Tokens Studio plugins and related services. The duration of the processing shall be for the term of the Agreement plus the period required for data deletion or legal compliance.
B. Nature and Purpose
The processing involves collection, storage, and analysis of data to provide design token management, license verification, billing, and error tracking functionalities.
C. Categories of Data Subjects
Employees, contractors, and authorized users of the Customer.
D. Categories of Personal Data
Contact Information: Name, email address.
Account & Billing Data: Payment IDs, Figma IDs, billing address, VAT number, transaction history.
Technical & Usage Data: IP addresses, device information, usage logs, event metadata, error logs.
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES (SECURITY)
Tokens Studio implements the following security measures to protect Personal Data:
Encryption: Use of HTTPS/TLS 1.2 (or higher) for data in transit and AES-256 or equivalent encryption for data at rest.
Access Control: Implementation of Role-Based Access Control (RBAC) and mandatory Multi-Factor Authentication (MFA) for all staff accounts with access to personal data.
Vulnerability Management: Continuous vulnerability scanning and regular penetration testing.
Hosting Security: Utilization of cloud providers with industry-standard security measures (AWS, Google Cloud Platform) located primarily in the EU. For subprocessors that process data outside the EU, appropriate contractual and technical safeguards are in place.
ANNEX III: LIST OF SUBPROCESSORS
The Customer authorizes the engagement of the following subprocessors:
| Subprocessor | Service Provided | Location |
|---|---|---|
| Stripe | Payment processing & billing | EU & US |
| Keygen | License key management | USA |
| Mixpanel | Product analytics | EU |
| Sentry | Error tracking & debugging | EU |
| Google Workspace | Document editing & email | EU |
| HubSpot | CRM & marketing automation | EU |
| Slack | Customer Support communication | USA |
| Notion | Documentation & User research | USA |
| Firebase | Email-based authentication | Global |
| Heroku | License Key authentication | USA |
| Postmark | Subscription emails | USA |
| Supabase | Infrastructure (Design data) | USA |
| Vercel | Infrastructure | USA |
| WEA Midden-Holland Accountants & Adviseurs B.V. | Accounting & Finance | EU |
| Docusign | Contract Management | USA |
