Tokens Studio | Home

Tokens Studio Plugin DPA


Effective from: 17-09-2025
Part of: Tokens Studio Terms of Service

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Hyma B.V. (trading as Tokens Studio)

Lage Gouwe 92, 2801 LJ Gouda, The Netherlands

Chamber of Commerce No. 59750502

(“Processor”, “we”, “us”)

and

The customer identified in the Tokens Studio subscription or order form

(“Controller”, “you”, “your”)

(each a “Party”, together the “Parties”).

This DPA supplements the Tokens Studio Terms of Service and governs the processing of personal data where we act as a Processor on your behalf.

2. Subject Matter & Purpose

We process Client Content containing personal data solely:

  • to provide, secure, maintain, and improve the Tokens Studio platform and related services,

  • to fulfill our contractual obligations under the Terms of Service, and

  • as otherwise documented in writing by you.

We will not process personal data for any other purpose, including our own marketing, unless explicitly permitted or required by law.

3. Roles & Responsibilities

  • You (Controller) determine the purposes and means of processing personal data within Client Content.

  • We (Processor) process such data only on your documented instructions, including as set forth in the Terms of Service, this DPA, or other written instructions you provide.

  • If we are legally required to process personal data, we will inform you before processing, unless prohibited by law.

4. Categories of Data & Data Subjects

Categories of personal data (as determined by you) may include:

  • Names, email addresses, roles, organizational details

  • Metadata of customer content

  • Usage and activity data

Data subjects may include:

  • Your employees, contractors, and collaborators

  • Your customers or end users (if you input their data into Tokens Studio)

We do not intentionally process special categories of data (Art. 9 GDPR). You are responsible for ensuring no such data is uploaded unless lawful grounds apply.

5. Duration

This DPA remains in effect for as long as we process personal data on your behalf, including during any subscription period and until all personal data is deleted or returned.

6. Confidentiality

We ensure that persons authorized to process personal data are bound by confidentiality obligations, whether by contract or statutory duty.

7. Security Measures

We implement appropriate technical and organizational measures as required by Art. 32 GDPR, including but not limited to:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)

  • Role-based access controls and MFA for staff

  • Network and application security measures

  • Logging, monitoring, and vulnerability scanning

  • Regular penetration testing

  • Business continuity and disaster recovery planning

Details are outlined in our Privacy Policy.

We may update security measures provided they do not materially decrease the protection of personal data.

8. Subprocessors

You authorize us to engage subprocessors listed in our Subprocessor List.

Obligations:

  • Subprocessors are bound by written contracts imposing data protection obligations equivalent to this DPA.

  • We will notify you at least 30 days in advance of any intended changes to the subprocessor list.

  • You may object in writing within this period. If the objection cannot be resolved, you may terminate the affected services without penalty.

9. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection) by:

  • Providing reasonable technical and organizational measures to enable you to access, correct, delete, or export data, or

  • Promptly forwarding any request we receive directly from a data subject.

10. Breach Notification

If we become aware of a personal data breach, we will notify you without undue delay and within 72 hours where feasible, including:

  • Nature of the breach

  • Categories and approximate number of affected data subjects and records

  • Likely consequences

  • Measures taken or proposed to address the breach

We will cooperate with you in meeting any notification obligations under Articles 33 and 34 GDPR.

11. Assistance & Impact Assessments

We will provide reasonable assistance:

  • With your obligations to perform data protection impact assessments (DPIAs) under Art. 35 GDPR

  • With consultations with supervisory authorities under Art. 36 GDPR

  • With demonstrating compliance with this DPA and Art. 28 GDPR

12. Return & Deletion of Data

Upon termination of the Services or at your written request, we will:

  • Make Client Content available for export for a limited time (if technically feasible), then

  • Delete all personal data related to the organization which has entered into a contract with us from our systems (including backups after their normal retention period), unless retention is required by law.

13. Audits & Compliance Reviews

Upon request, we will provide documentation necessary to demonstrate compliance with this DPA, including summaries of independent security audits or certifications (e.g. ISO 27001).

If this documentation is insufficient, you may conduct a reasonable audit (or appoint an independent auditor) at your cost, subject to:

  • At least 30 days’ advance notice

  • Non-disruption of our operations

  • Confidentiality obligations

Audits may occur no more than once per year unless required by a supervisory authority.

14. International Transfers

Where personal data is transferred outside the EEA, we will:

  • Rely on an adequacy decision (e.g. EU–US Data Privacy Framework) where available, or

  • Enter into Standard Contractual Clauses (SCCs) with the relevant subprocessor, plus any supplementary safeguards necessary to ensure GDPR compliance.

We will re-evaluate and update these measures if legal requirements change.

15. Liability

Liability under this DPA is governed by the limitation of liability in the Tokens Studio Terms of Service. In case of conflict, the liability cap in the Terms shall prevail.

16. Governing Law & Jurisdiction

This DPA is governed by Dutch law.

Disputes shall first be resolved amicably or via mediation, and if unresolved, submitted to the competent court in The Hague, the Netherlands.

17. Order of Precedence

In the event of a conflict between this DPA and the Tokens Studio Terms of Service, this DPA shall prevail with respect to the processing of personal data.

Build better systems—faster

Join the growing community of designers and engineers using Tokens Studio to drive consistency and scale.

© 2026 Tokens Studio. All rights reserved.
