Legal information

This Data Processing Agreement ("DPA") forms part of the agreement between Mockuuups s.r.o. ("Processor", "we", "us") and you ("Controller", "Customer") for use of our services.

1. Scope

This DPA applies when we process personal data on your behalf in connection with Mockuuups services. For most users of our desktop application, plugins, and website, your content is processed locally on your device and this DPA does not apply to that content.

This DPA primarily applies to: Developer API users (where content is processed on our servers), and account and billing data we process for all customers.

2. Processing details

The following details describe the nature of our data processing activities:

• Subject matter: Mockup generation services

• Duration: Duration of your service agreement

• Nature: Automated image processing, account management

• Purpose: Generating device mockups, providing customer support

• Data types: Account data (name, email); API content (temporary)

• Data subjects: Your end users and employees

3. Our obligations

We will:

• Process personal data only on your documented instructions

• Ensure our personnel maintain confidentiality

• Implement appropriate security measures

• Use sub-processors only as listed in our List of Subprocessors

• Assist you with data subject requests

• Assist with your security and breach notification obligations

• Delete your data upon termination (self-service or on request)

• Provide information to demonstrate compliance on reasonable request

• Encryption in transit (TLS 1.2+)

4. Security measures

Our security measures include:

• Password hashing (bcrypt)

• Authentication via magic links, OAuth (Google, Apple, GitHub), and SAML SSO

• Desktop app and plugins use local processing – your images never leave your device

• The Developer API uses temporary server processing with content deleted after rendering

• Infrastructure hosted on Cloudflare, AWS, and DigitalOcean with industry-standard security

5. Sub-processors

We use the sub-processors listed on a separate page liked at the end of this document. We update this page when adding or removing sub-processors. You may check periodically or contact us to be notified of changes.

6. International transfers

Some sub-processors transfer data outside the EEA. These transfers rely on the EU-US Data Privacy Framework (for certified US companies) and Standard Contractual Clauses (2021 SCCs).

7. Data breach notification

We will notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach affecting your data.

8. Termination

Upon termination of services, you may delete your data via your account settings at the account management area, or request deletion by using the contact methods listed below. We will delete your data within 30 days of termination.

9. Liability

Our liability under this DPA is subject to the limitations in our Terms of Service.

10. Governing law

This DPA is governed by the laws of the Czech Republic. Disputes will be resolved by the courts in Prague, Czech Republic.

Contact

For questions about this DPA, please contact us at [email protected] or use the contact form.