Counterpoint Studio Counterpoint Studio

Data Processing Agreement

Last updated: April 23, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Counterpoint Studio LLC (“Counterpoint Studio”, “we”, “us”) and you as a teacher, school, or organization (“Customer”, “you”) who uses Counterpoint Studio to process personal data of your students.

This DPA applies when you act as a data controller (or “business” under CCPA/CPRA) and Counterpoint Studio processes personal data on your behalf to deliver the service. It is designed to satisfy the requirements of Article 28 of the EU GDPR, the corresponding UK GDPR provisions, and comparable laws that require a written agreement between a controller and its processor.

2. Definitions

Terms not defined here have the meaning given in the Terms of Service or applicable data protection law. For purposes of this DPA:

  • Personal data, data subject, processing, controller, and processor have the meanings given in the EU GDPR.
  • Customer personal data means personal data that Counterpoint Studio processes on your behalf as a processor in providing the service.
  • Data protection laws means applicable privacy and data protection laws, including the EU GDPR, UK GDPR, the California Consumer Privacy Act (“CCPA”) as amended by the CPRA, and comparable laws in other jurisdictions.
  • Sub-processor means a third party engaged by Counterpoint Studio to process customer personal data.

3. Scope and roles

When you use Counterpoint Studio to add students, create materials assigned to students, or otherwise process information that identifies or relates to your students, you are the controller of that personal data and Counterpoint Studio is the processor. Counterpoint Studio processes customer personal data only to provide the service and only on your documented instructions as reflected in the Terms of Service, the Privacy Policy, this DPA, and your configuration of the service.

The subject matter, nature, and purpose of processing; the categories of data subjects; and the types of personal data are set out in Annex 1 to this DPA.

4. Counterpoint Studio’s obligations as processor

Counterpoint Studio will:

  • Process customer personal data only on your documented instructions and as required by applicable law. If we believe an instruction violates data protection law, we will inform you unless law prohibits us from doing so.
  • Ensure that personnel authorized to process customer personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect customer personal data, as described in the Privacy Policy §8 and Annex 2 to this DPA.
  • Assist you, taking into account the nature of processing and the information available to us, in responding to data subject rights requests and in complying with your obligations regarding security, breach notification, data protection impact assessments, and consultation with supervisory authorities.

5. Sub-processors

You authorize Counterpoint Studio to engage sub-processors to perform specific processing activities on our behalf. Our current sub-processors are listed in the Privacy Policy §3 and include Stripe, Resend, Fly.io, and Cloudflare.

We will impose on each sub-processor data protection obligations no less protective than those in this DPA. We remain responsible for each sub-processor’s performance of its obligations.

We will notify you of any intended changes to our list of sub-processors with a reasonable opportunity to object. You may object to the addition or replacement of a sub-processor on reasonable data protection grounds by notifying us in writing. If we cannot resolve the objection, you may terminate the affected portion of the service.

6. International transfers

Counterpoint Studio and its sub-processors may process customer personal data in the United States and in other jurisdictions where our sub-processors operate. Where we transfer customer personal data from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy decision, we will rely on appropriate transfer mechanisms, including the Standard Contractual Clauses approved by the European Commission and (where applicable) the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

7. Security

Counterpoint Studio implements the technical and organizational security measures described in the Privacy Policy §8 and Annex 2 to this DPA to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8. Breach notification

If we become aware of a personal data breach affecting customer personal data, we will notify you without undue delay. Our notification will include the information available to us at the time about the nature of the breach, the categories and approximate volume of data subjects and personal data affected, the likely consequences, and the measures we have taken or propose to take. You remain responsible for any notifications owed to data subjects and supervisory authorities where you are the controller.

9. Data subject rights

Counterpoint Studio will, to the extent permitted by law, promptly forward to you any request we receive from a data subject concerning personal data that you control. We will assist you, taking into account the nature of the processing and the information available to us, in fulfilling your obligations to respond to such requests.

10. Audit

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications and audit reports. If this information is insufficient and an audit is required by applicable data protection law, we will cooperate in good faith to allow an audit of our relevant practices, subject to reasonable confidentiality, scoping, and scheduling requirements, at your expense.

11. Return and deletion

On termination of your subscription or on your request, Counterpoint Studio will delete or return customer personal data as described in the Terms of Service and Privacy Policy, subject to any obligation to retain information required by law.

12. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms of Service, including Section 10 (Warranty and liability), except to the extent applicable data protection law does not permit those limitations.

13. Governing law

This DPA is governed by the laws specified in the Terms of Service, except where mandatory data protection law requires a different governing law.

Annex 1 — Details of processing

  • Subject matter: Counterpoint Studio’s provision of music-education materials and workflows under the Terms of Service.
  • Nature and purpose: Processing customer personal data to host, display, and transmit materials; to authenticate students and collaborators; to record practice activity and progress; and to provide the service to you and your students.
  • Duration: For the duration of your subscription and any retention period specified in the Terms of Service.
  • Categories of data subjects: Students and other collaborators whom you invite to the service.
  • Types of personal data: Name, email address, account credentials, materials assigned to or created by data subjects, practice activity, and any other personal data you choose to include in materials or account profiles.

Annex 2 — Security measures

  • Encryption of data in transit using TLS.
  • Password hashing using an industry-standard one-way algorithm.
  • Access controls restricting production system access to authorized personnel.
  • Logging and monitoring of application access and errors.
  • Use of reputable sub-processors that maintain their own security certifications (Stripe, Resend, Fly.io, Cloudflare).
  • Ongoing review of security practices in response to emerging threats.