
Compliance · GDPR · RIAA · Deloy DNA

How we comply with data protection regulations and music industry recommendations, and how our certificate system protects authorship.

Last updated · May 20, 2026

1. GDPR · European data protection regulation

We process European users' data under GDPR requirements. This means:

  • Explicit legal basis for each processing activity (consent, contract performance, legitimate interest, legal obligation).
  • Minimization: we only collect the data needed to operate the service.
  • Rights of access, rectification, erasure, portability, objection and withdrawal of consent — exercisable via privacy@deloymusic.com.
  • Breach notification within 72 hours to the competent supervisory authority and to those affected.
  • Standard Contractual Clauses (SCC) for international transfers to providers outside the EEA.
  • DPO designated for Enterprise clients; contact available in the signed contract.

2. RIAA recommendations on generative AI

We share the music industry's position on AI: responsible AI is the kind that respects human authorship and the existing catalog. That's why:

  • We don't train models on third-party catalogs without authorization. Virtual Producers are trained only with the user's own references or with catalogs the Enterprise client has demonstrable rights to.
  • Traceability of AI contribution. Every export carries a Deloy DNA certificate that spells out the AI and human contribution percentage. This lets labels and platforms distinguish between assisted works and predominantly generated ones.
  • Voice cloning blocked. Deloy doesn't offer voice cloning features for recognized artists. References are used to capture aesthetic, not to imitate identities.
  • Pull-down on request. If a rights holder identifies misuse of their material, we remove it from the service within a maximum of 7 days from notification.

3. Deloy DNA · cryptographic authorship certificates

Every track exported from Deloy carries a certificate signed with HMAC-SHA256 that records:

  • SHA-256 hash of the exported audio file.
  • AI Score — the AI contribution percentage measured at session time, not estimated at the end.
  • UTC timestamp of the moment of export.
  • Identifier of the virtual Producer used in the session.
  • Cryptographic signature validated with a server-side key.

The certificate is verifiable by third parties: any label, platform, distributor or regulator can query the public verification API to confirm authenticity without accessing your original content.

Important: the certificate covers what Deloy observes inside the session. It doesn't certify what happens to the track after exporting it, nor stems imported from outside Deloy.
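
The sketch below is an added example, not Deloy's code, of how an HMAC-SHA256 tag can bind the fields listed above to one specific audio file. The field names, the JSON serialization and the demo key are assumptions, since this page does not publish the certificate format.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption). A real key stays on the server only.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(fields: dict) -> bytes:
    # Deterministic serialization so issuer and verifier MAC identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(audio: bytes, ai_score: float, producer_id: str,
                      exported_at: datetime, key: bytes = SERVER_KEY) -> dict:
    # Hypothetical field names mirroring the list in section 3.
    fields = {
        "audio_sha256": hashlib.sha256(audio).hexdigest(),
        "ai_score": ai_score,
        "exported_at": exported_at.astimezone(timezone.utc).isoformat(),
        "producer_id": producer_id,
    }
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": tag}


def verify_certificate(cert: dict, audio: bytes, key: bytes = SERVER_KEY) -> bool:
    fields = {k: v for k, v in cert.items() if k != "signature"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    presented = str(cert.get("signature", ""))
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    # The tag is valid; now confirm the presented file is the certified one.
    actual = hashlib.sha256(audio).hexdigest()
    return hmac.compare_digest(str(fields.get("audio_sha256", "")).encode(),
                               actual.encode())


if __name__ == "__main__":
    audio = b"RIFF constructed sample bytes"  # constructed input
    cert = issue_certificate(audio, 37.5, "producer-001",
                             datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc))
    print(verify_certificate(cert, audio))                       # untouched
    print(verify_certificate({**cert, "ai_score": 5.0}, audio))  # edited score
    print(verify_certificate(cert, audio + b"\x00"))             # edited audio
```

HMAC is symmetric, so whoever can verify a tag can also create one. This is why third-party verification goes through an API while the key stays server-side.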

4. Data processing by providers

We maintain data processing agreements (DPA) with all our subprocessors. For Enterprise clients, the specific DPA is signed as an annex to the contract. An up-to-date list of subprocessors is available on request at compliance@deloymusic.com.

5. Audits and Enterprise reporting

Clients on the Enterprise plan receive:

  • Quarterly reports on usage, access and relevant compliance events.
  • Auditable logs of which users accessed which virtual Producers and when.
  • The possibility of external audits with reasonable prior notice.
  • Certified data deletion at the end of the contract, with written confirmation.

6. Authority requests

If we receive valid legal requirements (court order, letter rogatory) requiring us to hand over a user's data, we evaluate their validity before complying. When legally able, we notify the affected user before providing information.

7. Compliance contact

For compliance matters, audits, DPAs, regulatory requirements or pull-downs, write to compliance@deloymusic.com. We respond within 5 business days.