Data Processing Agreement

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Service as described in the Terms of Service. The duration of this DPA corresponds to the term of the Terms of Service.

2. Nature and purpose of processing

The processing consists of hosting, storing, transmitting, transcoding, backing up, retrieving, displaying, organising, searching, deleting, and otherwise making available personal data uploaded or generated by or on behalf of the Controller within the Service. Optional AI features (Documentary Mode) additionally involve speech-to-text transcription and theme/topic analysis where the Controller activates them.

3. Categories of data subjects

• The Controller's collaborators (crew, editors, producers).
• The Controller's clients and the persons authorised by them to use review links.
• Persons depicted, recorded, or otherwise identifiable in the User Content uploaded by the Controller (e.g. interview subjects, on-camera talent).
• Other persons whose personal data the Controller chooses to enter into the Service (e.g. contacts, vendors).

4. Categories of personal data

• Identification data (name, role, e-mail).
• Contact details and scheduling information.
• Postal addresses of third parties (shoot locations, unit-base addresses, crew home or pickup addresses, client / agency office addresses, vendor / rental-house / studio addresses).
• Production-management data (call sheets, shot lists, packing lists, budgets, crew assignments, field notes).
• Audio, image, and video footage and any associated metadata uploaded as User Content.
• Transcripts and analyses derived from User Content via opt-in AI features.
• Comments, approvals, and review actions left by collaborators or clients.

The Controller is responsible for ensuring that the Service is not used to process special categories of personal data within the meaning of Art. 9 GDPR or data relating to criminal convictions and offences within the meaning of Art. 10 GDPR, except where the Controller has implemented appropriate safeguards and notified the Processor in writing.

5. Documented instructions

The Processor processes personal data only on documented instructions from the Controller. The Terms of Service, this DPA, and the configuration choices the Controller makes within the Service constitute the Controller's standing instructions. Additional instructions must be issued in writing (including e-mail to info@tkammies.com) and may give rise to additional fees if they require effort beyond the standard service.

The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.

6. Confidentiality

The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR). Access is granted on a need-to-know basis and is logged.

7. Assistance to the Controller

The Processor assists the Controller, taking into account the nature of the processing and the information available to the Processor:

• by providing functionality (e.g. export, deletion, access logs, user management) that supports the Controller's response to requests by data subjects exercising their rights under Chapter III of the GDPR;
• in ensuring compliance with Art. 32–36 GDPR (security of processing, breach notification, data protection impact assessment, prior consultation), within the technical capabilities of the Service;
• by providing the information necessary to demonstrate compliance with Art. 28 GDPR.

Where assistance exceeds what is reasonably included in the Service, the Processor may charge a reasonable fee, communicated in advance.

8. Subprocessors

The Controller grants the Processor general written authorisation to engage subprocessors. The current list of subprocessors is published in the Privacy Policy at tkammies.studio/datenschutz and forms an integral part of this DPA.

The Processor will notify the Controller of any intended changes concerning the addition or replacement of subprocessors at least 30 days in advance via e-mail and via the in-app notification panel. The Controller may object on reasonable data-protection grounds within that period. If the parties cannot agree on an alternative arrangement, the Controller may terminate the affected Service for cause without additional cost; remaining prepaid fees will be refunded pro rata.

The Processor enters into written contracts with each subprocessor imposing data-protection obligations no less protective than those in this DPA, and remains fully liable to the Controller for the performance of the subprocessor's obligations.

9. Audit rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

To minimise the burden on both parties:

• The Processor will, on reasonable notice, share independent third-party reports (e.g. ISO 27001 reports of subprocessors, SOC 2 reports where available, security questionnaires) and a current TOMs description.
• The Controller may conduct one remote audit per calendar year on at least 30 days' written notice. Additional audits may be conducted in response to a documented security incident, a regulator's request, or a material change in circumstances.
• On-site inspections require additional notice and coordination and must avoid disclosure of other Controllers' data.
• The Controller bears its own audit costs; the Processor may charge a reasonable fee for time spent supporting the audit beyond providing standard documentation.

10. Technical and organisational measures (TOMs)

The Processor implements appropriate technical and organisational measures pursuant to Art. 32 GDPR. The current measures include, but are not limited to:

• Confidentiality: physical access controls at hosting providers' data centres (delegated to certified subprocessors); logical access controls based on least-privilege accounts and individual credentials; multi-factor authentication for administrative access; principle-of-least-privilege for service-to-service communication.
• Integrity: input validation; signed and time-limited URLs for file downloads; protection against unauthorised modification through version-controlled deployments and audit logs; integrity-checked backups.
• Availability and resilience: hosted on infrastructure with redundancy across availability zones; automated backups with regular restore testing; monitoring and alerting on critical service health.
• Encryption: TLS 1.2 or higher for all data in transit; encryption-at-rest for stored files (Cloudflare R2, Supabase storage), database content (Supabase Postgres), and backups.
• Pseudonymisation and minimisation: internal identifiers (UUIDs) used in service-to-service contexts where direct identifiers are not required; PII scrubbing and IP truncation enabled in error-monitoring (Sentry).
• Restorability: documented restore procedures; soft-delete window of 30 days for restorable User Content.
• Procedures: regular dependency security updates; documented incident-response procedure; regular review of TOMs; data-protection-by-design and default-off configuration for opt-in features (e.g. AI submissions disabled by default).
• Order control: written contracts and DPAs in place with all subprocessors; documented subprocessor list maintained in the Privacy Policy.

The Processor reviews and updates the TOMs as the Service evolves and publishes changes via the Privacy Policy.

11. International transfers

Where the Processor or its subprocessors transfer personal data to a country outside the European Economic Area, the transfer is safeguarded by:

• An adequacy decision by the European Commission, in particular the EU-US Data Privacy Framework (Decision (EU) 2023/1795) where the recipient is certified; or
• The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), with the Module appropriate to the recipient (Module 2 controller-to-processor or Module 3 processor-to-processor as applicable); together with
• Supplementary technical measures (encryption in transit and at rest, access controls).

By entering into this DPA, the parties agree to the SCCs being incorporated by reference where applicable. Copies are available on request.

12. Personal-data-breach notification

The Processor notifies the Controller without undue delay, and where feasible within 48 hours of becoming aware of a personal-data breach affecting the Controller's data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its effects. The Processor cooperates with the Controller as reasonably required for the Controller to fulfil its obligations under Art. 33–34 GDPR.

13. Deletion or return on termination

On termination of the Terms of Service, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires storage of the personal data. Standard procedure: a 30-day soft-delete window for restoration, followed by permanent deletion within a further 60 days from operational backups. Export tooling provided in the Service (CSV/Excel export, file download) is available to the Controller before termination.

14. Liability

Each party's liability under this DPA is governed by the limitation of liability provisions of the Terms of Service. Claims by data subjects under Art. 82 GDPR remain unaffected.

15. Order of precedence

In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data on behalf of the Controller, this DPA prevails. Mandatory provisions of the GDPR and applicable national data-protection law prevail over either document.

16. Acceptance and signature

The Controller accepts this DPA by activating it in the Account settings. Once activated, the activation, the e-mail address used, the workspace identifier, and the timestamp serve as the record of acceptance. A countersigned PDF copy can be provided on request to info@tkammies.com.