Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the agreement between MyStdio Platform (Processor, we, us) and the organization using our services (Controller, you, your) for the processing of personal data as described below.

When this DPA applies: This DPA applies when your organization uses MyStdio and you are the controller of personal data that we process on your behalf. If you need a signed copy of this DPA for your records, please contact privacy@mystdio.com.

1. Definitions

1.1 "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable data protection legislation.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf.

1.3 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

1.4 "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.

1.5 "Data Subject" means an individual whose Personal Data is processed.

1.6 "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

2.1 This DPA applies to the processing of Personal Data by us on your behalf in connection with the MyStdio platform services.

2.2 The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 to this DPA.

2.3 The duration of processing shall be for the term of your agreement with us, plus any retention period required by law or as specified in our Privacy Policy.

3. Obligations of the Processor

3.1 We shall process Personal Data only on your documented instructions, unless required to do so by applicable law.

3.2 We shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2.

3.4 We shall not engage another processor (Sub-processor) without your prior authorization. Our current list of Sub-processors is available in Appendix A below.

3.5 We shall notify you of any intended changes to Sub-processors, giving you the opportunity to object to such changes.

3.6 We shall assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws.

3.7 We shall assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

3.8 At your choice, we shall delete or return all Personal Data after the end of the provision of services, unless applicable law requires retention.

3.9 We shall make available to you all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

4. Obligations of the Controller

4.1 You shall ensure that you have a lawful basis to provide Personal Data to us for processing.

4.2 You shall provide us with documented instructions regarding the processing of Personal Data, ensuring such instructions comply with Data Protection Laws.

4.3 You shall inform us without undue delay if you become aware of any circumstances that may affect our processing of Personal Data.

4.4 You are responsible for informing Data Subjects about the processing of their Personal Data as required by Data Protection Laws.

5. Security Measures (Article 32 GDPR)

5.1 We implement the following technical and organizational measures:

Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
Access Controls: Role-based access control, multi-factor authentication for administrative access, and regular access reviews.
Data Isolation: Multi-tenant architecture with row-level security ensuring complete data isolation between tenants.
Logging & Monitoring: Comprehensive activity logging and security monitoring.
Backup & Recovery: Regular encrypted backups with tested recovery procedures.
Malware Protection: All uploaded files are scanned for malware before storage.
Secure Development: Security-focused development practices, code reviews, and regular security assessments.

6. Security Incident Notification

6.1 We shall notify you without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data.

6.2 Such notification shall include, to the extent available:

A description of the nature of the Security Incident
The categories and approximate number of Data Subjects affected
The categories and approximate number of Personal Data records affected
The likely consequences of the Security Incident
Measures taken or proposed to address the Security Incident

6.3 We shall cooperate with you and provide reasonable assistance in investigating and remediating any Security Incident.

7. Sub-processing

7.1 You hereby authorize us to engage the Sub-processors listed in Appendix A below.

7.2 We shall inform you of any intended changes to our Sub-processors at least 30 days in advance, giving you the opportunity to object.

7.3 If you object to a new Sub-processor on reasonable grounds related to data protection, we shall work with you to find a mutually acceptable solution.

7.4 We shall impose on each Sub-processor data protection obligations no less protective than those in this DPA.

7.5 We remain fully liable to you for the performance of each Sub-processor's obligations.

8. Data Subject Rights

8.1 We shall assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:

Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object

8.2 If we receive a request directly from a Data Subject, we shall promptly forward it to you unless we are legally prohibited from doing so.

9. International Data Transfers

9.1 Personal Data may be transferred to and processed in countries outside your jurisdiction as described in Appendix A (Sub-processors) below.

9.2 For transfers to countries not recognized as providing an adequate level of data protection, we rely on:

Standard Contractual Clauses (SCCs): The European Commission's standard contractual clauses for international transfers.
UK IDTA/Addendum: For UK transfers, the UK International Data Transfer Agreement or UK Addendum to the EU SCCs.

9.3 Upon request, we shall provide you with copies of the relevant transfer mechanisms.

10. Audit Rights

10.1 We shall make available to you information reasonably necessary to demonstrate compliance with our obligations under this DPA.

10.2 Upon reasonable notice, you may audit our compliance with this DPA, subject to:

Reasonable advance notice (at least 30 days)
Audits during normal business hours
No more than one audit per year (unless required by law or supervisory authority)
Confidentiality obligations regarding any information obtained

10.3 We may satisfy audit requirements by providing relevant third-party certifications or audit reports (such as SOC 2 reports).

11. Data Deletion and Return

11.1 Upon termination of the services, we shall, at your election:

Return: Provide you with a copy of all Personal Data in a commonly used format; or
Delete: Securely delete all Personal Data in our possession.

11.2 Deletion shall occur within 90 days of termination, except where retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

11.3 Upon request, we shall certify in writing that deletion has been completed.

12. Liability

12.1 Each party shall be liable for damages caused by processing that infringes Data Protection Laws or this DPA, as provided under applicable law.

12.2 The limitations of liability in our Terms of Service shall apply to this DPA, except to the extent prohibited by applicable law.

13. General Provisions

13.1 This DPA is governed by the same law that governs our Terms of Service, subject to mandatory provisions of Data Protection Laws.

13.2 This DPA shall remain in effect for the duration of the services and for as long as we process Personal Data on your behalf.

13.3 In the event of a conflict between this DPA and our Terms of Service, this DPA shall prevail with respect to data protection matters.

13.4 We may update this DPA from time to time. We will notify you of material changes at least 30 days in advance.

Annex 1: Details of Processing

Subject Matter:

Processing of Personal Data in connection with the provision of the MyStdio video production client portal platform.

Duration:

For the term of the agreement plus any legally required retention period (typically 2 years after account closure, 7 years for financial records).

Nature and Purpose of Processing:

Providing access to the platform
Facilitating video production project management
Enabling video review and approval workflows
Processing quotes, invoices, and payments
Sending transactional communications
Providing customer support
Platform security and fraud prevention

Types of Personal Data:

Identity data (name, job title)
Contact data (email, phone, address)
Account data (login credentials, preferences)
Transaction data (quotes, invoices, payments)
Project content (briefs, feedback, comments)
Technical data (IP address, device info, logs)
Video content and associated metadata

Categories of Data Subjects:

Your employees and contractors (platform users)
Your clients (project stakeholders, reviewers)
Guest reviewers (public review participants)

Annex 2: Security Measures

Encryption:

TLS 1.2+ for all data in transit
AES-256 encryption for data at rest
Encrypted database connections

Access Control:

Role-based access control (RBAC)
Multi-factor authentication for administrative access
Principle of least privilege
Regular access reviews and deprovisioning

Multi-Tenancy:

Row-level security (RLS) in database
Complete data isolation between tenants
Separate storage namespaces per tenant

Monitoring & Logging:

Comprehensive activity logging
Security event monitoring
Anomaly detection

Business Continuity:

Regular encrypted backups
Tested disaster recovery procedures
Geographic redundancy for critical systems

Appendix A: Sub-processors

We use the following third-party service providers (sub-processors) to help deliver our services. Each sub-processor has been selected for their strong privacy and security practices, and we have appropriate agreements in place to protect your data.

Updates: We will update this list when we add or remove sub-processors. For material changes, we will notify you at least 30 days in advance in accordance with Section 7.2 of this DPA.

Infrastructure & Hosting

Sub-processor	Purpose	Data Categories	Location
Supabase Privacy Policy	Database hosting, authentication, and backend infrastructure	Account data, project data, authentication tokens, user profiles	Australia, USA
Bunny.net Privacy Policy	Content delivery network (CDN), file storage, video hosting	Uploaded files, video content, company assets, project attachments	European Union

Video Hosting

Sub-processor	Purpose	Data Categories	Location
Bunny Stream Privacy Policy	Video hosting, streaming, transcoding, and playback analytics	Video files, video metadata, playback data, watch duration	European Union

Payment Processing

Sub-processor	Purpose	Data Categories	Location
Stripe Privacy Policy	Payment processing, subscription management, invoicing	Payment information, billing details, transaction history, subscription data	USA

Communications

Sub-processor	Purpose	Data Categories	Location
Resend Privacy Policy	Transactional email delivery	Email addresses, email content, delivery status	USA

AI Services

Sub-processor	Purpose	Data Categories	Location
Google (Gemini AI) Privacy Policy	AI-powered brief assistant for project planning	Project information, user prompts, AI conversation data (not stored permanently)	USA

Analytics & Marketing (with consent)

Sub-processor	Purpose	Data Categories	Location
Google Analytics Privacy Policy	Website analytics (requires consent)	Anonymized usage data, device information, page views	USA
Meta (Facebook Pixel) Privacy Policy	Advertising analytics (requires consent)	Anonymized usage data, conversion tracking	USA

Security

Sub-processor	Purpose	Data Categories	Location
Cloudflare Privacy Policy	Security, DDoS protection, bot detection (Turnstile)	IP addresses, security verification tokens	USA, Global

Self-Hosted Security Measures

The following security tools are self-hosted on our own infrastructure and do not involve third-party data processing:

ClamAV Malware Scanner: All file uploads are scanned for malware using our self-hosted ClamAV scanner before being stored. Only file hashes are processed; file contents are not sent to any external service.

International Data Transfers

When your data is transferred to sub-processors located outside your country of residence, we ensure appropriate safeguards are in place:

European Economic Area (EEA): Transfers to countries outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
United Kingdom: Transfers are governed by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
Australia: We ensure overseas recipients handle your data in accordance with the Australian Privacy Principles.
New Zealand: We ensure recipients provide comparable privacy protection or obtain your explicit consent before transfer, in accordance with Principle 12 of the Privacy Act 2020.

Contact

For questions about this DPA or to request a signed copy, please contact us:

MyStdio Platform
Privacy Team
Email: privacy@mystdio.com