Data Processing Agreement

Comprehensive data processing transparency and security commitments

Last updated: January 20, 2025

1. Introduction

This Data Processing Agreement (DPA) governs the processing of personal data by SYNAPSE SPARK STUDIO LTD (operating as Vidflow) on behalf of our customers. This agreement ensures compliance with applicable data protection laws including GDPR, CCPA, and other regional privacy regulations.

By using our services, you agree to the data processing terms outlined in this agreement.

2. Parties and Roles

Data Controller

Company: SYNAPSE SPARK STUDIO LTD

Registration: 87654321

Address: Office 13464, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom

DPO Contact: privacy@vidflow.online

Data Subject Rights

As the data controller, we ensure data subjects can exercise their rights including access, rectification, erasure, restriction, portability, and objection. We respond to requests within 30 days.

3. Processing Activities

Account Management

Purpose

User authentication, account administration, billing

Legal Basis

Contractual necessity

Data Types

  • Name
  • Email address
  • Billing information
  • Usage history

Recipients

  • Payment processors
  • Customer support systems

Retention: Account lifetime + 3 years

Content Processing

Purpose

Video translation, voice synthesis, editorial services

Legal Basis

Contractual necessity

Data Types

  • Video/audio files
  • Voice samples
  • Text content
  • Processing metadata

Recipients

  • AI processing partners
  • Human editors (when applicable)

Retention: 30 days post-processing

Service Analytics

Purpose

Performance monitoring, error tracking, service improvement

Legal Basis

Legitimate interest

Data Types

  • Usage patterns
  • Error logs
  • Performance metrics
  • Feature utilization

Recipients

  • Analytics platforms
  • Technical support teams

Retention: 2 years for analytics, 30 days for logs

Communication

Purpose

Customer support, service notifications, marketing

Legal Basis

Consent / Legitimate interest

Data Types

  • Contact information
  • Communication preferences
  • Support tickets

Recipients

  • Support platforms
  • Email service providers

Retention: 3 years post-interaction

4. Security Measures

Encryption

End-to-end encryption for all data transfers and storage

Implementation: AES-256 encryption, TLS 1.3 for transmission

Access Controls

Role-based access with multi-factor authentication

Implementation: RBAC, MFA, principle of least privilege

Data Isolation

Customer data processed in isolated environments

Implementation: Containerized processing, network segmentation

Audit Logging

Comprehensive logging of all data access and processing

Implementation: Immutable audit trails, real-time monitoring

Data Minimization

Only collect and process necessary data

Implementation: Automated deletion, data retention policies

5. International Transfers

Cross-Border Data Processing

When processing data outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for certain countries (UK, Canada)
  • ISO 27001 and SOC 2 Type II certified processors
  • Binding Corporate Rules where applicable

6. Sub-Processors

We may engage sub-processors to provide specific services. All sub-processors are bound by data protection obligations equivalent to those in this DPA.

AI Processing Partners

  • Cloud AI platforms (Google Cloud AI, AWS AI)
  • Speech processing services
  • Translation engines

Infrastructure Providers

  • Cloud hosting (AWS, Google Cloud)
  • CDN services
  • Monitoring and analytics

Sub-Processor Changes

We will notify customers at least 30 days before adding new sub-processors. You may object to new sub-processors and terminate the agreement if we cannot accommodate your objection.

7. Data Breach Procedures

Incident Response

Detection & Assessment (0-4 hours)

Immediate detection, containment, and risk assessment

Customer Notification (4-24 hours)

Notification to affected customers with incident details

Authority Notification (24-72 hours)

Regulatory notification where required by law

Investigation & Remediation

Full investigation, remediation, and prevention measures

8. Data Subject Rights Support

Rights We Support

  • Access to personal data
  • Data rectification
  • Data erasure (right to be forgotten)
  • Restriction of processing
  • Data portability
  • Objection to processing

Response Process

  1. Request received and verified
  2. Data located and assessed
  3. Action taken within 30 days
  4. Confirmation sent to data subject

9. Audit and Compliance

We maintain comprehensive audit capabilities to demonstrate compliance:

Regular Audits

  • Annual SOC 2 Type II audits
  • ISO 27001 certification
  • GDPR compliance assessments
  • Penetration testing

Documentation

  • Processing records
  • Security policies
  • Incident response logs
  • Training records

10. Contact and Requests

For data processing questions, requests, or concerns:

Data Protection Officer: privacy@vidflow.online
Legal Requests: legal@vidflow.online

Response Time: We respond to all data processing requests within 30 days as required by GDPR. Complex requests may require an extension, which we will communicate within the initial 30-day period.