Data Processing Addendum

Last updated: April 22, 2026

This DPA forms part of the Terms of Service between Clypmint ("Processor") and Customer ("Controller") when Customer processes personal data of its own end-users through the Service.

1. Subject Matter

Processor will process personal data only to provide the video-editing Service as described in the Terms.

2. Nature of Processing

  • Types of personal data: video/image/audio content, account identifiers, usage events, IP/device metadata.
  • Categories of data subjects: Customer's team members + anyone appearing in the content Customer uploads.
  • Processing activities: upload, transcription, style analysis, rendering, storage, delivery.

3. Sub-processors

See Privacy §3 for the current sub-processor list. We notify Customer by email (or in-product banner) at least 15 days before adding a new sub-processor; Customer may terminate the subscription before the change takes effect if they reasonably object.

4. Security Measures

  • HTTPS/TLS in transit for all endpoints.
  • Encryption at rest via sub-processors (Supabase Postgres + managed storage).
  • Row-Level Security on all customer tables.
  • Principle-of-least-privilege API keys; service-role tokens only in server-side code.
  • Logging + audit trail for billing events and authentication.

5. Data Breach Notification

Processor will notify Controller of any confirmed personal data breach affecting Controller's data within 72 hours of becoming aware, and will cooperate in good faith on remediation.

6. Data Subject Rights

Processor will promptly forward any data-subject requests it receives (access, deletion, rectification) to Controller. Processor will assist Controller in responding within the legally required timeframe.

7. International Transfers

Personal data is stored in the United States (Supabase us-west-2, DigitalOcean US datacenter). For EU customers, Standard Contractual Clauses are incorporated by reference.

8. Deletion & Return

On termination or written request, Processor will delete all Controller personal data within 30 days except as required to be retained by law (see Privacy §4 on billing retention).

9. Contact

Data Protection Inquiries: parkernuttall99@gmail.com