Data Processing Agreement.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the business customer (the "Controller") and Halo sp. z o.o. (the "Processor"), registered at ul. Warszawska 40/2A, 40-008 Katowice, Poland, KRS 0001145505. It applies whenever the Processor processes personal data on behalf of the Controller under GDPR.
1. Subject matter and duration
The Processor provides AI video generation and analytics (the "Service"). In doing so it processes personal data on the Controller's behalf for the duration of the Service agreement.
2. Nature and purpose of processing
Hosting, rendering, analytics, support, billing, and security operations necessary to provide the Service.
3. Categories of data and data subjects
- Data subjects: end users of the Controller (including the Controller's own employees).
- Categories of personal data: identifiers (name, email), technical data (UA, hashed IP, device), content (prompts, uploaded references, generated outputs), usage and analytics data.
- Special categories: none processed by default. The Controller must not upload special-category data without prior written agreement.
4. Controller's instructions
The Processor processes personal data only on documented instructions from the Controller, including those set out in the Terms of Service, our Privacy Policy, and this DPA, unless required to do otherwise by EU or Member-State law.
5. Confidentiality
All Processor personnel with access to personal data are bound by confidentiality obligations.
6. Security measures (Art. 32 GDPR)
- TLS 1.2+ for all data in transit.
- AES-256 encryption for data at rest (databases, backups).
- Role-based access control with least privilege and audit logging.
- Quarterly credential rotation and mandatory SSO/2FA for admin access.
- Regular dependency scanning and patching.
- Documented incident response with 72-hour notification targets.
- Backups encrypted and tested for restorability.
- IP addresses are hashed server-side before storage.
7. Sub-processors
The Processor uses the following sub-processors. We will give notice of any new sub-processor at least 14 days before they start processing, and the Controller may object in writing on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Render.com | Web hosting + managed Postgres | EU (Frankfurt) |
| Cloudflare | CDN, DNS, DDoS protection | Global |
| Stripe | Payment processing | EU |
| Postmark | Transactional email | US (SCCs) |
| Sentry | Error monitoring | EU (Frankfurt) |
| ipapi.co | IP geolocation | EU |
| Mixtape Render Cluster | GPU inference | EU (Frankfurt) |
8. International transfers
Where personal data is transferred outside the EEA, such transfers are protected by EU Standard Contractual Clauses (module 3, processor-to-sub-processor, as applicable) and any necessary supplementary measures (encryption, minimisation, access control).
9. Data subject rights
The Processor will, upon the Controller's request, assist the Controller in responding to data-subject requests within 72 hours.
10. Personal data breach
The Processor will notify the Controller without undue delay, and in any event within 72 hours, of any confirmed personal-data breach, and will provide information required under Art. 33(3) GDPR.
11. Audit
The Controller is entitled, once per 12-month period, to audit the Processor's compliance with this DPA on reasonable notice, during normal business hours, and subject to confidentiality. The Processor may satisfy audit requirements by providing recent third-party certifications or reports where applicable.
12. Return and deletion
On termination of the Service, the Processor will, at the Controller's choice, delete or return all personal data, and delete existing copies within 90 days, unless EU or Member-State law requires storage.
13. Governing law
This DPA is governed by the laws of the Republic of Poland.
14. Signing
Business customers who require a countersigned DPA may request one by emailing legal@videogenai.io.