Data Processing Agreement (DPA)

Last updated: [BLANK: publication date]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [BLANK: legal entity name] ("Processor", "Dolfinn") and the customer ("Controller", "you") and governs Dolfinn's processing of personal data on your behalf. It applies where, in using the Service, you upload or enter personal data of third parties (for example, cast and crew). Where terms conflict, this DPA prevails on data-protection matters.

1. Roles

You are the controller of the personal data contained in your production content. Dolfinn is the processor. Dolfinn processes that data only on your documented instructions, which include your use of the Service's features and this DPA. Dolfinn remains an independent controller for account/billing data as described in its Privacy Policy.

2. Subject matter, duration, nature and purpose

  • Subject matter: processing of personal data contained in your production content to provide the Service.
  • Duration: for as long as you use the Service, plus any deletion/return period below.
  • Nature and purpose: hosting, storing, organising, displaying and processing production data (breakdowns, schedules, cast/crew details), including automated extraction of information from uploaded scripts.

3. Categories of data subjects and personal data

  • Data subjects: cast, crew, contacts and other individuals named in your productions; your own team members you invite.
  • Personal data: names (including actor names), email addresses, roles, location details, and any personal data you include in scripts, notes or other content.
  • No special-category data is required by the Service; you should avoid entering it unless you have a valid basis. [BLANK: state if special categories are prohibited.]

4. Dolfinn's obligations

Dolfinn shall:

  1. Process personal data only on your documented instructions, including for transfers, unless required by EU/Member-State law (in which case it will inform you unless legally prohibited).
  2. Ensure persons authorised to process the data are bound by confidentiality.
  3. Implement appropriate technical and organisational security measures (see Annex 2).
  4. Respect the conditions in section 5 for engaging subprocessors.
  5. Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your obligations under GDPR Art. 32–36 (security, breach notification, DPIAs, prior consultation).
  6. Notify you without undue delay after becoming aware of a personal-data breach.
  7. At your choice, delete or return all personal data at the end of the services, and delete existing copies unless retention is required by law (see section 7).
  8. Make available information needed to demonstrate compliance and allow for and contribute to audits (see section 6).

5. Subprocessors

You provide general authorisation for Dolfinn to engage the subprocessors listed at Subprocessors, currently:

SubprocessorPurposeLocation
NeonDatabase hostingFrankfurt, EU
VercelApplication hosting & deliveryCompute in Frankfurt (fra1); US parent
ResendTransactional emailUnited States
StripePayments (billing accounts only)United States
Mistral AIAI script extractionFrance, EU

Dolfinn imposes data-protection obligations on each subprocessor equivalent to those in this DPA. Dolfinn will give [BLANK: e.g. 30 days'] notice of any intended addition or replacement of a subprocessor, during which you may object on reasonable data-protection grounds; the notice mechanism is described on the Subprocessors page.

6. Audits

Dolfinn will make available the information necessary to demonstrate compliance with Art. 28 and allow audits [BLANK: e.g. once per year, on reasonable notice, or by provision of third-party certifications/reports], subject to confidentiality and not unreasonably disrupting operations.

7. Return and deletion

On termination, or on your request, Dolfinn will delete or return the personal data. Where you delete a production or account, associated content is deleted (including via cascade deletion). Dolfinn may retain data where required by law (e.g. billing records for 7 years under Belgian accounting law) and will protect it for the retention period.

8. International transfers

Data is primarily processed in the EU. Where a subprocessor is in the US (Vercel, Resend, Stripe), transfers are covered by EU Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework. Dolfinn will not transfer personal data outside the EEA except in compliance with GDPR Chapter V.

9. Liability and general

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by Belgian law. If any provision conflicts with the GDPR, the GDPR prevails.


Annex 1 — Details of processing

  • Categories of data subjects: see section 3.
  • Categories of personal data: see section 3.
  • Processing operations: hosting, storage, organisation, display, AI-assisted extraction.
  • Duration: term of the Service plus deletion/return period.

Annex 2 — Technical and organisational measures

  • Encryption of data in transit (TLS).
  • Hashed passwords; HTTP-only, secure session cookies.
  • Tenant isolation at the database level (row-level security).
  • Role- and capability-based access controls within productions.
  • Access limited to authorised personnel under confidentiality.
  • [BLANK: add backups, logging/monitoring, incident-response process, pen-testing cadence as applicable.]

Annex 3 — Subprocessors

As listed in section 5 and maintained at Subprocessors.


Signatures / acceptance: [BLANK: describe how the DPA is accepted — e.g. "accepted electronically on account creation" or a countersigned copy for enterprise customers.]