Data Processing Agreement
Version 1.0 (template) | Effective Date: May 6, 2026
1. Parties & Roles
This Data Processing Agreement ("DPA") supplements the SceneSmith Terms of Service entered into between you (the "Customer" or "Controller") and SceneSmith ("we", "us", or "Processor").
- Controller — the Customer, who determines the purposes and means of the processing of Personal Data submitted to the Service.
- Processor — SceneSmith, which processes Personal Data on the Customer's behalf in accordance with this DPA and the Customer's documented instructions.
- Where the Customer is itself a processor for an upstream controller, SceneSmith acts as a sub-processor and the same obligations apply.
2. Subject Matter & Duration
The subject matter is the provision of the SceneSmith AI video shot planning and generation platform. Processing continues for the duration of the Customer's subscription and any post-termination retention period set out in Section 8.
3. Categories of Data Subjects
- The Customer's end users and account holders
- Individuals depicted, voiced, or otherwise identifiable in content uploaded or generated through the Service
- The Customer's employees, contractors, and collaborators
4. Categories of Personal Data Processed
- Account data — name, email address, hashed password, date of birth, OAuth identifiers, billing address.
- Usage data — log records, IP address, device and browser information, interaction events.
- Content data — prompts, scripts, uploaded images and audio, generated images, video, and audio assets.
- Biometric data (special category, GDPR Art. 9) — voiceprints derived from voice clones, facial reference data derived from character training. Processed only with explicit consent.
- Payment data — handled directly by Stripe; SceneSmith stores only customer identifiers and metadata, not full card numbers.
5. Purposes of Processing
- Providing the AI shot planning, generation, and editing service
- Authenticating users and securing the Service
- Billing, fraud prevention, and tax compliance
- Customer support and incident response
- Service quality monitoring, analytics, and abuse detection
- Legal compliance, including responding to lawful requests and DSA obligations
6. Sub-processors
The Customer authorises SceneSmith to engage the sub-processors listed below. SceneSmith remains responsible for each sub-processor's performance under this DPA. We will give the Customer at least 30 days' notice (via the Service or email) of any new sub-processor or material change, during which the Customer may object on reasonable, documented data-protection grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payments, tax calculation, fraud screening | United States |
| Resend (Drift Net Inc.) | Transactional email delivery | United States |
| Fal.ai (Features & Labels Inc.) | Image and video model inference | United States |
| OpenAI, L.L.C. | Optional language and vision model inference | United States |
| Google LLC (Gemini) | Planning and validation model inference | United States / Global |
| ElevenLabs, Inc. | Voice synthesis and voice cloning | United States |
| Cloudflare, Inc. (R2 storage & CDN) | Object storage, content delivery, edge security | Global edge network |
| Vercel, Inc. | Application hosting and serverless compute | United States / Global |
| Upstash, Inc. | Rate limiting and ephemeral cache | United States / EU |
| PostHog, Inc. | Product analytics (where enabled) | United States / EU options available |
Up-to-date sub-processor information is also available on request to legal@scenesmith.ai.
7. Security Measures
SceneSmith implements appropriate technical and organisational measures designed to protect Personal Data, including:
- Encryption in transit — TLS 1.2+ for all customer traffic, internal service-to-service traffic, and sub-processor communication.
- Encryption at rest — managed encryption for the primary database, object storage (Cloudflare R2), and backups.
- Access controls — least-privilege role-based access, MFA on all administrative accounts, audit logging of production access.
- Network security — managed WAF, DDoS protection, and per-route rate limiting.
- Vulnerability management — dependency scanning, secret scanning, and routine review of platform alerts.
- Backups — automated database backups with point-in-time recovery, tested restores.
- Personnel — confidentiality obligations for all personnel with access to Personal Data; security awareness training.
8. Data Retention & Deletion
- Account data is retained while the account is active and for up to 12 months after closure for legal and audit purposes.
- Content data (projects, generated assets) is retained while the account is active. On account deletion, content is queued for deletion within 30 days.
- Biometric data (voice clones, facial reference data) is deleted within 30 days of consent withdrawal or account deletion.
- Server logs are typically retained for 90 days.
- On request, we will return or delete Customer Personal Data after the end of the provision of services, save where retention is required by law.
9. International Transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, SceneSmith relies on the European Commission's Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor — or Module 3 — Processor to Sub-processor, as applicable) and the UK International Data Transfer Addendum. Where a sub-processor offers Binding Corporate Rules or an adequacy decision, those mechanisms apply in addition.
On request, SceneSmith will provide a transfer impact assessment (TIA) and copies of the executed SCCs.
10. Data Subject Rights Assistance
SceneSmith will, taking into account the nature of the processing, assist the Customer through appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to requests for exercising data-subject rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making).
11. Personal Data Breach Notification
SceneSmith will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide reasonable information to enable the Customer to meet its own notification obligations under GDPR Article 33.
12. Audits
SceneSmith will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. Where the Customer has a legitimate audit need that cannot be satisfied by standard documentation (e.g. a SOC 2 Type II report, when available), the Parties will agree the scope and timing of the audit in good faith, on no less than 30 days' notice and at the Customer's expense, subject to confidentiality and operational safeguards.
13. Liability
The liability of each Party under or in connection with this DPA is subject to, and counts towards, the aggregate limitations of liability set out in the SceneSmith Terms of Service, except to the extent that applicable law prohibits limitation of liability for the relevant claim.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. Where SCCs are signed, the SCCs prevail over this DPA to the extent of any conflict.
15. Signing & Contact
To execute a counter-signed copy of this DPA — including SCCs and a customer-specific Annex — please email legal@scenesmith.ai with:
- Your legal entity name, jurisdiction, and registered address
- The signatory's name, title, and email
- Any Customer-specific addenda required (e.g. UK IDTA, Swiss adjustments, US state addenda)
We will return a counter-signed PDF, typically within 10 business days.
16. Updates
We may update this template DPA from time to time to reflect changes in our processing posture, sub-processors, or applicable law. The version and effective date at the top of this page indicate the current revision. Material changes will be communicated to executed DPA holders directly.