LEGAL
Data Processing Agreement (DPA)
Last updated: April 2026
This Data Processing Agreement forms part of the Terms of Service between KlipFast and the Customer.
1. Definitions
"Controller" — means the Customer who determines the purposes and means of processing Personal Data.
"Processor" — means KlipFast who processes Personal Data on behalf of the Controller.
"Personal Data" — means any information relating to an identified or identifiable natural person.
"Processing" — means any operation or set of operations performed on Personal Data.
"GDPR" — means the EU General Data Protection Regulation 2016/679.
2. Scope and Purpose
KlipFast processes personal data only:
- To provide the video processing services described in the Terms of Service
- As instructed by the Customer
- As required by applicable law
Types of personal data processed: email addresses, uploaded video content, usage data.
Categories of data subjects: Customer's end users and employees.
3. KlipFast Obligations
KlipFast agrees to:
- Process personal data only on documented instructions from the Customer
- Ensure that persons authorized to process personal data are under confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Delete or return all personal data upon termination of the service
- Provide all information necessary to demonstrate compliance with this DPA
4. Customer Obligations
The Customer agrees to:
- Ensure a lawful basis exists for processing personal data
- Provide appropriate privacy notices to data subjects
- Ensure data subjects' rights can be exercised
- Only upload data that the Customer has the right to process
5. Sub-processors
KlipFast uses the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|
| Supabase Inc. | Database | United States |
| Cloudflare Inc. | Storage & CDN | United States |
| Anthropic PBC | AI Processing | United States |
| Resend Inc. | Email | United States |
| Stripe Inc. | Payments | United States |
Customers will be notified of sub-processor changes with 30 days notice.
6. International Transfers
Data may be transferred to and processed in countries outside the European Economic Area (EEA). KlipFast ensures appropriate safeguards are in place via Standard Contractual Clauses (SCCs) as approved by the European Commission.
7. Security Measures
Technical measures:
- Encryption in transit (TLS 1.2+)
- Encryption at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
Organizational measures:
- Staff confidentiality agreements
- Data protection training
- Vendor security assessments
8. Data Breach Notification
KlipFast will notify the Customer within 72 hours of becoming aware of a personal data breach affecting Customer data.
Notification will include: the nature of the breach, categories and approximate number of data subjects and records affected, and the measures taken or proposed to address the breach.
9. Data Subject Rights
KlipFast will assist the Customer in fulfilling obligations to respond to requests from data subjects exercising their rights, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object
10. Term and Termination
This DPA is effective for the duration of the service agreement between KlipFast and the Customer.
Upon termination: all personal data will be deleted within 30 days unless KlipFast is required by applicable law to retain it.
Need a signed DPA for your organization?
Contact us at legal@klipfast.com and we will provide an executed copy within 2 business days.
Email Us