Data Processing Agreement (DPA)

Effective Date: February 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and PromoNexAI B.V. ("Data Processor") and governs the processing of personal data under GDPR.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor will process Personal Data on behalf of the Controller to provide video generation services as described in the Terms of Service.

2.2 Duration

Processing will continue for the duration of the subscription and for 30 days after termination, after which all Personal Data will be deleted.

2.3 Nature and Purpose

  • Processing product information to generate marketing videos
  • Storing data for service delivery and customer support
  • Analyzing usage for service improvement

2.4 Types of Personal Data

  • Shop owner contact information (email, shop domain)
  • Product data (titles, descriptions, prices, images)
  • Usage data and logs

2.5 Data Subjects

Shopify store owners and their authorized users.

3. Processor's Obligations

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage Sub-processors only with prior written consent from the Controller
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with GDPR
  • Delete or return all Personal Data after termination of services
  • Make available all information necessary to demonstrate compliance

4. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor | Service | Location
Amazon Web Services | Cloud hosting | EU, US
Google Cloud Platform | Data processing | EU, US
Shopify | E-commerce platform | CA, US, EU
Stripe | Payment processing | US, EU
Storyblocks | Stock media | US
Runway ML | AI processing | US
Remove.bg/PhotoRoom | Image processing | EU, US

The Processor will notify the Controller of any intended changes concerning addition or replacement of Sub-processors, giving the Controller the opportunity to object.

5. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access, MFA for administrative access
  • Pseudonymization: Where applicable and appropriate
  • Data Minimization: Only necessary data is collected and processed
  • Backup: Daily encrypted backups with 30-day retention
  • Monitoring: 24/7 security monitoring and logging
  • Incident Response: Documented procedure for data breaches
  • Staff Training: Regular security and privacy training
  • Testing: Regular penetration testing and security audits

6. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach, affected data, and likely consequences
  • Describe measures taken or proposed to address the breach
  • Assist the Controller in complying with its obligations to notify authorities and data subjects

7. International Data Transfers

Where Personal Data is transferred outside the EEA, the Processor ensures adequate protection through:

  • EU-US Data Privacy Framework participation for US transfers
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for transfers to countries with adequate data protection

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

9. Deletion of Data

Upon termination of services or upon Controller's request, the Processor shall:

  • Delete all Personal Data within 30 days
  • Provide certification of deletion upon request
  • Return Personal Data to Controller if requested before deletion
  • Ensure Sub-processors also delete all Personal Data

10. Audit Rights

The Controller has the right to conduct audits and inspections to verify compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller or an auditor
  • Provide reasonable assistance during audits at mutually agreed times

11. Liability and Indemnification

Each party shall be liable for damages caused by its processing of Personal Data in violation of GDPR. The Processor shall indemnify the Controller against fines, penalties, and claims arising from the Processor's breach of GDPR or this DPA.

12. Contact for Data Protection

Data Processor:
PromoNexAI B.V.
Dongen, Netherlands
Email: support@promonexai.com

Data Protection Contact:
Email: support@promonexai.com
Response time: Within 48 hours

This Data Processing Agreement is incorporated into and forms part of the Terms of Service between the Controller and the Processor.