सब्सक्राइब करें
← Legal

Data Processing Addendum

v1.0.0 · Effective 2026-06-15 · Audience: platform | vendor | business customer

Translation pending. The English-language source is shown below until a reviewed translation is available.

Data Processing Addendum

Last revised: 2026-06-15 · Version: 1.0.0

Table of contents

  1. Parties and roles
  2. Definitions
  3. Subject matter, duration, nature and purpose of the processing
  4. Categories of personal data and data subjects
  5. Processor obligations
  6. Sub-processors
  7. International data transfers
  8. Audit and inspection rights
  9. Personal data breach notification
  10. Data subject rights assistance
  11. Deletion or return of personal data
  12. Liability and limits
  13. Order of precedence
  14. Schedule 1, Description of processing
  15. Schedule 2, Technical and organisational measures
  16. Schedule 3, Approved sub-processors
  17. Annex A, EU SCCs incorporation by reference
  18. Annex B, UK ICO IDTA Addendum (B1.0) incorporation by reference
  19. Contact
  20. Version history

1. Parties and roles

This Data Processing Addendum ("DPA") supplements the underlying agreement (the "Principal Agreement") between:

  • PYLON Film Pty Ltd ("PYLON"), an Australian proprietary limited company having its registered office at Level 2, 111 Harrington Street, THE ROCKS NSW 2000, Australia, ABN: 14 698 990 215; and
  • the Counterparty identified in the Principal Agreement.

This DPA may be issued by PYLON to a vendor (in which case PYLON acts as the controller and the vendor acts as the processor) or accepted by PYLON from a business customer (in which case the customer acts as the controller and PYLON acts as the processor). The capitalised labels below ("Controller", "Processor") map to the role each party takes under the Principal Agreement.

Where the parties' roles are joint (joint controllers, or controller- to-controller), this DPA does not apply and a separate joint-controller agreement is required.

2. Definitions

Capitalised terms used in this DPA but not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Australian Privacy Act 1988 (Cth), or the CPRA, as applicable to the parties' relationship.

  • Applicable Data Protection Law, every privacy and data protection law that applies to the processing of Personal Data under the Principal Agreement, including GDPR, UK GDPR, the Privacy Act 1988 (Cth) and the Australian Privacy Principles, the CPRA, and any other equivalent law in any relevant jurisdiction.
  • Authorised Persons, the personnel of the Processor and its approved Sub-processors that have a need to know the Personal Data in order to provide the Services.
  • Personal Data Breach, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the Services.
  • SCCs, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • Services, the services provided under the Principal Agreement.
  • Sub-processor, any third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Subject matter, duration, nature and purpose of the processing

  • Subject matter: the Personal Data described in Schedule 1.
  • Duration: the term of the Principal Agreement plus any retention obligation in Schedule 1.
  • Nature: the operations described in Schedule 1, performed electronically.
  • Purpose: the provision of the Services.

4. Categories of personal data and data subjects

Set out in Schedule 1.

5. Processor obligations

The Processor:

  • shall process Personal Data only on documented instructions from the Controller, including in respect of transfers to a third country, unless required to do otherwise by Applicable Data Protection Law;
  • shall ensure that Authorised Persons are bound by appropriate obligations of confidentiality;
  • shall implement and maintain the technical and organisational measures set out in Schedule 2;
  • shall not engage a Sub-processor except in accordance with §6;
  • shall, taking into account the nature of the Services, assist the Controller by appropriate technical and organisational measures in responding to data subject requests under §10;
  • shall, taking into account the nature of the Services, assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the GDPR (and equivalent provisions of other Applicable Data Protection Law);
  • shall, at the Controller's choice, delete or return all Personal Data on termination of the Services in accordance with §11;
  • shall make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in §8.

6. Sub-processors

The Controller authorises the Processor's engagement of the Sub-processors listed in Schedule 3 as of the effective date of this DPA.

For any new Sub-processor proposed after the effective date, the Processor shall:

  • give the Controller at least 30 days' prior written notice identifying the Sub-processor, its location and the processing it will perform;
  • impose data-protection terms on the Sub-processor that are no less protective than those in this DPA;
  • remain liable for the acts and omissions of the Sub-processor as for its own.

The Controller may object to a new Sub-processor on reasonable grounds within the notice period. Where the parties cannot resolve the objection within 30 days of the objection being raised, the Controller may terminate the affected portion of the Services on written notice without further liability.

7. International data transfers

Where the processing involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not covered by an adequacy decision, the parties incorporate:

  • the EU SCCs (Commission Implementing Decision (EU) 2021/914) by reference (see Annex A);
  • the UK ICO IDTA Addendum (B1.0) by reference (see Annex B);
  • the Swiss FADP equivalent provisions.

The applicable SCC modules are set out in Annex A.

For Australian transfers under APP 8 (cross-border disclosure of personal information), the Processor takes reasonable steps to ensure that any overseas recipient does not breach the APPs in relation to the information.

8. Audit and inspection rights

The Processor shall make available to the Controller, on the Controller's reasonable request and no more than once per twelve month period (except where required following a Personal Data Breach or by a supervisory authority), the information necessary to demonstrate compliance with this DPA.

The Processor will accept independent third-party audit reports, including SOC 2, ISO 27001 reports, or equivalent, where available, in lieu of on-site audit. PYLON does not currently hold a SOC 2 or ISO 27001 certification; we will provide our internal control documentation in lieu where applicable.

On-site audits, where reasonably necessary, are conducted on at least 30 days' notice, during business hours, in a manner that does not unreasonably disrupt the Processor's operations, and subject to a non-disclosure agreement.

9. Personal data breach notification

The Processor shall notify the Controller of a Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware. The notification shall include, to the extent known:

  • the nature of the breach, including categories and approximate number of data subjects and records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and to mitigate its possible adverse effects;
  • the name and contact details of a point of contact for further information.

The Processor shall promptly take all reasonable steps to mitigate the breach and shall not make any public statement about the breach without the Controller's prior written consent, except where required by Applicable Data Protection Law.

10. Data subject rights assistance

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection). The Processor shall not respond directly to a data subject request that has been routed through the Controller, except on the Controller's documented instructions or as required by Applicable Data Protection Law.

11. Deletion or return of personal data

On termination or expiry of the Services, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, including any copies, within 90 days of termination or expiry. Deletion shall be conducted in a manner consistent with the Schedule 2 measures.

The Processor may retain Personal Data only to the extent required by Applicable Data Protection Law, and shall ensure the confidentiality of any retained Personal Data and shall not actively process it for any other purpose.

12. Liability and limits

Liability under this DPA is governed by the liability provisions of the Principal Agreement, except that nothing in the Principal Agreement excludes or limits liability for any obligation that cannot be excluded or limited under Applicable Data Protection Law.

13. Order of precedence

In the event of a conflict between this DPA and the Principal Agreement, this DPA controls in respect of the processing of Personal Data. In the event of a conflict between the SCCs (or the UK Addendum) and any other term, the SCCs (or the UK Addendum) control.

14. Schedule 1, Description of processing

Field Detail (illustrative, completed per agreement)
Subject matter Provision of the Services described in the Principal Agreement.
Duration Term of the Principal Agreement plus retention noted below.
Nature of processing Storage, retrieval, transmission, deletion, and any operation reasonably necessary to provide the Services.
Purpose of processing Service provision, abuse prevention, billing, support, audit.
Categories of data subjects Subscribers, filmmakers, end-users of subscribers' end-services.
Categories of personal data Identifiers (email, name); account metadata (locale, country); session and device data; payment metadata (Stripe customer id, last4, brand, never full PAN); date of birth (for age gating); content provenance metadata.
Special-category data None expected. AI provenance attestations may include statements about real-person likenesses (consent records).
Processing locations Cloudflare global edge; D1 primary in [region: TBD]; sub-processors per Schedule 3.
Retention As specified in the Privacy Policy at /legal/privacy-policy and per the GDPR Art. 17 grace window (users.deletion_scheduled_at, 30-day grace).

15. Schedule 2, Technical and organisational measures

The Processor implements and maintains the following technical and organisational measures (TOMs). The list reflects current production posture as of 2026-04-26 and is updated as posture evolves.

15.1 Encryption

  • In transit: TLS 1.2 minimum on every external endpoint; HSTS enforced with max-age=63072000; includeSubDomains on every in-scope subdomain (preload pending submission to hstspreload.org).
  • At rest, application-layer:
    • two_factors.secret encrypted with AES-256-GCM keyed off TOTP_ENCRYPTION_KEY (see packages/auth/src/totp-crypto.ts).
    • users.dob encrypted with AES-GCM under a separate key.
    • All other data is stored in Cloudflare D1, R2, KV and Queues with the platform's at-rest encryption (AES-256 per Cloudflare documentation). PYLON does not currently apply application-layer encryption to fields beyond those listed above.

15.2 Access control

  • All staff access to the admin app (apps/admin) is gated by Better Auth + role-based authorisation (role IN ('admin', 'senior_curator')).
  • Two-factor authentication is enforced on every authenticated session for admin and senior_curator roles (packages/trpc/src/routers/two-factor.ts + mfaProcedure).
  • Wrangler secret hygiene: production secrets are rotated quarterly and on staff offboarding; access is audit-logged in the Cloudflare dashboard.
  • Database access in production is via the Cloudflare API surface only; no direct D1 console outside the Cloudflare-managed perimeter.

15.3 Logging and audit

  • Every state change in moderation, DMCA, GDPR, payments and curator decisions writes to the immutable audit_log table.
  • Sentry captures application errors with PII scrubbing.
  • PostHog captures product-analytics events with consent gating.
  • A system:* actor_id pattern is coerced to NULL at the audit-log insert layer to prevent automated transitions from impersonating a human signoff.

15.4 Network and edge

  • All ingress goes through Cloudflare; the WAF is enabled on customer-facing subdomains.
  • The CSP baseline is applied via apps/api/src/middleware/security-headers.ts and replicated in the static _headers files for apps/web and apps/admin.
  • Rate limiting is applied per-IP and per-account on the major expensive paths.

15.5 Backup and continuity

  • D1 daily backups retained for 30 days (Cloudflare-managed).
  • R2 lifecycle policies retain published-title masters for the contractual licence term.
  • Disaster-recovery runbook at docs/RUNBOOKS/ (internal).

15.6 Personnel

  • All staff sign confidentiality undertakings.
  • Background checks for staff with admin role.
  • Mandatory security training on onboarding.

16. Schedule 3, Approved sub-processors

The following sub-processors are approved as of the effective date. Vendor names are limited to those actually integrated in the codebase.

Sub-processor Service Location of processing Privacy / DPA URL
Cloudflare, Inc. Edge / Workers / D1 / R2 / KV / Queues Global edge; primary DB region [TBD] https://www.cloudflare.com/cloudflare-customer-dpa/
Stripe, Inc. Payments and payouts US, EU https://stripe.com/legal/privacy-centre
Mux, Inc. Video encoding and delivery US https://www.mux.com/privacy
Resend Transactional email US, EU https://resend.com/legal/privacy-policy
SignatureAPI E-signature workflows EU https://signatureapi.com/privacy
PostHog Inc. Product analytics US (US Cloud) https://posthog.com/privacy
Functional Software, Inc. (Sentry) Error monitoring US https://sentry.io/privacy/

A change to this list follows the §6 Sub-processor procedure.

17. Annex A, EU SCCs incorporation by reference

The EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this DPA and form part of it.

The applicable Module is determined by the parties' respective roles in the relevant transfer:

  • Module One (controller-to-controller), not applicable to a Processor relationship.
  • Module Two (controller-to-processor), applies where Controller is in the EEA and Processor is outside.
  • Module Three (processor-to-processor), applies where Controller is also a processor and Processor is a sub-processor.
  • Module Four (processor-to-controller), applies where Processor is in the EEA and Controller is outside.

The optional clauses are completed as follows: docking clause, applicable; redress, Clause 11 option, deletion of complaint to independent body deselected; governing law, Ireland; choice of forum, Ireland.

The information required by the SCC Annexes is drawn from Schedules 1, 2 and 3 of this DPA.

18. Annex B, UK ICO IDTA Addendum (B1.0) incorporation by reference

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (B1.0) issued by the UK Information Commissioner's Office is incorporated by reference for any transfer of Personal Data subject to the UK GDPR.

The Addendum's tables are completed by reference to this DPA's Schedules 1, 2 and 3 and Annex A.

Contact

  • Privacy / DPA execution: [email protected]
  • Legal: [email protected]; postal PYLON Film Pty Ltd, Level 2, 111 Harrington Street, THE ROCKS NSW 2000, Australia
  • Sub-processor change notifications: subscribe at /legal/subprocessors-feed (TBD)

Version history

Version Date Author Summary
0.1.0 2026-04-26 engineering Initial publication. Standard GDPR Art. 28 + UK IDTA + AU APP 8 shape; sub-processor list grounded in actual codebase integrations.