Data Processing Addendum

Last updated: 2026-05-18. Version 1.0.

This Data Processing Addendum ("DPA") forms part of the Agreement between you ("Customer", acting as Data Controller) and Omelas, operator of DemoScreen ("Processor"). It applies whenever Customer's use of DemoScreen involves the processing of personal data subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR. By using DemoScreen on a Pro plan, Customer accepts this DPA.

1. Definitions

"Personal data", "processing", "data subject", "controller", "processor", "sub-processor", and "supervisory authority" have the meanings given in the GDPR.

2. Subject matter and duration

Processor processes personal data on Customer's behalf for the duration of the Agreement and for the limited purpose of delivering the DemoScreen service (rendering product demo videos with voiceover and captions, storing the underlying project, sending transactional email).

3. Nature, purpose, and categories

Nature: hosting, storage, automated rendering of supplied screenshots and outlines; LLM-assisted scene planning; text-to-speech voiceover synthesis; transmission of email notifications; billing through a third-party payment processor.

Categories of data subjects: Customer's authenticated end users of DemoScreen and, where Customer uploads screenshots depicting third parties, those third-party data subjects.

Categories of personal data: account identifiers (email), billing data, and any personal data embedded in screenshots or outline text that Customer uploads. DemoScreen does not request and does not require special-category data.

4. Processor obligations

Processor will:

  • process personal data only on Customer's documented instructions, including transfers, unless required by EU or Member-State law (in which case Processor will inform Customer);
  • ensure personnel authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures (see Section 7);
  • assist Customer in responding to data-subject rights requests and in meeting obligations under Articles 32–36 GDPR;
  • on termination of the Agreement, delete or return all personal data as Customer chooses, subject to legal retention obligations;
  • make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by Customer or a mandated auditor.

5. Sub-processors

Customer grants general authorisation for Processor to engage the sub-processors listed at /legal/subprocessors. Processor will give Customer at least 30 days' notice of any intended addition or replacement and provide Customer the opportunity to object. If Customer objects on reasonable grounds, Customer may terminate the Agreement with a pro-rata refund.

Processor imposes data-protection terms on each sub-processor that are no less protective than those in this DPA and remains fully liable to Customer for sub-processor performance.

6. International transfers

Where transfers to a third country occur (notably to Google for Firebase Authentication, Stripe for payments, and DeepSeek for LLM-assisted scene planning), Processor relies on the European Commission's Standard Contractual Clauses (Module 3) or, where applicable, the EU-US Data Privacy Framework. Processor will conduct and document a Transfer Impact Assessment for each non-EU sub-processor.

7. Security measures (Art. 32)

  • TLS 1.2+ for every connection; HSTS enforced on web.
  • Postgres + Cloudflare R2 encrypted at rest by the provider; age-encrypted DB backups in a dedicated bucket.
  • API keys stored as sha256 hashes; Stripe webhooks signature-verified; one-time bearer tokens for sign-in links.
  • Principle of least privilege: tier-1 admin access limited to two named operators; quarterly access review.
  • Hard-purge 30 days after account deletion; idempotency keys auto-expire after 24 hours.
  • Audit log of sensitive operations: account delete, data export, plan change, API key creation/revocation.
  • Vulnerability monitoring via Dependabot-style alerts and internal error capture.

8. Personal data breach

Processor will notify Customer without undue delay, and in any case within 48 hours of becoming aware of a personal-data breach affecting Customer's data, with at least the information required by Art. 33(3) GDPR. Notice is sent to the admin email on Customer's account.

9. Data-subject requests

Customer can self-serve access, export, and deletion via /account/data and /account. For requests Processor cannot fulfil through these tools (or where Customer needs Processor's assistance with a request from one of Customer's own end users), email hello@demoscreen.co.

10. Liability and term

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA terminates automatically when the Agreement terminates.

11. Governing law

This DPA is governed by the law of the Agreement, except where GDPR or Member-State law mandatorily applies.

12. Signature

No counter-signature is required. Customer's continued use of DemoScreen on a Pro plan after this DPA's effective date constitutes acceptance. A counter-signed PDF is available on request to hello@demoscreen.co for procurement processes that require one.