Data Processing Agreement

Last updated: March 27, 2026

Effective Date: January 1, 2026

Last Updated: January 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Webliska Technologies ("Processor," "we," "us," or "our") and you ("Controller," "you," or "your") for the use of ClipsMate AI (the "Service"). This DPA is entered into to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and any other applicable data protection legislation.

This DPA applies to the extent that Webliska Technologies processes Personal Data on behalf of the Controller in the course of providing the Service. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Terms not defined herein shall have the meanings given to them in the GDPR or the Terms of Service, as applicable.

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-Processor" means any third party engaged by the Processor to assist in the Processing of Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means an independent public authority established by an EU or UK member state pursuant to the GDPR or UK GDPR.
  • "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only on behalf of and in accordance with the documented instructions of the Controller, except where required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification on important grounds of public interest.

The scope, nature, and purpose of the Processing, the types of Personal Data processed, and the categories of Data Subjects are as follows:

  • Purpose: To provide the ClipsMate AI video creation platform, including account management, video rendering, AI content generation, billing, customer support, and analytics.
  • Types of Personal Data: Name, email address, IP address, billing information, user-generated content (including images, video, audio, and text uploaded by Data Subjects), usage data, device information, and any other Personal Data submitted by the Controller through the Service.
  • Categories of Data Subjects: The Controller's end users, customers, employees, contractors, and any other individuals whose Personal Data is submitted to the Service by the Controller.
  • Duration: The Processing shall continue for the duration of the Terms of Service, plus any post-termination retention period specified in this DPA or the Privacy Policy.

3. Processor Obligations

The Processor warrants and undertakes to:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Section 6 of this DPA.
  • Respect the conditions for engaging Sub-Processors as set out in Section 4 of this DPA.
  • Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under the GDPR.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Sub-Processors

4.1 General Authorization

The Controller hereby grants the Processor general written authorization to engage Sub-Processors for the Processing of Personal Data in connection with the Service. The Processor shall maintain an up-to-date list of Sub-Processors, which is available upon request by contacting support@clipsmateai.com.

4.2 Sub-Processor Obligations

When engaging a Sub-Processor, the Processor shall:

  • Enter into a written contract with the Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA.
  • Conduct appropriate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for Personal Data required by this DPA and applicable law.
  • Remain fully liable to the Controller for the performance of the Sub-Processor's obligations.

4.3 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least thirty (30) days in advance, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the matter in good faith. If the objection cannot be resolved within a reasonable period, the Controller may terminate the affected portion of the Service without penalty.

4.4 Current Sub-Processors

The following Sub-Processors are authorized as of the effective date of this DPA:

  • Amazon Web Services (AWS) — Cloud hosting and data storage (EU, US regions)
  • Stripe — Payment processing (US, EU)
  • Google Cloud Platform — AI/ML infrastructure and video rendering (EU, US regions)
  • Postmark — Transactional email delivery (US)
  • Cloudflare — Content delivery and DDoS protection (Global)

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR, including requests for access, rectification, erasure, restriction of Processing, data portability, and objection. Specifically, the Processor shall:

  • Promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such request without the Controller's prior written authorization, unless required to do so by applicable law.
  • Provide the Controller with the technical capability to access, export, rectify, and delete Personal Data through the Service's account settings and administrative tools.
  • Provide reasonable assistance to the Controller in responding to Data Subject requests that cannot be fulfilled through the Service's self-service tools, within ten (10) business days of the Controller's request.

6. Security Measures

The Processor shall implement and maintain the following technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure:

  • Encryption: All Personal Data in transit is encrypted using TLS 1.2 or higher. Personal Data at rest is encrypted using AES-256 encryption. Encryption keys are managed using dedicated key management services with automatic rotation.
  • Access Control: Role-based access controls (RBAC) are implemented to ensure that only authorized personnel have access to Personal Data, limited to what is necessary for their job function. Multi-factor authentication (MFA) is required for all administrative access.
  • Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation are in place to protect the infrastructure. Regular vulnerability scans and penetration tests are conducted.
  • Physical Security: Personal Data is stored in data centers that maintain SOC 2 Type II certification, with physical access controls including biometric authentication, 24/7 surveillance, and environmental protections.
  • Logging and Monitoring: All access to Personal Data is logged and monitored. Logs are retained for a minimum of twelve (12) months and are reviewed regularly for anomalous activity.
  • Employee Security: All employees and contractors with access to Personal Data undergo background checks, receive data protection training, and are bound by confidentiality agreements.
  • Business Continuity: Regular data backups are performed with tested recovery procedures. The Service maintains a disaster recovery plan with a recovery time objective (RTO) of four (4) hours and a recovery point objective (RPO) of one (1) hour.

7. Personal Data Breach Notification

In the event of a Personal Data Breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of the Personal Data Breach. The notification shall be sent to the Controller's designated contact email address and, if applicable, through the Service's notification system.
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 of the GDPR, including:
    • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
    • The name and contact details of the Processor's data protection officer or other contact point where more information can be obtained.
    • A description of the likely consequences of the Personal Data Breach.
    • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
  • Not notify any third party of the Personal Data Breach without first obtaining the Controller's prior written consent, unless notification is required by applicable law.

8. Data Deletion and Return

Upon termination or expiration of the Terms of Service, or upon the Controller's written request, the Processor shall:

  • Cease all Processing of Personal Data on behalf of the Controller, except as necessary to comply with applicable law.
  • At the Controller's choice, either return all Personal Data to the Controller in a structured, commonly used, machine-readable format, or securely delete all Personal Data from the Processor's systems and those of its Sub-Processors.
  • Complete the return or deletion within thirty (30) days of the termination date or the Controller's request, whichever is applicable.
  • Provide written certification to the Controller confirming that all Personal Data has been returned or deleted, as applicable.
  • Notwithstanding the above, the Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such Personal Data and processes it only for the purpose required by law.

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' written notice before conducting an audit, specifying the scope and duration of the proposed audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller may engage a qualified, independent third-party auditor to conduct the audit on its behalf, provided that the auditor enters into a confidentiality agreement acceptable to the Processor.
  • The Processor shall cooperate with the audit and provide reasonable access to relevant facilities, systems, personnel, and documentation.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
  • As an alternative to an on-site audit, the Processor may provide the Controller with a copy of its most recent SOC 2 Type II report or equivalent third-party audit certification, which shall satisfy the Controller's audit rights under this section, unless the Controller has reasonable grounds to believe that the certification does not adequately address its concerns.

10. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place as required by applicable data protection law. The following transfer mechanisms are used:

  • Standard Contractual Clauses: Where Personal Data is transferred to Sub-Processors located outside the EEA or UK, the Processor ensures that Standard Contractual Clauses (as approved by the European Commission and/or the UK Information Commissioner's Office) are in place with each Sub-Processor.
  • Adequacy Decisions: Where the European Commission or the UK government has issued an adequacy decision for the recipient country, transfers may rely on such adequacy decision.
  • Supplementary Measures: Where required by the assessment of the laws of the recipient country, the Processor implements supplementary technical and organizational measures to ensure that the level of protection of Personal Data is not undermined, including encryption, pseudonymization, and access controls that prevent access by authorities of the recipient country.

The Processor shall conduct and document transfer impact assessments for all international data transfers and make these assessments available to the Controller upon request.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party excludes or limits its liability for:

  • Breaches of its obligations under this DPA that result in a fine or penalty imposed by a Supervisory Authority, to the extent that the breach is attributable to the liable party's failure to comply with its obligations.
  • Damages arising from the Processing of Personal Data in violation of the GDPR or UK GDPR, to the extent that the party is responsible for such non-compliant Processing.
  • The Processor's obligation to indemnify the Controller against claims by Data Subjects or Supervisory Authorities arising from the Processor's breach of this DPA or its Processing of Personal Data outside the scope of the Controller's instructions.

The Processor shall be liable for any damage caused by Processing that infringes the GDPR or UK GDPR only where it has not complied with obligations of the GDPR or UK GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.

12. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. The obligations of the Processor under this DPA shall survive the termination or expiration of the Terms of Service to the extent necessary to complete the return or deletion of Personal Data and to comply with applicable law. The provisions regarding confidentiality, liability, and audit rights shall survive termination indefinitely.

13. Contact Us

If you have any questions about this Data Processing Agreement, please contact us:

  • Email: support@clipsmateai.com
  • Data Protection Officer: dpo@clipsmateai.com
  • Company: Webliska Technologies
  • Website: https://clipsmateai.com
Back to Home