DATA PROCESSING

Data Processing Agreement

This DPA forms part of the Agreement between ZuvoHQ Limited ("Processor") and the Client ("Controller").

Last Updated: 16/09/2025

If you require a countersigned PDF version of this DPA, contact alex@zuvohq.com. This template is automatically incorporated when you submit an order involving Personal Data.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person processed on behalf of Client.

Applicable Data Protection Law: New Zealand Privacy Act 2020, GDPR (where applicable), CCPA/CPRA (where applicable), and any mandatory local law.

Subprocessor: Third party engaged by Processor to process Personal Data.


2. Subject Matter & Duration

Processing covers the creation, management, optimization, storage and delivery of short-form video assets from Client-provided materials, for the term of the underlying Agreement and until deletion under Section 10.


3. Nature & Purpose of Processing

(a) Organizing and storing source media; (b) Editing and rendering; (c) Generating derivative video formats; (d) Providing access via secure dashboard; (e) Optional scheduling/posting automation.


4. Types of Personal Data & Data Subjects

Data Subjects: Client employees, contractors, customers or other individuals appearing in provided footage.

Data Types: Names, likeness, voice recordings, branding assets, contact details (limited), project metadata, analytics identifiers.


5. Roles & Responsibilities

Controller: Determines the purposes & means of processing. Warrants that it has a lawful basis for the processing and that the content it supplies is lawful.

Processor: Processes Personal Data only per documented instructions (order brief, platform selections, written communications).


6. Processor Obligations

  • Process only on documented instructions.
  • Maintain confidentiality commitments for personnel.
  • Implement appropriate technical & organizational measures (Annex A).
  • Assist with data subject rights (respond within Controller timelines).
  • Assist with DPIAs and consultations where required.
  • Notify Controller of Personal Data Breach without undue delay (aim: within 24 hours of confirmation).
  • Maintain records of processing activities where required.

7. Subprocessors

Controller authorizes use of the following categories: hosting (Vercel), storage (AWS/GCP or Wasabi S3-compatible), auth & database (Firebase), payments (Stripe), analytics (Google Analytics – only after consent). Processor maintains an up-to-date list at /subprocessors.

Processor ensures each Subprocessor is bound by written terms imposing data protection obligations no less protective than this DPA (including confidentiality, security, and restricted purpose). Changes: Processor will update /subprocessors and, for new Subprocessors that materially affect the processing of Personal Data, give current Controllers advance notice (aim: at least 15 days); a Controller may object within 10 days of that notice.

If Controller reasonably objects (e.g. documented security concern) and parties cannot reach mitigation within a commercially reasonable period, Controller may terminate only the affected processing (or if not severable, the Agreement) with pro‑rated refund for unused pre-paid fees relating to the terminated portion. Current security practices are summarized at /security-compliance.


8. International Transfers

Where transfers occur outside New Zealand or the originating jurisdiction, Processor relies on: (a) Adequacy decisions; (b) Standard Contractual Clauses; (c) Other lawful transfer mechanisms. Additional safeguards (encryption in transit & at rest) are applied.


9. Security Measures (Summary)

  • Encryption in transit (TLS 1.2+) & at rest.
  • Role-based access control & least privilege.
  • Audit logging of administrative actions.
  • Daily backups & tested restore procedures.
  • Vulnerability patch management policy.
  • Incident response runbook & 24/7 monitoring.

10. Return & Deletion

Upon termination or written request, Processor deletes or returns Personal Data (standard deletion within 60 days; backups within 120 days) unless retention required by law. Controller may export data before closure.


11. Audits

Processor will provide reasonable information (security summary, SOC or other external audit reports, if available) to demonstrate compliance. On-site audits are permitted only if legally required, on 30 days' notice, and no more than once in any 12-month period.


12. Liability & Conflict

Liability under this DPA follows and does not expand the limitation provisions of the primary Agreement. In case of conflict, the primary Agreement prevails except where directly required by Applicable Data Protection Law.


13. Contact & Notices

Data protection inquiries: alex@zuvohq.com. Security incidents: support@zuvohq.com. Legal notices: alex@zuvohq.com.


14. Annex A – Technical & Organizational Measures (TOMs)

  • Access Control: SSO enforcement for internal systems, MFA for privileged accounts.
  • Data Segregation: Logical separation of client data within multi-tenant services.
  • Encryption: AES-256 at rest; TLS 1.2+ in transit.
  • Monitoring: Centralized logging, anomaly alerting, integrity monitoring.
  • Personnel: Background checks (where legally permissible), least privilege, annual security & privacy training.
  • Resilience: Daily backups, geo-redundant infrastructure, disaster recovery testing.
  • Change Management: Tracked deployments with automated CI/CD and rollback.
  • Incident Response: Defined triage severity matrix; post-incident review with corrective actions.