# Data Processing Agreement (DPA) — VideoDB

> VideoDB Data Protection Addendum. Forms part of the Agreement between Customer (Controller) and VideoDB (Processor) to comply with EU GDPR for the processing of Personal Data.

---

## Key terms

This section defines Data Transfer, EU GDPR, Standard Contractual Clauses, Controller, Processor, and Sub-processor. Where the Agreement and this DPA conflict, the DPA prevails.

## Obligations

- **Controller** — warrants it has rights and legal basis to provide Personal Data, supplies privacy notices, requests purges where required, and promptly notifies the Processor of complaints, data-subject requests, or legal process.
- **Processor** — acts only on documented Instructions, assists with data-subject and regulator requests, and ensures onward transfers meet equal-or-higher protection standards.

## Data secrecy, audit, transfers

Personnel are trained and bound by confidentiality. Controller may audit (15 days' notice, at its expense). Transfers outside the EEA follow Schedule 1 / Standard Contractual Clauses.

## Sub-processors, breach, deletion

Processor may engage approved sub-processors (listed in Annex III) and remains liable for them. Personal Data breaches are notified without undue delay. On termination, Personal Data is returned or deleted (within ~30 days), and all copies deleted as soon as practicable.

## Schedule 1 — Annex I (Parties & Transfer)

- **Data Exporter** — Customer (Controller); **Data Importer** — Spext Labs Inc., operating under the brand name VideoDB (Processor), 45 Lansing Street, #2111, San Francisco 94105 USA; contact Ashish Choithani, Lead Engineer, contact@videodb.io.
- **DPO** — Ashutosh Trivedi, ashu@spext.co.
- **Data subjects** — Customer's authorized users. **Data categories** — name, address, DOB, age, education, email, gender, image, job, language, phone, related person/URL, user ID, username. **Sensitive data** — none. **Frequency** — continuous.

## Annex II — Technical & Organisational Measures

The measures cover a security management system, personnel security, access controls (least-privilege, MFA/SSO), and data-centre/network security (AWS, multi-AZ resiliency, disaster recovery, vulnerability management, TLS/HTTPS encryption, multi-tenant isolation, secure destruction). They are aligned to ISO/IEC 27001:2022.

## Annex III — Sub-processors

Amazon Web Services, Cloudflare, Google Cloud, OpenAI, Slack, SolarWinds, AssemblyAI, Linear, and GitHub. See the page for nature of processing, data categories, location, and each vendor's security resources.
