Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement" or "ToS") between:

NamiLink Kft, registered at 2856 Szákszend, Móra Ferenc utca 8/c, Hungary, company registration number 11-09-030788 ("Processor" or "CrewMailer"),

and

The Customer agreeing to the CrewMailer Terms of Service ("Controller" or "Customer").

This DPA is effective from the date the Customer agrees to the CrewMailer Terms of Service.

WHEREAS

• (A) The Controller acts as a Data Controller (or as a Processor acting on behalf of another Controller) regarding certain Personal Data.
• (B) The Controller wishes to engage the Processor to provide the CrewMailer services as described in the Agreement (the "Services"), which involve the Processing of Personal Data on behalf of the Controller.
• (C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – "GDPR").

IT IS AGREED AS FOLLOWS

1. Definitions

• Terms defined in the Agreement shall have the same meaning in this DPA unless otherwise specified.
• "Data Protection Laws" means the GDPR and any other applicable EU or Member State data protection laws and regulations.
• "Personal Data", "Data Subject", "Processing", "Data Controller", "Data Processor", "Personal Data Breach", and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.
• "Controller Personal Data" means any Personal Data Processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement, specifically including data within User Content and Recipient Data as defined in the Privacy Policy.
• "Subprocessor" means any third-party Data Processor engaged by CrewMailer to Process Controller Personal Data.
• "Services" means the CrewMailer watermarking and secure document distribution services provided by the Processor to the Controller under the Agreement.

2. Processing of Controller Personal Data

2.1. Roles of the Parties

The Controller is the Data Controller (or a Processor for another Controller) and the Processor (CrewMailer) is the Data Processor of the Controller Personal Data.

2.2. Processor's Obligations

The Processor shall Process Controller Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. The Controller's instructions for the Processing of Controller Personal Data shall comply with Data Protection Laws. The Controller's use of the Services configuration options and functionalities constitutes documented instructions.

2.3. Details of Processing

The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects involved, are set out in Annex 1 (Details of Processing).

2.4. Controller's Obligations

The Controller warrants that it has all necessary rights, consents, and lawful bases (pursuant to Articles 6 and 9 of GDPR) to permit the Processor to Process the Controller Personal Data through the Services according to this DPA and the Agreement. The Controller is responsible for the accuracy, quality, and legality of the Controller Personal Data and the means by which it acquired the Personal Data.

3. Confidentiality

The Processor shall ensure that its personnel authorized to Process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security

4.1. General Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

4.2. Specific Measures

These measures shall include, as appropriate, the measures referred to in Article 32(1) of the GDPR. A description of the Processor's current security measures is set out in Annex 2 (Security Measures). Processor may update these measures from time to time, provided the updates do not materially decrease the overall security of the Services.

5. Subprocessing

5.1. General Authorization

The Controller grants the Processor general written authorization to engage Subprocessors to Process Controller Personal Data on the Controller's behalf.

5.2. Subprocessor List

The Processor shall maintain a list of its current Subprocessors, including their locations and the services they provide, as set out in Annex 3 (Subprocessors). The Processor shall make this list available to the Controller (e.g., via its website or this DPA).

5.3. Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving the Controller the opportunity to object to such changes. Such notification shall be provided with reasonable advance notice (e.g., via email or platform notification). If the Controller reasonably objects to a new Subprocessor, the Parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the Agreement in accordance with its terms.

5.4. Subprocessor Agreements

The Processor shall ensure that it enters into a written agreement with each Subprocessor containing data protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR.

5.5. Liability

The Processor shall remain fully liable to the Controller for the performance of that Subprocessor's obligations.

6. Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR (e.g., access, rectification, erasure, restriction, portability, objection). If a Data Subject contacts the Processor directly, the Processor shall promptly notify the Controller, unless otherwise prohibited by law.

7. Assistance to the Controller

Taking into account the nature of Processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Personal Data Breach notification, Data Protection Impact Assessments).

8. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Personal Data. The Processor shall provide the Controller with sufficient information (as reasonably available) to allow the Controller to meet its obligations under Article 33 and 34 of the GDPR.

9. Data Return and Deletion

9.1. Data Handling on Termination

Upon termination of the Agreement or upon the Controller's written request, the Processor shall, at the choice of the Controller, delete or return all Controller Personal Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

9.2. Data Retention Policy Adherence

The Processor shall adhere to the data retention and deletion timelines specified in its Privacy Policy (e.g., deletion of original files and recipient data 90 days after project archiving, immediate deletion of watermarked files post-transmission), unless otherwise agreed or legally required.

10. Audit Rights

10.1. Information Availability

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR.

10.2. Audit Process

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (who is not a competitor of the Processor). Such audits shall be subject to:
- a) Reasonable prior written notice (at least 30 days unless legally required otherwise or following a confirmed security incident);
- b) A written non-disclosure agreement between the Controller (or its auditor) and the Processor;
- c) Conducted during Processor's normal business hours and in a manner that does not unreasonably interfere with Processor's business operations;
- d) Limited to once per year unless mandated by a Supervisory Authority or following a confirmed security incident affecting Controller Personal Data;
- e) The Controller bearing all costs associated with the audit.

10.3. Alternative Audit Reports

As an alternative to an on-site audit, the Processor may provide current third-party audit reports (e.g., ISO 27001, SOC 2 if available for the specific services) to demonstrate compliance, where applicable.

11. International Transfers

11.1. Primary Processing Location

The Processor shall Process Controller Personal Data primarily within the European Economic Area (EEA).

11.2. Transfer Restrictions

The Processor shall not transfer Controller Personal Data outside the EEA unless it ensures compliance with the provisions of Chapter V of the GDPR (e.g., by implementing Standard Contractual Clauses approved by the European Commission, or relying on an adequacy decision, or other appropriate safeguards).

11.3. Subprocessor Locations and Safeguards

The Controller acknowledges that certain Subprocessors (as listed in Annex 3) may be headquartered outside the EEA (e.g., USA), but Processing of Controller Personal Data by these Subprocessors is conducted within the EEA as specified in Annex 3. Any required access from outside the EEA by such Subprocessors (e.g., for support) shall be subject to appropriate safeguards compliant with GDPR.

12. Liability

Liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability towards Data Subjects under GDPR.

13. Term and Termination

This DPA shall remain in effect for as long as the Processor Processes Controller Personal Data under the Agreement. Termination of the Agreement shall automatically terminate this DPA. Provisions which by their nature should survive termination (e.g., confidentiality, data deletion) shall survive.

14. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Hungary. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts specified in the Agreement ([Komárom-Esztergom County, Hungary OR Budapest, Hungary] - Ensure this matches ToS).

15. Incorporation

This DPA is incorporated into and forms an integral part of the Agreement. In case of conflict between this DPA and the Agreement, the terms of this DPA shall prevail concerning the subject matter of data protection.

---

Annex 1: Details of Processing

• (a) Subject Matter: The provision of the CrewMailer secure document watermarking and distribution services as described in the Agreement.
• (b) Duration: For the term of the Agreement, plus the period until deletion of all Controller Personal Data by the Processor in accordance with the DPA and Privacy Policy.
• (c) Nature and Purpose
  • To enable Controller to upload, store, manage, and organize production documents (including PDFs).
  • To enable Controller to create and manage lists of recipients (project members, distribution groups).
  • To apply unique watermarks to PDF documents based on recipient identity as configured by the Controller.
  • To transmit documents (watermarked PDFs and other attached files) via email to recipients designated by the Controller.
  • To track email delivery status.
  • To provide associated support and troubleshooting services.
  • Processing initiated and controlled by the Controller through the Service interface.
• (d) Types of Personal Data Processed
  • Contact information of recipients added by the Controller (e.g., Name, Email Address).
  • Personal Data contained within the documents uploaded by the Controller (User Content). The specific types are determined solely by the Controller but may include names, roles, contact details, schedules, etc. of cast, crew, and other production personnel.
  • Metadata related to document distribution (e.g., recipient, sender, timestamp, delivery status, IP address).
• (e) Categories of Data Subjects
  • Individuals whose Personal Data is contained within the documents uploaded by the Controller (e.g., cast, crew, production staff, vendors).
  • Individuals added by the Controller as recipients for document distribution (project members, distribution group members).

---

Annex 2: Security Measures

The Processor implements and maintains the following technical and organizational security measures:

1. Data Encryption
   • Encryption of data in transit using industry-standard protocols (TLS 1.2 or higher) for all external communications (web access, API calls, email transmission via ZeptoMail).
   • Encryption of sensitive data at rest (e.g., database storage), where appropriate, using industry-standard algorithms (e.g., AES-256).
2. Access Control
   • Authentication controls for user access to the Service (password hashing).
   • Role-based access controls within the Processor's organization to limit access to Controller Personal Data to authorized personnel on a need-to-know basis.
   • Logging and monitoring of access to production systems.
3. Infrastructure Security
   • Hosting infrastructure provided by reputable providers (Hetzner, Neon/AWS) located within secure data centers in the European Union (Germany).
   • Network security measures (firewalls, intrusion detection/prevention systems where applicable).
   • Regular patching and vulnerability management for systems supporting the Services.
4. Data Minimization
   • Watermarked files are deleted immediately after successful email transmission.
   • Data retention policies are implemented as described in the Privacy Policy and DPA.
5. Resilience and Availability
   • Implementation of backup procedures for Controller Personal Data stored within the Service (database backups).
   • Service infrastructure designed for high availability (consistent with the 99.9% uptime target in ToS).
6. Personnel Security
   • Confidentiality agreements with personnel authorized to access Controller Personal Data.
   • Security awareness training for relevant personnel.
7. Testing and Auditing
   • Regular internal security reviews.
   • Potential engagement of third parties for security testing (e.g., penetration testing) as deemed appropriate.
8. Incident Management
   • Procedures in place to detect, respond to, and report Personal Data Breaches as required by GDPR.

---

Annex 3: Subprocessors

The following Subprocessors are engaged by CrewMailer to provide the Services as of the DPA Effective Date:

Subprocessor Entity Name	Service Provided	Location of Processing (Country/Region)
Neon Inc. (via AWS)	Managed PostgreSQL Database Hosting	Germany (AWS EU Frankfurt Region)
Hetzner Online GmbH	Application Backend & Frontend Server Hosting	Germany (Falkenstein)
Zoho Corporation B.V.	Transactional Email Gateway (ZeptoMail)	Netherlands (EU)
Auth0 by Okta	Authentication Services	Global (with EU-US Privacy Shield)