Data Processing Addendum (DPA)
Summary: This DPA ensures compliance with GDPR, UK GDPR, Swiss FADP, PIPEDA, and other data protection laws. It defines how we process personal data on your behalf, our security obligations, sub-processor management, and international transfer safeguards.
1. Parties and Roles
- Controller: You (the Customer) using 4ShootOps who determines the purposes and means of processing
- Processor: YourDigitalExpert Inc., processing Personal Data on behalf of the Controller
 
Effective Date: Aug 01, 2025
Processor Details:
YourDigitalExpert Inc.
Corporation Number: 16916023
200 – 185 Carlton St, Winnipeg MB R3C 3H7, Canada
2. Processing Details
2.1 Subject Matter
Processing of Personal Data submitted through the 4ShootOps platform for project management, media storage and delivery, communication, billing, analytics, and service operations.
2.2 Duration
Processing continues for the term of the service agreement and thereafter only as necessary for legal compliance or as agreed.
2.3 Nature and Purpose
Storage, hosting, transmission, backup, transformation, metadata extraction, analytics, delivery, customer support, payment reconciliation, and security monitoring.
2.4 Categories of Data Subjects
- Photographers, videographers, studio staff, clients
- End users whose information is included in project files
- Administrative and billing contacts
 
2.5 Categories of Personal Data
- Identity and contact data (names, emails, phone numbers)
- Media content (photos, videos, audio) including metadata
- Contract and project information
- Authentication credentials and account identifiers
- Payment and billing information
- Usage telemetry and logs
 
3. Processor Obligations
3.1 Instructions
Processor shall process Personal Data only on documented instructions from Controller, unless required by law (with notice where permitted).
3.2 Confidentiality
All persons authorized to process Personal Data are bound by confidentiality agreements, with access limited on a need-to-know basis.
3.3 Security Measures
We implement appropriate technical and organizational measures including:
- TLS encryption in transit
- Encryption at rest for backups and sensitive storage
- Role-based access controls and least privilege
- Regular security updates and vulnerability scanning
- Logging, monitoring, and anomaly detection
- Incident response processes
- Secure key management and credential rotation
 
3.4 Data Breach Notification
We will notify Controller within 48 hours of becoming aware of a Personal Data breach, providing the nature of the breach, the categories affected, the likely consequences, and the mitigation measures.
3.5 Assistance
We assist Controller with:
- Data subject requests (access, rectification, erasure, portability)
- Security assessments and impact assessments
- Regulatory compliance and breach notifications
 
3.6 Deletion or Return
Upon termination, we will delete or return all Personal Data at Controller's option, unless retention is required by law. Deletion includes secure purging within 30 days.
4. Sub-processors
4.1 Authorized Sub-processors
Controller consents to the following sub-processors:
| Service | Purpose | Location | 
|---|---|---|
| Stripe | Payment processing | USA | 
| Backblaze B2 | Storage/backup | CA/USA/EU | 
| Amazon S3/Glacier | Archival storage | Multi-region | 
| IDrive® e2 Cloud | Storage/backup | Multi-region | 
| Hetzner | Infrastructure | USA/EU | 
| Cloudflare | CDN/Security | Global | 
| SendGrid | Email delivery | USA | 
| Twilio | SMS/Voice | USA | 
4.2 New Sub-processors
We provide 10 business days' notice before adding new sub-processors. Controller may object on reasonable data protection grounds.
5. International Transfers
Personal Data may be transferred internationally. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) for EEA transfers
- UK Addendum to SCCs for UK data
- Swiss-specific mechanisms where required
- Supplementary technical measures as needed
 
6. Data Subject Rights
If we receive requests from data subjects, we will promptly notify Controller and assist in fulfilling the request as directed.
7. Audit Rights
Controller may audit our compliance with this DPA:
- Minimum 30 days' notice required
- May rely on third-party certifications (SOC 2, ISO 27001)
- Conducted to avoid disruption to operations
- Subject to confidentiality agreements
 
8. Liability
Liability for data protection breaches is governed by the underlying agreement and applicable law. Each party indemnifies the other for breaches of their obligations.
9. Term and Termination
This DPA continues for the duration of the service agreement. Obligations regarding confidentiality and data protection survive termination.
10. Contact Information
For DPA-related inquiries, data subject requests, or audit coordination:
Email: legal@yourdigitalexpert.com
Mail: 200 – 185 Carlton St, Winnipeg MB R3C 3H7, Canada