Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the Cinelog Terms of Service (the “Agreement”) between Cinelog, LLC (“Cinelog”, “Processor”) and the Customer identified in the Agreement (“Customer”, “Controller”). It applies whenever Cinelog processes Personal Data on behalf of Customer in the course of providing the Service.
In the event of conflict between this DPA and any other part of the Agreement, this DPA prevails for matters of personal data processing.
1. Definitions
Capitalised terms used and not defined in this DPA have the meanings given in the Agreement. Where also used in Data Protection Law, the following terms have their meaning in that law:
- “Data Protection Law” — all laws applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); (e) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (f) Quebec’s Act respecting the protection of personal information in the private sector, S.Q. 2021, c. 25 (“Law 25”); and (g) other applicable privacy laws.
- “Personal Data” — any information relating to an identified or identifiable natural person that Cinelog processes on behalf of Customer under the Agreement.
- “Customer Personal Data” — Personal Data within Customer Content, including Third-Party Personal Data entered by Customer.
- “Sub-processor” — any third party engaged by Cinelog to process Customer Personal Data.
- “SCCs” — the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914.
- “UK Addendum” — the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner’s Office (Version B1.0, in force from 21 March 2022).
- “CCPA Service Provider” — has the meaning given in §1798.140(ag) of the CCPA.
2. Roles and processing details
2.1 Roles
- Customer is the Controller of Customer Personal Data. Customer is responsible for the lawfulness of providing Personal Data to Cinelog and for the instructions it gives to Cinelog.
- Cinelog is the Processor of Customer Personal Data and acts only on Customer’s documented instructions, except where required by law (in which case Cinelog will inform Customer of that requirement unless prohibited).
- Under the CCPA, Cinelog acts as a Service Provider with respect to Customer Personal Data. Cinelog will not (i) sell or share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Cinelog; or (iii) combine Customer Personal Data with personal data Cinelog receives from other sources, except as permitted by §7050(b) of the CCPA Regulations.
2.2 Scope and duration
This DPA applies for as long as Cinelog processes Customer Personal Data under the Agreement, plus any survival period required by §10 of this DPA.
2.3 Customer instructions
Customer’s use of the Service in accordance with the Agreement constitutes its documented instructions to Cinelog for processing. Additional instructions must be agreed in writing.
Cinelog will inform Customer if, in its opinion, an instruction infringes Data Protection Law, but Cinelog has no obligation to assess the legality of Customer’s instructions in general.
3. Processor obligations
Cinelog will:
- Process Customer Personal Data only on Customer’s documented instructions and only for the purposes set out in Annex I.
- Ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality.
- Implement and maintain the technical and organizational measures described in Annex II.
- Take reasonable steps to ensure the reliability of personnel with access to Customer Personal Data.
- Engage Sub-processors only in accordance with §4.
- Assist Customer in fulfilling its obligation to respond to data-subject requests, as described in §5.
- Assist Customer in complying with its obligations under Articles 32–36 of the EU GDPR (security, breach notification, DPIA, consultation with supervisory authority), taking into account the nature of processing and information available to Cinelog.
- Notify Customer of Personal Data Breaches in accordance with §6.
- At Customer’s choice, return or delete Customer Personal Data at the end of the Agreement, as described in §10.
- Make available to Customer the information necessary to demonstrate compliance with this DPA, and allow audits in accordance with §11.
4. Sub-processors
4.1 Authorization
Customer grants Cinelog general authorization to engage Sub-processors, subject to the conditions in this §4. Cinelog’s current list of Sub-processors is published at Sub-processor List (the “Sub-processor List”), which forms Annex III of this DPA.
4.2 Notice of changes
Cinelog will give Customer at least 30 days’ advance notice of the addition of a new Sub-processor that will process Customer Personal Data, by updating the Sub-processor List and notifying Customers who have subscribed to updates (subscribe by emailing info@cinelog.com with the subject “Subscribe: sub-processors”).
4.3 Right to object
If Customer has a reasonable objection to a new Sub-processor on data-protection grounds, Customer may raise it in writing within the 30-day notice period. The parties will work in good faith to resolve the objection (for example by Cinelog offering an alternative configuration of the Service). If a resolution cannot be reached, Customer may terminate the affected portion of the Service on written notice and Cinelog will refund the prepaid portion of any unused fees for that portion.
4.4 Sub-processor obligations
Cinelog will impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA. Cinelog remains liable for the acts and omissions of its Sub-processors as if performed by Cinelog itself.
5. Data-subject requests
The Service provides self-service tools for many data-subject rights (in particular access, export, and deletion). For requests that cannot be fulfilled through the Service, Cinelog will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible.
If a data subject sends a request directly to Cinelog and the request relates to Customer Personal Data, Cinelog will forward the request to Customer without undue delay and will not respond substantively to the data subject other than to acknowledge receipt and identify Customer as the controller.
Cinelog may charge a reasonable fee for assistance that goes beyond what the Service provides as a feature.
6. Personal Data Breaches
Cinelog will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours of becoming aware of it. The initial notice will include, to the extent then known:
- the nature of the breach, including categories and approximate numbers of data subjects and records affected;
- the likely consequences;
- measures taken or proposed to address the breach and mitigate adverse effects;
- a contact for further information.
Cinelog will follow up with additional information as it becomes available. Notice is sent to the email address designated in Customer’s Account, or to the Customer contact identified in an Order.
Customer is responsible for assessing whether the breach is notifiable to regulators or data subjects under Data Protection Law, and for making any such notifications.
7. International transfers
Where Cinelog transfers Customer Personal Data out of the EEA, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, the transfer is governed as follows:
- EEA → United States or other third country: the parties enter into the SCCs (Module Two: Controller to Processor) by reference, with the options below.
- United Kingdom → outside UK: the UK Addendum to the SCCs applies in addition.
- Switzerland → outside Switzerland: the SCCs apply with the modifications described in the FDPIC’s guidance.
7.1 SCC options and parameters
- Clause 7 (Docking clause): not used.
- Clause 9(a) (Sub-processors): Option 2 — general written authorization, with the 30-day notice in §4 of this DPA.
- Clause 11(a) (Independent dispute resolution): the optional language is not included.
- Clause 17 (Governing law): the law of Ireland.
- Clause 18 (Forum and jurisdiction): the courts of Ireland.
- Annex I.A (List of parties): Customer is the data exporter; Cinelog is the data importer. Contact details are in Annex I of this DPA and in the Account record.
- Annex I.B (Description of transfer): as set out in Annex I of this DPA.
- Annex I.C (Competent supervisory authority): the supervisory authority of the EEA Member State in which Customer is established, or — for non-EEA Customers — the Irish Data Protection Commission.
- Annex II (Technical and organizational measures): as set out in Annex II of this DPA.
- Annex III (Sub-processors): the Sub-processor List.
7.2 UK Addendum
Where the UK Addendum applies, the parties enter into it by reference and complete its Part 1 tables using the corresponding fields from the SCCs.
7.3 EU-US Data Privacy Framework
Where a Sub-processor is certified under the EU-US Data Privacy Framework (and equivalent UK and Swiss frameworks), the transfer to that Sub-processor may also rely on the certification. The SCCs continue to apply unless and until the framework is in force as the sole basis for the transfer.
7.4 Conflict
In any conflict between this DPA and the SCCs or the UK Addendum, the SCCs / UK Addendum prevail in respect of matters of international transfer.
8. Security measures
Cinelog will implement and maintain the technical and organizational measures set out in Annex II to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The measures take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to data subjects.
Cinelog may update Annex II over time provided that the level of protection is not materially diminished.
9. Audit rights
9.1 Audit reports
On Customer’s reasonable request, Cinelog will make available the most recent of the following that Cinelog has prepared:
- a SOC 2 Type II report or equivalent third-party audit, once available;
- a summary of recent penetration-test results;
- a written description of its information-security program.
For most Customers, these reports are sufficient evidence of Cinelog’s compliance with this DPA.
9.2 On-site audits
Where Data Protection Law requires it and the audit reports above are not sufficient, Customer (or an independent auditor it appoints, subject to confidentiality obligations and not a competitor of Cinelog) may carry out an audit of Cinelog’s processing activities, on at least 30 days’ written notice, during regular business hours, no more than once every 12 months, at Customer’s expense. Cinelog will reasonably cooperate, subject to its security and confidentiality obligations to its other customers.
10. Return or deletion of data
On termination or expiry of the Agreement, Cinelog will, at Customer’s choice (made within the 30-day export window in §11 of the Agreement), either return Customer Personal Data to Customer in a structured, commonly-used, machine-readable format, or delete it. After the 30-day window, Cinelog will delete Customer Personal Data, except where law requires longer retention (in which case Cinelog will continue to apply this DPA to the retained data and limit further processing to what the law requires).
Backups containing Customer Personal Data are deleted in accordance with Cinelog’s documented backup-rotation schedule (currently 35 days), after which Customer Personal Data is no longer recoverable.
11. Liability
Liability under this DPA is subject to the limitations of liability in the Agreement.
12. Governing law
This DPA is governed by the law that governs the Agreement, except that, for matters of EU GDPR, the governing law is the law of Ireland (consistent with §7.1).
Annex I — Description of processing
A. List of parties
- Data exporter (Controller): Customer, as identified in the Agreement.
- Data importer (Processor): Cinelog, LLC, 12856 N Highway 183, Ste B #1356, Austin, TX 78750, USA; contact: info@cinelog.com.
B. Description of transfer
| Item | Details |
|---|---|
| Categories of data subjects | Customer’s authorized users; collaborators invited by Customer; third-party individuals whose data Customer enters (e.g. crew, cast, vendors, agents, emergency contacts). |
| Categories of personal data | Identity and contact data (name, email, phone, address); profile data (avatar, role, department); production scheduling data (call times, schedules); image likeness (where Customer uploads avatars); emergency-contact data; pseudonymous device and usage identifiers. Cinelog does not provide dedicated fields for sensitive personal data (e.g. banking, payroll, identity documents, dietary or medical details); however, Customer may enter any information into free-form notes fields at Customer’s own discretion. |
| Special categories of data | Not collected through dedicated fields. Where Customer chooses to enter such data into free-form notes (e.g. dietary or medical notes on a call sheet), Customer remains responsible for the lawful basis and any additional conditions under Art. 9 EU GDPR. Cinelog recommends keeping such notes to the minimum necessary for production purposes. |
| Frequency of transfer | Continuous, for the duration of the Agreement. |
| Nature of processing | Hosting; transmission; storage; backup; access provisioning; analytics (where consented to); transactional email delivery; payment processing; and any other operations necessary to deliver the Service. |
| Purpose | To provide the Service in accordance with the Agreement. |
| Retention | For the duration of the Agreement, plus the periods described in the Privacy Notice §8 and §10 of this DPA. |
| For onward transfers to Sub-processors | As described in §4 of this DPA and Annex III. |
C. Competent supervisory authority
The supervisory authority of the EEA Member State in which Customer is established; for non-EEA Customers, the Irish Data Protection Commission.
Annex II — Technical and organizational measures
Cinelog implements the following measures (and reserves the right to update them, provided the protection is not materially diminished):
1. Pseudonymisation and encryption.
- TLS 1.2+ for all data in transit.
- Encryption at rest for production databases, file storage, and backups, using Google Cloud’s managed envelope encryption (AES-256).
- Pseudonymous user IDs in analytics streams.
2. Confidentiality, integrity, availability, and resilience.
- Least-privilege role-based access for personnel; production access logged and reviewed.
- Mandatory two-factor authentication for all Cinelog personnel.
- Sentry hardening: sendDefaultPii: false, masked replays.
- Multi-zone replication for the primary database; daily backups retained 35 days.
- Documented incident-response and business-continuity plans.
3. Restoration of availability.
- Recovery Time Objective (RTO): 4 hours for the core Service.
- Recovery Point Objective (RPO): 1 hour.
4. Regular testing.
- Annual third-party penetration test.
- Automated security scanning of source code and container images on every deployment.
- Quarterly access reviews.
5. Identification and authorization of users.
- One-time email codes for authentication; no shared accounts.
- Role-based access control within the Service.
6. Protection of data during transmission and storage.
- See (1) above.
7. Protection of data during processing.
- Production access requires VPN and audit logging.
- Production data is not used in development or test environments.
8. Physical security.
- Google Cloud’s us-central1 region; physical security is managed by Google under their published certifications (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3).
9. Event logging.
- Access to production systems is logged; logs are retained in accordance with our cloud provider’s standard log-retention cycle.
- Application-level audit events (sign-in, content changes) recorded in the user_actions table.
10. System configuration.
- Infrastructure as Code (Terraform); change-managed.
- Hardened container images; minimal-privilege service accounts.
11. Internal governance.
- Security and privacy policies maintained, reviewed annually.
- Mandatory privacy and security training for all staff with access to Customer Personal Data.
12. Certifications.
- Cinelog is actively pursuing ISO 27001 and SOC 2 Type II certifications. We will update this list when a certification is achieved.
13. Data-protection-by-design and by-default.
- Privacy-impact considerations integrated into product design reviews.
- Defaults set to minimize data collection (e.g. analytics off by default in EEA/UK/CH).
14. Specific measures for the categories of data subjects described in Annex I.B.
- For Third-Party Personal Data (Customer’s crew, cast, etc.) entered into the Service, Cinelog acts as Processor only and routes any direct subject request to Customer (§5 of this DPA).
Annex III — Sub-processors
The Sub-processor List forms Annex III of this DPA and is incorporated by reference: see Sub-processor List.