Data Processing Addendum

Parties and Roles

This Data Processing Addendum forms part of the agreement between a Cutform customer and Cutform for the customer's use of the Cutform SaaS platform.

For Customer Personal Data processed through Cutform workspaces, the customer is generally the controller and Cutform is generally the processor. Cutform may act as an independent controller for account administration, billing, fraud prevention, legal compliance, product analytics, and direct user relationship data described in the Privacy Policy.

Scope and Instructions

Cutform will process Customer Personal Data only to provide, secure, maintain, support, improve, and operate Cutform, and otherwise only on the customer's documented instructions, including the agreement, this DPA, workspace configuration, user actions, support requests, and written instructions.

Customer Personal Data may include account data, workspace data, uploaded video/audio/images, voices, likenesses, captions, transcripts, project metadata, social account metadata, post content, usage events, logs, and support data.

Security Measures

Cutform will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Current measures may include TLS encryption in transit, access controls, workspace authorization, database row-level security where applicable, least-privilege access, logging and monitoring, secure storage, backup and recovery processes, vendor review, and secrets managed through environment variables, platform bindings, or equivalent controls.

Subprocessors

Customer gives Cutform general authorization to use subprocessors needed to provide the service. Cutform will require material subprocessors to protect Customer Personal Data under obligations materially equivalent to this DPA.

Current or expected subprocessors include Supabase, Cloudflare, Stripe, Resend, PostHog, ElevenLabs, Google/YouTube APIs, Meta/Instagram/Facebook APIs, LinkedIn API, Brainex or other AI/video processing infrastructure, and logging or observability providers used by Cutform.

International Transfers and Assistance

Cutform and subprocessors may process Customer Personal Data in the UK, EEA, United States, and other countries. Where required, the parties will use appropriate transfer mechanisms such as standard contractual clauses, the UK IDTA or UK addendum, supplementary measures, or other legally recognized safeguards.

Taking into account the nature of processing and information available to Cutform, Cutform will reasonably assist the customer with data subject requests, security obligations, breach notifications, DPIAs, and regulatory consultations where required.

Breach Notice, Deletion, and Audit

Cutform will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data. The notice will include available information about the nature of the breach, affected data, likely consequences, mitigation steps, and a contact point.

After termination, Cutform will delete or return Customer Personal Data in accordance with the customer's written instructions unless retention is required by law. Backup copies may remain until overwritten or deleted under normal cycles, provided they remain protected and are not actively processed except for restoration, security, or legal compliance.

Customers may request reasonable information necessary to demonstrate compliance with this DPA. Audits must be scoped, scheduled in advance, avoid unreasonable disruption, and protect Cutform and third-party confidential information.

Contact

DPA and subprocessor questions can be sent to [email protected].