Draft notice: this Data Processing Addendum is a working draft. Replace with lawyer-reviewed text and confirm: sub-processor list current; security measures match V85 work; breach-notification window matches your incident-response capability; SCCs version current.
Data Processing Addendum
Last updated 2026-04-25 · Version 1
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Controller”) and IAVA Productions (“Processor”) and applies whenever Processor processes personal data on behalf of Controller in the course of providing the IAVA one service. This DPA is designed to comply with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Swiss FADP.
To countersign this DPA, email anton@iava.one with your organization name, address, and signatory contact. We will return a countersigned copy by email.
1. Definitions
- Controller: you, the customer who decides the purposes and means of processing personal data via IAVA one.
- Processor: IAVA Productions, processing personal data on behalf of Controller.
- Personal Data: any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller via the Service.
- Sub-processor: a third party engaged by Processor to assist with processing personal data.
- Data Subject: the individual to whom Personal Data relates (typically Controller's clients, leads, contacts).
- Other terms have the meanings given in the GDPR.
2. Subject matter, duration, nature, and purpose
- Subject matter: provision of the IAVA one customer-relationship-management and project-management Service.
- Duration: for as long as Controller's account is active, plus any post-termination retention period required by law.
- Nature: collection, storage, structuring, retrieval, transmission, deletion, and use in AI features as configured by Controller.
- Purpose: enabling Controller to manage their video-production business — clients, leads, projects, invoices, deliverables, and related communications.
3. Categories of data subjects and personal data
Data subjects: Controller's clients, leads, employees / collaborators, and any other natural persons whose data Controller chooses to enter into the Service.
Categories of personal data (typical):
- Identification data: name, email, phone, company.
- Communication data: email subjects/bodies (when Gmail is connected), calendar events.
- Project data: scope, budget, timeline, deliverables, notes.
- Financial data: invoices, payment status (no card numbers — handled by Stripe).
- AI-derived data: extracted facts, summaries, drafted replies (generated from Controller's own data).
Special-category data: Processor does not require special-category personal data. Controller agrees not to use the Service to process such data without first informing Processor and entering into appropriate additional safeguards.
4. Sub-processors
Processor engages the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database + auth | EU / US |
| Vercel | Application hosting | Global edge |
| Stripe | Payment processing | US / IE |
| OpenRouter | AI API gateway | US |
| Resend | Transactional email | US |
| Gmail / Calendar OAuth | | Global |
| Sentry | Error monitoring | US |
Processor will provide Controller with at least 30 days' advance notice of any new sub-processor or change to this list. Controller may object to such changes by notifying Processor; if the parties cannot resolve the objection, Controller may terminate the affected service.
5. Security measures
Processor implements appropriate technical and organizational measures to protect Personal Data, including:
- TLS 1.2+ for all data in transit.
- AES-256-GCM encryption at rest for OAuth refresh tokens and other secrets.
- Row-level security (RLS) on all customer-scoped database tables; public-token surfaces use a dedicated anon client with token-validated policies.
- HMAC-signed OAuth state parameters to prevent CSRF / state-substitution attacks.
- High-entropy (256-bit) random tokens for public sharing URLs; row primary keys are never used as public tokens.
- Public-form input is wrapped in delimiters before being passed to AI prompts to mitigate prompt injection.
- Rate limiting on public endpoints; audit logging of public-portal access.
- Principle of least privilege for Processor personnel.
- Regular security review of dependencies and infrastructure.
- Backup and disaster-recovery procedures aligned with the underlying database provider (Supabase).
6. Data subject rights
Processor will, taking into account the nature of the processing, assist Controller with appropriate technical and organizational measures to fulfill Controller's obligations to respond to data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). Controller can exercise its admin actions (account deletion, data export) directly via the Service; for additional support, contact anton@iava.one.
7. Personal data breach notification
Processor will notify Controller without undue delay — and in any event within seventy-two (72) hours — after becoming aware of a personal data breach affecting Controller's data. Notification will include the nature of the breach, categories and approximate number of data subjects, likely consequences, and mitigation measures.
8. International data transfers
When Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, Processor relies on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor, 2021/914) and equivalent safeguards under the UK Addendum and Swiss FADP, incorporated into this DPA by reference.
9. Audit rights
Upon reasonable written request and no more than once per year (except where required by a supervisory authority), Processor will provide Controller with information necessary to demonstrate compliance with this DPA. Processor may satisfy such requests by providing third-party audit reports (e.g., its sub-processors' SOC 2 reports) where available.
10. Term, return, and deletion
This DPA is effective for as long as Processor processes Personal Data on Controller's behalf. Upon termination of the Service, Controller may export its data via the Settings page; Processor will delete Personal Data from active systems within 30 days and from backups within 90 days unless retention is required by law.
11. Governing law
This DPA is governed by the law of the Province of Ontario, Canada, except to the extent the Standard Contractual Clauses are governed by the law of the EU member state where the data exporter is established.
12. Order of precedence
In the event of any conflict between this DPA, the Standard Contractual Clauses, and the Terms of Service, the order of precedence is: (1) Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.
13. Contact
IAVA Productions, Ontario, Canada
Email: anton@iava.one