Data processing agreement.
Effective date: 10 June 2026
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Servicebetween you (“Customer”, the controller) and Curtyn (the processor). It applies whenever we process personal data on your behalf in providing the service — for example the cast, crew, client, and contact details you store in projects, call sheets, and contact records. It reflects the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”). If there is any conflict between this DPA and the Terms of Service on the subject of personal data, this DPA prevails.
1. Parties and roles
The Customer is the data controller and determines the purposes and means of the processing. Curtyn — a trade name of Ruben Wijnheijmer (sole proprietorship / eenmanszaak), Rector Coppenserf 101, 5046 AX Tilburg, Netherlands, KvK 65353498, BTW-ID NL002338831B79 — is the data processor and processes personal data only on the Customer’s behalf. Where the Customer is itself a processor for a third party, Curtyn acts as a sub-processor and these terms apply accordingly.
2. Subject matter, duration, nature and purpose
Curtyn processes personal data to provide the service described in the Terms of Service: hosting, storing, transcoding, displaying, delivering, and otherwise making available the Customer’s content and project data. Processing continues for as long as the Customer’s account is active and for the limited retention periods described in our Privacy Policy, after which the data is deleted in accordance with Section 9 below.
3. Types of personal data and categories of data subjects
- Types of data: identification and contact details (names, email addresses, phone numbers, roles/positions), and any other personal data the Customer chooses to include in projects, scripts, schedules, call sheets, contact records, messages, or uploaded files.
- Categories of data subjects:the Customer’s clients, cast, crew, collaborators, and other contacts whose data the Customer uploads or creates on the platform.
The Customer must not upload special categories of personal data (GDPR Art. 9) unless it has a lawful basis to do so, and is responsible for ensuring a lawful basis exists for all data it processes through the service.
4. Processing only on instructions
Curtyn processes personal data only on the Customer’s documented instructions, including with regard to transfers, unless required to do so by EU or member-state law — in which case Curtyn will inform the Customer of that requirement before processing, unless the law prohibits it. The Terms of Service, this DPA, and the Customer’s use of the service’s features constitute the Customer’s complete and final instructions. Curtyn will inform the Customer if, in its opinion, an instruction infringes the GDPR.
5. Confidentiality
Curtyn ensures that any person authorised to process the personal data is bound by an appropriate duty of confidentiality and processes the data only as instructed.
6. Security
Curtyn implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by GDPR Art. 32. These are summarised in Annex II. All personal data is encrypted in transit (TLS) and at rest, access to production systems is restricted on a need-to-know basis, and data is protected by the access controls (including Row Level Security) of the platform.
7. Sub-processors
The Customer provides general authorisation for Curtyn to engage the sub-processors listed in Annex I to process personal data. Each sub-processor is engaged under a written contract imposing data-protection obligations equivalent to those in this DPA. Curtyn will give the Customer prior notice of any intended addition or replacement of a sub-processor (by email or in-app notice), allowing the Customer a reasonable period to object on reasonable data-protection grounds. Curtyn remains fully liable to the Customer for the performance of each sub-processor’s obligations.
8. Assistance to the controller
Taking into account the nature of the processing, Curtyn assists the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). Curtyn also assists the Customer in ensuring compliance with its obligations under GDPR Art. 32–36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the information available to Curtyn.
9. Personal data breaches
Curtyn notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data, and provides the information reasonably available to it to help the Customer meet its own breach notification obligations.
10. Return and deletion
On termination of the service, and at the Customer’s choice, Curtyn deletes or returns the personal data and deletes existing copies, unless EU or member-state law requires storage. Deletion follows the schedule in the Privacy Policy (files within 30 days; other business records within 90 days). The Customer can export its data before deletion.
11. Audits
Curtyn makes available to the Customer the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are limited to once per year (except after a breach or where required by a supervisory authority), conducted on reasonable notice and during business hours, and must not unreasonably disrupt the service.
12. International transfers
Curtyn hosts primary data in the EU. Where Curtyn or a sub-processor transfers personal data outside the European Economic Area, the transfer is covered by an adequacy decision where one applies (including the EU–US Data Privacy Framework) or by the European Commission’s Standard Contractual Clauses, which are incorporated into the relevant sub-processor contracts, together with appropriate supplementary measures.
13. Duration and conflict
This DPA takes effect when the Customer accepts the Terms of Service and remains in force for as long as Curtyn processes personal data on the Customer’s behalf. It is governed by the law of the Netherlands.
Annex I — Sub-processors
- Supabase — database hosting and authentication (EU region).
- Backblaze — encrypted cloud file storage.
- Hetzner / Vultr — ephemeral video processing and transcoding servers.
- Cloudflare — content delivery network and security routing.
- Vercel — frontend hosting and edge network.
- Mollie — payment processing and subscription management.
- Resend — transactional email delivery.
Annex II — Technical and organisational measures
- Encryption of personal data in transit (TLS) and at rest.
- Row Level Security and access controls scoping data to authorised accounts.
- Need-to-know access to production systems, with restricted credentials.
- Signed, time-limited URLs for file access.
- Routine database backups and storage redundancy.
- Logging and monitoring for security and abuse prevention.
- Soft-delete with scheduled permanent destruction of removed data.
Contact
Questions about this DPA, or to send data-protection instructions or requests, email support@curtyn.com.