Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Alvaro Berlanga, operating Conduct Studio (NIF 53995589F, Calle Estrellas 2, 28224 Pozuelo de Alarcón, Madrid, Spain) ("we", "us", "Processor"). It applies where, in your use of the Service, we Process Personal Data on your behalf — for example, personal data contained in your content or relating to collaborators you invite.

For that Personal Data, you are the Controller and we are the Processor. You determine the purposes and means of Processing; we Process only on your documented instructions. For account, billing, and security data we collect to run the Service, we act as an independent Controller as described in our Privacy Policy. Capitalised terms not defined here have the meaning in the GDPR or the Terms of Service. Where this DPA conflicts with the Terms of Service on data-protection matters, this DPA prevails.

Subject-matter: provision of the Conduct Studio cue-management and collaboration Service. Duration: for the term of your subscription plus the deletion windows in the Terms. Nature & purpose: hosting, storage, transmission, transcoding, backup, and display of your content and collaboration data to deliver the Service. Types of Personal Data: names, email addresses, profile images, organisation and role data, messages and comments, and any Personal Data you choose to include in uploaded content. Categories of data subjects: your personnel, collaborators (directors, editors, clients), and any individuals whose Personal Data appears in your content. We do not intend the Service for special-category data and ask that you not upload it unless strictly necessary and lawful.

We Process Customer Personal Data only on your documented instructions, including as set out in this DPA, the Terms of Service, and your configuration and use of the Service, unless required to do otherwise by EU, Member State, or other applicable law (in which case we will inform you, unless legally prohibited). We will promptly inform you if, in our opinion, an instruction infringes applicable data-protection law. We will not sell Customer Personal Data, and will not use it for our own purposes, advertising, or to train AI/ML models.

We ensure that persons authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only on a need-to-know basis to provide and support the Service. Staff support access is logged and time-limited as described in our Privacy Policy.

We implement appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art, costs, and the nature and risks of Processing (Article 32 GDPR). These include: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based and row-level access controls; opaque storage keys and time-limited signed URLs for media; tenant isolation; least-privilege administrative access with audit logging; secure software-development and dependency-audit practices; and regular backups. The full current measures are summarised in Annex 2, available on request.

You grant general authorisation for us to engage sub-processors to support the Service. Our current sub-processors are published at conductstudio.com/legal/subprocessors. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain fully liable to you for their performance.

We will give you advance notice of any new sub-processor before authorising it to Process Customer Personal Data (by updating the list and, if you have subscribed, by email). You may object on reasonable data-protection grounds within 30 days; if we cannot reasonably accommodate the objection, you may terminate the affected part of the Service.

Taking into account the nature of the Processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). The Service provides self-serve tools (export, deletion, rectification) that enable much of this directly. If we receive a request relating to your data subjects, we will direct the requester to you and not respond directly except on your instruction or as legally required.

We will assist you, taking into account the nature of Processing and information available to us, in ensuring compliance with your obligations under Articles 32–36 GDPR, including security, breach notification, data-protection impact assessments, and prior consultation.

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal-Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, likely consequences, and measures taken or proposed. You are responsible for any notifications you must make to authorities or data subjects, with our reasonable assistance.

On termination of the Service, and at your choice, we will delete or return Customer Personal Data, and delete existing copies, except to the extent applicable law requires storage. Deletion follows the timelines in the Terms of Service (including grace and backup-purge windows). You may export your data using the Service's export tools at any time before deletion.

We host Customer Personal Data in the EU. Where Processing by a sub-processor involves a transfer outside the EU/EEA or UK, that transfer is governed by an adequacy decision (including the EU-US Data Privacy Framework where applicable), the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) with the appropriate Module, and/or the UK IDTA or Addendum and the Swiss addendum, together with supplementary measures. The applicable clauses are incorporated by reference and available on request.

We will make available to you information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, no more than once per year (unless required by a supervisory authority), subject to confidentiality and to not unreasonably disrupting our operations. Where available, we may satisfy audit requests by providing relevant third-party reports or documentation.

This DPA is subject to the liability provisions of the Terms of Service. It takes effect when you accept the Terms (or begin using the Service to Process Personal Data of others) and continues for as long as we Process Customer Personal Data. It is governed by the law of Spain.

Data-protection contact: privacy@mail.conductstudio.com

Alvaro Berlanga · NIF 53995589F · Calle Estrellas 2, 28224 Pozuelo de Alarcón, Madrid, Spain.