1

2

3

4

5

6

7

8

9

10

11

12

1
Data Protection Addendum
This current consolidated Data Protection Addendum was published on [insert date].
1 Definitions
1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same
rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this
Data Protection Addendum the following definitions have the meanings given below:
Controller has the meaning given to that term in Data Protection
Laws;
Data Protection Laws means, as applicable to either party or the Services:
(a) the EU GDPR;
(b) the UK GDPR and the UK DPA 2018;
(c) any laws which implement or supplement any
such laws; and
(d) any laws that replace, extend, re-enact,
consolidate or amend any of the foregoing;
Data Protection Losses means all liabilities arising directly or indirectly from any
breach or alleged breach of any of the Data Protection
Laws or of this Data Protection Addendum, including
all:
(a) costs (including legal costs), claims, demands,
actions, settlements, interest, charges,
procedures, expenses, losses and damages
(including relating to material or non-material
damage);
(b) administrative fines, penalties, sanctions,
liabilities or other remedies imposed by a
Supervisory Authority;
(c) compensation which is ordered by a court or
Supervisory Authority to be paid to a Data
Subject; and/or
(d) costs of compliance with investigations by a
Supervisory Authority;
Data Subject has the meaning given to that term in Data Protection
Laws;
Data Subject Request means a request made by a Data Subject to exercise
any rights of Data Subjects under Chapter III of the
GDPR in relation to any Protected Data;

2
EEA Data Protection Laws means Data Protection Laws applicable under the laws
of the European Economic Area, the European Union
or any of their member states;
EEA Protected Data means Protected Data to which any EEA Data
Protection Laws apply;
EU GDPR means the General Data Protection Regulation,
Regulation (EU) 2016/679;
GDPR means the EU GDPR and the UK GDPR (as applicable
in the circumstances);
Lawful Safeguards means such legally enforceable mechanism(s) for
Transfers of Personal Data as may be permitted under
Data Protection Laws from time to time;
Personal Data has the meaning given to that term in Data Protection
Laws;
Personal Data Breach means any breach of security leading to the accidental
or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, any Protected Data;
processing has the meaning given to that term in Data Protection
Laws (and related terms such as process, processes
and processed have corresponding meanings);
Processing Instructions has the meaning given to that term in paragraph 3.1.1;
Processor has the meaning given to that term in Data Protection
Laws;
Protected Data means Personal Data in the Customer Data;
Relevant Law means:
(a) in respect of EEA Protected Data, all
applicable law(s) of the European Economic
Area and European Union and of the relevant
member state(s) of either; and
(b) in respect of UK Protected Data, all applicable
law(s) of the United Kingdom (or of any part of
the United Kingdom);
Sub-Processor means a Processor engaged by the Supplier or by any
other Sub-Processor for carrying out processing
activities in respect of the Protected Data on behalf of
the Customer;
Supervisory Authority means any local, national or multinational agency,
department, official, parliament, public or statutory
person or any government or professional body,

3
regulatory or supervisory authority, board or other body
responsible for administering Data Protection Laws;
Transfer bears the same meaning as the word ‘transfer’ in
Article 44 of the GDPR (and related terms such as
Transfers, Transferred and Transferring have
corresponding meanings);
UK Data Protection Laws means the Data Protection Laws applicable under the
laws of the United Kingdom (or of any part of the
United Kingdom), including the UK GDPR and UK DPA
2018;
UK DPA 2018 means the United Kingdom’s Data Protection Act 2018;
UK GDPR has the meaning given to that term in the UK DPA
2018; and
UK Protected Data means Protected Data to which any UK Data
Protection Laws apply.
2 Processor and Controller
2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and the
Supplier shall be the Processor. Nothing in our Agreement relieves the Customer of any
responsibilities or liabilities under any Data Protection Laws.
2.2 For the avoidance of doubt, you agree and acknowledge the Supplier does not determine the
content, lawfulness or compliance of prompts, Customer Data or Outputs and acts solely on
the Customer’s instructions.
2.3 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has
full authority and authorisation of all relevant Controllers to instruct the Supplier to process the
Protected Data in accordance with our Agreement.
2.4 The Supplier shall process Protected Data in compliance with:
2.4.1 the obligations of Processors under Data Protection Laws in respect of the
performance of its obligations under our Agreement; and
2.4.2 the terms of our Agreement.
2.5 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times
comply with:
2.5.1 all Data Protection Laws in connection with the processing of Protected Data, the use
of the Services (and each part) and the exercise and performance of its respective
rights and obligations under our Agreement, including maintaining all relevant
regulatory registrations and notifications as required under Data Protection Laws; and
2.5.2 the terms of our Agreement.
2.6 The Customer warrants, represents and undertakes, that at all times:

4
2.6.1 the processing of all Protected Data (if processed in accordance with our Agreement)
shall comply in all respects with all Data Protection Laws, including in terms of its
collection, use and storage;
2.6.2 fair processing and all other appropriate notices have been provided to the Data
Subjects of the Protected Data (and all necessary consents from such Data Subjects
obtained and at all times maintained) to the extent required by all Data Protection
Laws in connection with all processing activities in respect of the Protected Data that
may be undertaken by the Supplier and its Sub-Processors in accordance with our
Agreement;
2.6.3 the Protected Data is accurate and up to date;
2.6.4 it shall establish and maintain adequate security measures to safeguard the
Protected Data in its possession or control (including from unauthorised or unlawful
destruction, corruption, processing or disclosure) and maintain complete and
accurate backups of all Protected Data provided to the Supplier (or anyone acting on
its behalf) so as to be able to immediately recover and reconstitute such Protected
Data in the event of loss, damage or corruption of such Protected Data by the
Supplier or any other person;
2.6.5 all instructions given by it to the Supplier in respect of Personal Data shall at all times
be in accordance with Data Protection Laws; and
2.6.6 it has undertaken due diligence in relation to the Supplier’s processing operations and
commitments and it is satisfied (and for so long as it continues to use the Services,
remains satisfied) that:
(a) the Supplier’s processing operations are suitable for the purposes for which
the Customer proposes to use the Services and engage the Supplier to
process the Protected Data;
(b) the technical and organisational measures set out in Schedule 1 (each as
updated from time to time) shall (if the Supplier complies with its obligations
under such Addendum and our Agreement) ensure a level of security
appropriate to the risk in regard to the Protected Data as required by Data
Protection Laws; and
(c) the Supplier has sufficient expertise, reliability and resources to implement
technical and organisational measures that meet the requirements of Data
Protection Laws.
2.7 If the Supplier is subject to any applicable law at any time that conflicts with any of its
obligations under this Data Protection Addendum it may immediately terminate our
Agreement by notice unless the conflict has been resolved to the Supplier’s satisfaction prior
to such notice of termination.
3 Instructions and details of processing
3.1 Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:
3.1.1 unless required to do otherwise by Relevant Law, shall (and shall take steps to
ensure each person acting under its authority shall) process the Protected Data only

5
on and in accordance with the Customer’s documented instructions as set out in our
Agreement, as updated from time to time (Processing Instructions);
3.1.2 if Relevant Law requires it to process Protected Data other than in accordance with
the Processing Instructions, shall notify the Customer of any such requirement before
processing the Protected Data (unless Relevant Law prohibits such information on
important grounds of public interest); and
3.1.3 shall promptly inform the Customer if the Supplier becomes aware of a Processing
Instruction that, in the Supplier’s opinion, infringes Data Protection Laws, provided
that:
(a) this shall be without prejudice to paragraphs 2.5 and 2.6; and
(b) to the maximum extent permitted by applicable law, the Supplier shall have
no liability howsoever arising (whether in contract, tort (including negligence)
or otherwise) for any losses, costs, expenses or liabilities (including any Data
Protection Losses) arising from or in connection with any processing in
accordance with the Processing Instructions following the Customer’s receipt
of the information required by this paragraph 3.1.3.
3.2 The Customer agrees that:
3.2.1 use of the Services includes the processing of Protected Data through automated
systems and third-party Sub-Processors (including AI and machine learning
providers) as necessary to provide the Services, and that such processing forms part
of the Customer’s documented instructions;
3.2.2 the Supplier (and each Sub-Processor) is not obliged to undertake any processing of
Protected Data that the Supplier reasonably believes infringes any of the Data
Protection Laws and shall not be liable (or subject to any reduction or set-off of any
Prices otherwise payable to the Supplier) to the extent that it (or any Sub-Processor)
is delayed in or fails to perform any obligation under our Agreement as a result of not
undertaking any processing in such circumstances; and
3.2.3 without prejudice to any other right or remedy of the Supplier, in the event the
Customer has not resolved any Processing Instruction notified to it under paragraph
3.1.3 such that it is lawful in the Supplier’s reasonable opinion within 14 days of such
notification then such circumstances are a material breach of our Agreement by the
Customer that cannot be remedied and the Supplier may terminate our Agreement in
accordance with its terms.
3.3 The Customer shall be responsible for ensuring all of its Affiliates and Authorised Users read
and understand the Privacy Policy (as updated from time to time).
3.4 The Customer acknowledges and agrees that the execution of any computer command to
process (including deletion of) any Protected Data made in the use of any of the Services by
an Authorised User will be a Processing Instruction (other than to the extent such command is
not fulfilled due to technical, operational or other reasons). The Customer shall ensure that
Authorised Users do not execute any such command unless authorised by the Customer (and
by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data
is deleted pursuant to any such command the Supplier is under no obligation to seek to
restore it.

6
3.5 Subject to applicable Subscription Plans the processing of the Protected Data by the Supplier
under our Agreement shall be for the subject-matter, duration, nature and purposes and
involve the types of Personal Data and categories of Data Subjects set out in The Schedule.
4 Technical and organisational measures
4.1 The Supplier shall implement and maintain technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by the Supplier, as set out in Schedule
1; and
4.1.2 to assist the Customer insofar as is commercially reasonable and possible (taking
into account the nature of the processing) in the fulfilment of the Customer’s
obligations to respond to Data Subject Requests relating to Protected Data, in each
case at the Customer’s cost on a time and materials basis. The parties have agreed
that (taking into account the nature of the processing) the Supplier’s compliance with
paragraph 6.1 shall constitute the Supplier’s sole obligations under this paragraph
Error: Reference source not found.
5 Using staff and other Processors
5.1 The Customer hereby grants the Supplier a general authorisation to engage Sub-Processors
to carry out processing activities in respect of the Protected Data in connection with the
Agreement. This includes Sub-Processors providing AI and machine learning services used
to process Protected Data as part of the Services.
5.2 The Supplier may appoint new Sub-Processors or replace existing Sub-Processors by
providing the Customer with prior notice of any intended changes.
5.3 The Customer may object to the appointment of a new Sub-Processor (or any replacement
Sub-Processor) on reasonable grounds relating to data protection by terminating our
Agreement in accordance with its rights following the update notification introducing the
change before that update takes effect in accordance with our Agreement.
5.4 The Supplier shall:
5.4.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of
the Protected Data, ensure that each Sub-Processor is appointed under a written
contract containing materially the same obligations as under paragraphs 2 to 12
(inclusive) (including those obligations relating to sufficient guarantees to implement
appropriate technical and organisational measures); and
5.4.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they
were its own.
5.5 The Supplier shall ensure that all persons authorised by it (or by any Sub-Processor) to
process Protected Data are subject to a binding written contractual obligation to keep the
Protected Data confidential in a manner consistent with the Supplier’s confidentiality
obligations under our Agreement.
6 Assistance with compliance and Data Subject rights
6.1 The Supplier shall refer all Data Subject Requests it receives to the Customer without undue
delay. The Customer shall pay the Supplier for all work, time, costs and expenses incurred by

7
the Supplier or any Sub-Processor(s) in connection with such activity, calculated on a time
and materials basis.
6.2 The Supplier shall provide such assistance as the Customer reasonably requires (taking into
account the nature of processing and the information available to the Supplier) to the
Customer in ensuring compliance with the Customer’s obligations under Data Protection
Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection
Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by
the Customer in response to any Personal Data Breach,
provided the Customer shall pay the Supplier for all work, time, costs and expenses incurred
by the Supplier or any Sub-Processor(s) in connection with providing the assistance in this
paragraph 6.2, calculated on a time and materials basis and such assistance shall not require
the Supplier to disclose proprietary or confidential information or to modify the Services.
7 International data transfers
7.1 The Customer instructs and authorises the Supplier and its Sub-processors to transfer and
process Personal Data outside the United Kingdom and/or European Economic Area as
necessary to provide the Services. This may include transfers arising from the use of
Sub-Processors providing AI and machine learning services in support of the Services.
7.2 The Supplier shall ensure that any such transfer is carried out in compliance with Data
Protection Laws and is subject to appropriate safeguards, including (where applicable)
adequacy regulations or approved standard contractual clauses.
7.3 The Supplier shall make available information regarding the locations of processing and shall
notify the Customer of any material changes in accordance with this Data Protection
Addendum.
7.4 The Supplier and each Sub-Processor is not obliged to undertake any unlawful Transfer of
Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed
in or fails to perform any obligation under our Agreement due to it (or any Sub-Processor)
being unable (or believing it is unable) to undertake any Transfer in a lawful manner. The
Prices payable to the Supplier shall not be discounted or set-off as a result of any delay or
non-performance of any obligation in accordance with this paragraph Error: Reference source
not found.
8 Information and audit
8.1 The Supplier shall maintain, in accordance with Data Protection Laws binding on the Supplier,
written records of all categories of processing activities carried out on behalf of the Customer.
8.2 Subject to clause 8.3, on request, the Supplier shall provide the Customer (or auditors
mandated by the Customer) with a copy of the third party certifications and audits to the
extent made generally available to its customers. Such information shall be confidential to the

8
Supplier and shall be the Supplier’s Confidential Information as defined in our Agreement,
and shall be treated in accordance with applicable terms.
8.3 The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-
Processor(s) may mean that the Supplier or Customer may not be able to undertake or
facilitate an information request or audit or inspection of any or all Sub-Processors pursuant
to this Data Protection Addendum.
9 Breach notification
9.1 In respect of any Personal Data Breach, the Supplier shall, without undue delay (and in any
event within 72 hours):
9.1.1 notify the Customer of the Personal Data Breach; and
9.1.2 provide the Customer with details of the Personal Data Breach to the extent
reasonably available at the time.
10 Deletion of protected data and copies
Following the end of the provision of the Services (or any part) relating to the processing of
Protected Data the Supplier shall dispose of Protected Data in accordance with its obligations
under our Agreement. The Supplier shall have no liability (howsoever arising, including in
negligence) for any deletion or destruction of any such Protected Data undertaken in
accordance with our Agreement.
11 Compensation and claims
11.1 The Supplier shall be liable for Data Protection Losses (howsoever arising, whether in
contract, tort (including negligence) or otherwise) under or in connection with our Agreement:
11.1.1 only to the extent caused by the processing of Protected Data under our Agreement
and directly resulting from the Supplier’s breach of our Agreement; and
11.1.2 in no circumstances to the extent that any Data Protection Losses (or the
circumstances giving rise to them) are contributed to or caused by any breach of our
Agreement by the Customer (including in accordance with paragraph 3.1.3Error:
Reference source not found).
11.2 If a party receives a compensation claim from a person relating to processing of Protected
Data in connection with our Agreement or the Services, it shall promptly provide the other
party with notice and full details of such claim.
11.3 The parties agree that the Customer shall not be entitled to claim back from the Supplier any
part of any compensation paid by the Customer to the extent that the Customer is liable to
indemnify or otherwise compensate the Supplier in accordance with our Agreement.
11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses
as between the parties, including with respect to compensation to Data Subjects,
notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.4.1 to the extent not permitted by Relevant Law (including Data Protection Laws); and
11.4.2 that it does not affect the liability of either party to any Data Subject.

9
12 Survival
This Data Protection Addendum (as updated from time to time) shall survive termination (for
any reason) or expiry of our Agreement and continue until no Protected Data remains in the
possession or control of the Supplier or any Sub-Processor, except that paragraphs 10 to 12
(inclusive) shall continue indefinitely.

10
THE SCHEDULE
Data Processing Details
Subject-matter of processing:
The provision of an AI-powered, browser-based video generation and editing platform, including
account creation, authentication, content generation, hosting, rendering, editing, storage, analytics,
customer support and related technical and operational functions, as further described in the
Agreement and any applicable Subscription Plans.
Duration of the processing:
For the duration of the Customer’s access to and use of the Services under the Agreement, and
thereafter for any period during which Personal Data is retained in accordance with the Agreement,
the Customer’s documented instructions, or applicable law.
Nature and purpose of the processing:
Processing is carried out:
 in accordance with the rights and obligations of the parties under the Agreement;
 as reasonably necessary to provide, operate, maintain and support the Services;
 as initiated, requested or instructed by Authorised Users or the Customer through their use of
the Services;
 to enable AI-driven video creation, including processing prompts, scripts, uploaded media and
other Customer Data through automated systems and third-party AI and machine learning
providers, generating outputs and related metadata;
 to manage user authentication, subscriptions, billing, credits, security, analytics and customer
support; and
 for compliance with Applicable Laws, enforcement of terms, fraud prevention, and platform
integrity.
Type of personal data:
Depending on Customer use of the Services, the following types of Personal Data may be processed:
 Account and identity data: Names, email addresses, profile images, account identifiers.
 User authentication and access data: OAuth tokens, session identifiers, login timestamps.
 Contact and support data: Communications with customer support.
 Billing and transaction data: Subscription status, billing address, payment status and limited
payment card data (processed via third-party payment providers).
 Technical and usage data: IP addresses, device type, browser type, operating system,
usage logs and behavioural data.

11
 AI interaction data: Personal Data contained in user inputs (including prompts, scripts,
instructions or uploaded materials), generated outputs, and associated interaction logs and
metadata.
Categories of data subjects:
 Authorised Users of the Services;
 employees, contractors or agents of the Customer;
 end users or individuals appearing in Customer-provided content (to the extent Personal Data
is included by the Customer).
Special categories of personal data:
The Supplier does not knowingly or willingly collect or process special category data.
Technical and organisational measures:
The Supplier implements appropriate technical and organisational measures designed to ensure a
level of security appropriate to the risk, including, as appropriate:
• We limit access to Personal Data to those who have a genuine business need to access it.
Those processing Personal Data will do so only in an authorised manner and are subject to a
duty of confidentiality.
• Whilst we cannot guarantee the security of email communications, email correspondence will
be stored securely on our email.
• If a payment is made to us online, we will never retain a copy of an individual’s credit or debit
card details. Our third-party payment processors will securely retain and process the
information they need to process such a transaction.
• Before introducing any new systems or technologies relevant to the processing of Personal
Data, we will where necessary and appropriate undertake and complete a data protection
impact assessment (DPIA) identifying any associated risks.
• Should you become aware of special category data having been provided to us, uploaded to
our AI system or appearing on our website, you can contact us using our details under ‘How
to contact us’ or by making a formal complaint [insert link]. On receipt of such a report, we
will act quickly to delete any special category data that has been brought to our attention.
• We also have procedures to deal with any suspected data security breach. We will notify the
Customer and any applicable regulator of a suspected data security breach where we are
legally required to do so.
These measures are reviewed and updated periodically to reflect changes in technology, industry
practices and risk.
Sub-processors:
The Customer authorises the Supplier to engage Sub-processors to process Personal Data for the
purpose of providing the Services.

12
The Supplier may use Sub-processors for the following categories of services:
 cloud infrastructure and hosting;
 content storage and delivery networks;
 payment processing;
 analytics and performance monitoring;
 customer support and communication tools;
 security, fraud prevention and system monitoring; and
 AI, machine learning providers used for model inference, content generation and related
processing activities.
The Processor shall ensure that any Sub-processor it appoints is subject to data protection
obligations that are no less protective than those set out in this Agreement and remains responsible to
the Customer for the performance of the Sub-processor’s obligations.