Legal
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Shotstack Terms and Conditions available at https://shotstack.io/terms (the "Agreement") between the customer identified in the Agreement (the "Customer") and Shotstack Pty Ltd (ABN 32 632 863 024, a company incorporated in Australia) ("Shotstack"). It applies only to the extent Shotstack Processes Personal Data on Customer's behalf in connection with the Services.
This DPA prevails over the Agreement on matters of data protection only, and prevails over any conflicting terms in any Customer-issued purchase order, master services agreement, vendor questionnaire, or data processing agreement, unless those terms have been separately negotiated and signed by an authorised officer of Shotstack. Any Standard Contractual Clauses incorporated by reference prevail over this DPA where mandatorily required.
Capitalised terms not defined here have the meaning given in the Agreement or in Data Protection Laws.
"Data Protection Laws" means, as applicable to the Processing: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); and (c) the Australian Privacy Act 1988 (Cth) including the Australian Privacy Principles ("Privacy Act").
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR.
"Customer Personal Data" means Personal Data that Shotstack Processes on Customer's behalf under the Agreement, as described in Annex 1. Aggregated, de-identified, or anonymised data that does not identify any individual is not Customer Personal Data.
"Sub-processor" means any third party engaged by Shotstack to Process Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner.
2.1 Roles. The parties acknowledge that, in respect of Customer Personal Data, Customer is the Controller and Shotstack is the Processor. Where Customer is itself a Processor acting on behalf of a third-party Controller, Shotstack acts as Sub-processor and this DPA applies to that relationship by extension. This DPA does not apply to Shotstack's Processing of Personal Data as a Controller — including for account administration, billing, security monitoring, internal analytics, and Shotstack's own marketing — which is governed by the Shotstack privacy policy.
2.2 Subject matter. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.
2.3 Term. This DPA takes effect when the Agreement takes effect and terminates automatically with the Agreement. Termination of this DPA does not release Customer from accrued obligations, including any indemnity owed under clause 6.4. Sections relating to deletion, return, audit support, liability, and indemnity survive termination as required.
3.1 Customer warrants that: (a) it has a lawful basis under Data Protection Laws for the Processing it instructs Shotstack to perform; (b) it has provided all required notices to Data Subjects and obtained any consents required; and (c) its instructions to Shotstack do not cause Shotstack to breach Data Protection Laws.
3.2 Customer shall not submit to the Services, without Shotstack's prior written agreement: (a) special categories of Personal Data within the meaning of GDPR Article 9; (b) Personal Data relating to criminal convictions or offences within the meaning of GDPR Article 10; or (c) Personal Data of children processed in a manner requiring parental consent, age-gating, or child-specific regulatory compliance (including under GDPR Article 8, COPPA, or any age-appropriate design code).
3.3 Customer is responsible for the lawfulness, accuracy, and quality of Customer Personal Data and for the Customer-side technical and organisational measures required to protect it (including secure handling of credentials and API keys).
Shotstack shall:
4.1 Documented instructions. Process Customer Personal Data only on Customer's documented instructions. The Agreement, this DPA, and Customer's use of the Services through the documented API constitute Customer's documented instructions; ad-hoc support requests do not expand the scope of instructions. Shotstack shall promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws, and may suspend Processing of any instruction it reasonably believes is unlawful pending Customer's confirmation.
4.2 Confidentiality. Ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations.
4.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art and the nature of the data Processed. Shotstack's measures are described in Annex 2 and may be updated from time to time provided the level of protection is not materially decreased.
4.4 Sub-processors. Customer grants Shotstack a general authorisation to engage Sub-processors. Shotstack:
4.5 Data Subject Rights. Customer is solely responsible for managing Data Subject communications, consents, and rights requests in respect of Customer Personal Data. Taking into account the nature of the Processing, Shotstack shall provide commercially reasonable assistance to enable Customer to respond to Data Subject requests. Where requests are sent directly to Shotstack, it shall promptly forward them to Customer and not respond except as instructed by Customer or required by law. Assistance beyond two (2) hours per quarter is provided at Shotstack's then-current rates.
4.6 DPIA assistance. Shotstack shall provide commercially reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the information available to Shotstack. Assistance beyond two (2) hours per quarter is provided at Shotstack's then-current rates.
4.7 Breach notification. Shotstack shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide such information as Shotstack has available to assist Customer with its own notification obligations under Data Protection Laws.
4.8 Deletion or return. Within thirty (30) days of termination of the Agreement, Shotstack shall delete or return all Customer Personal Data (at Customer's choice), other than copies required to be retained by law or held in routine backup systems pending automatic deletion.
4.9 Records and audit. On reasonable written request, no more than once per twelve (12) month period (more frequently only following a confirmed Personal Data Breach), Shotstack will provide:
Each is subject to a reasonable confidentiality undertaking.
5.1 Where Shotstack Processes Customer Personal Data outside the country of origin, the parties shall rely on a transfer mechanism set out below:
| Transfer scenario | Mechanism |
|---|---|
| EEA → third country without adequacy | EU SCCs Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor), incorporated by reference |
| UK → third country without adequacy | UK Addendum applied to the EU SCCs above |
| Australia → overseas | Australian Privacy Principle 8 reasonable steps |
| Adequacy country | Reliance on the relevant adequacy decision |
5.2 For the EU SCCs: Clause 7 (docking) is not applied; Clause 9, Option 2 (general written authorisation) is selected with the notice period in clause 4.4(d); Clause 11(a) optional language is not selected; Clause 17 governing law is the law of Ireland; Clause 18 forum is the courts of Ireland. Annexes I, II, and III of the EU SCCs are populated by Annexes 1 and 2 of this DPA and the sub-processor list referenced in clause 4.4(a).
5.3 For the UK Addendum: Tables 1, 2, and 3 are populated by reference to this DPA, the EU SCCs above, and the materials referenced in clause 5.2. Table 4: neither party may end the Addendum when the Approved Addendum changes.
6.1 Cap. Shotstack's aggregate liability to Customer arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to and counts towards the limitations of liability set out in the Agreement. Neither party is liable to the other for indirect, consequential, special, exemplary, or punitive damages or for loss of profit, revenue, goodwill, or anticipated savings. The parties shall not be entitled to recover the same loss twice under the Agreement and this DPA.
6.2 No fine pass-through. Shotstack is not liable for administrative fines, penalties, or sanctions imposed on Customer by any supervisory authority, except to the extent such fines are directly and exclusively attributable to Shotstack's material breach of this DPA.
6.3 Statutory rights preserved. Nothing in this clause limits a Data Subject's rights against either party under Clause 12 of the EU SCCs or any other right that cannot be limited under Data Protection Laws.
6.4 Customer indemnity. Customer shall indemnify and hold Shotstack harmless from and against all losses, claims, fines, regulatory penalties, damages, and reasonable legal costs arising from or in connection with: (a) Customer's breach of clause 3 (including breach of the warranties on lawful basis or transmission of prohibited data categories); (b) any third-party claim that Customer Personal Data was processed without a lawful basis; or (c) Customer's instructions, where Shotstack has notified Customer that the instruction may infringe Data Protection Laws and Customer has nevertheless required Shotstack to proceed. The Customer indemnity in this clause 6.4 is not subject to the cap in clause 6.1.
7.1 Governing law. This DPA is governed by the laws of New South Wales, Australia, and the parties submit to the non-exclusive jurisdiction of the courts of New South Wales, except where Data Protection Laws or the SCCs require otherwise (including, where the SCCs apply, the law and forum specified in clause 5.2).
7.2 Precedence. In the event of conflict, the order of precedence is: (1) the SCCs and any other mandatory transfer mechanism; (2) this DPA; (3) the Agreement.
7.3 Notices. Notices under this DPA may be sent to the addresses set out in the Agreement, with a copy of any data protection notice to support@shotstack.io.
7.4 Counterparts and signatures. This DPA may be signed by countersignature, click-accept, or by reference in the Agreement. Customer's continued use of the Services constitutes acceptance.
| Item | Description |
|---|---|
| Subject matter | Provision of the Shotstack Services (cloud-based video and media generation API) to Customer, including ingest, processing, generation, storage, and delivery of media files and metadata supplied or referenced by Customer. |
| Duration | The term of the Agreement, plus any deletion period set out in clause 4.8. |
| Nature and purpose | Automated processing of Customer-supplied content and metadata to render, transform, and deliver media outputs through the Services. |
| Categories of Data Subjects | Determined by Customer. Typically Customer's end users and any individuals depicted in or referenced by Customer-supplied content. |
| Types of Personal Data | Determined by Customer. May include any images, audio, video, text, and metadata that Customer submits through the API and that depict or relate to natural persons. Excludes the categories prohibited by clause 3.2 unless separately agreed in writing. |
| Frequency of transfers | Continuous, on a per-API-call basis. |
| Retention | Generated outputs are retained for 24 hours unless Customer enables longer-term storage or sets a custom retention. Account metadata is retained for the term of the Agreement. |
Competent Supervisory Authority (SCC Annex I.C): Irish Data Protection Commission, or the supervisory authority of the EU Member State in which Customer is established, where applicable.
Shotstack maintains documented internal information security and data-handling policies covering the matters set out below, reviewed periodically. Specific implementations may evolve with industry practice provided the overall level of protection is not materially decreased.