This Data Processing Agreement ("DPA") forms part of the Terms of Service between Screenplay Studio ("Processor") and you ("Controller") and governs the processing of personal data in connection with the Screenplay Studio service.
1. Scope
This DPA applies to all personal data processed by Screenplay Studio on behalf of users in the course of providing the service. It covers:
- Account and profile information (name, email, avatar)
- Project data and content created within the platform
- Collaboration and communication data
- Usage data and analytics
- Payment and billing information (processed via PayPal)
This DPA is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and supplements our Privacy Policy.
2. Definitions
| Term | Definition |
|---|---|
| Controller | The user or entity that determines the purposes and means of the processing of personal data. In most cases, this is you — the Screenplay Studio user. |
| Processor | Screenplay Studio, which processes personal data on behalf of the Controller to provide the service. |
| Sub-processor | A third-party service provider engaged by Screenplay Studio to assist in processing personal data (e.g., hosting providers, payment processors). |
| Data Subject | An identified or identifiable natural person whose personal data is processed. This includes end users, collaborators, and any individual whose data appears in content created on the platform. |
3. Processor Obligations
In accordance with Article 28 of the GDPR, Screenplay Studio as Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure all persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Respect the conditions for engaging sub-processors
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with security, breach notification, and DPIA obligations
- Delete or return all personal data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with Article 28 obligations
4. Sub-processors
We engage the following sub-processors to deliver our service. Each sub-processor is bound by data processing agreements that offer equivalent protections to this DPA.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | EU (Frankfurt) |
| Vercel Inc. | Application hosting, CDN, edge functions | Global with EU edge nodes |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing, subscription billing | EU / US |
We will notify you of any intended changes to our sub-processors at least 30 days in advance, giving you the opportunity to object. If you object and we cannot reasonably accommodate your objection, you may terminate the affected services.
5. Data Subject Rights
Screenplay Studio will assist the Controller in fulfilling data subject requests under GDPR Articles 15–22, including:
- Right of access — We provide data export tools in your account settings
- Right to rectification — You can update your data at any time through your profile
- Right to erasure — Account and content deletion is available in settings
- Right to restrict processing — Contact us to restrict specific processing activities
- Right to data portability — Export your data in standard formats (JSON, PDF, Fountain)
- Right to object — You may object to specific processing; we will cease unless we have compelling legitimate grounds
We will respond to data subject requests within 30 days. For complex requests, this may be extended by an additional 60 days with notification.
6. Security Measures
We implement the following technical and organizational measures to protect personal data:
| Measure | Implementation | Standard |
|---|---|---|
| Encryption at rest | All data encrypted at rest in the database and file storage | AES-256 |
| Encryption in transit | All data encrypted during transmission between client and server | TLS 1.3 |
| Row Level Security | Database-level policies ensuring users can only access their own data | Supabase RLS |
| Access logging | Comprehensive logging of data access for audit purposes | Real-time |
| Automated backups | Regular encrypted backups with point-in-time recovery | Daily + PITR |
| Penetration testing | Regular security assessments by independent parties | Annual |
7. Breach Notification
In the event of a personal data breach, Screenplay Studio will:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
- Provide the following details:
  - Nature of the breach, including categories and approximate number of data subjects affected
  - Name and contact details of the data protection point of contact
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Document all breaches, including facts, effects, and remedial actions taken
- Cooperate with the Controller and supervisory authorities as required
8. Audit Rights
The Controller has the right to audit Screenplay Studio's compliance with this DPA. This includes:
- Requesting documentation of our security measures and data processing activities
- Conducting or commissioning audits and inspections, with reasonable prior notice
- Reviewing our sub-processor agreements and security certifications
Audits shall be conducted during normal business hours with at least 30 days' written notice. We may charge reasonable fees for audits that exceed one per year.
9. Data Return & Deletion Upon Termination
Upon termination of the service or at the Controller's request:
- Data return: We will provide all personal data in a structured, commonly used, machine-readable format (JSON, CSV, or PDF as applicable)
- Data deletion: We will delete all personal data within 30 days of termination, including from backups, unless retention is required by law
- Certification: Upon request, we will provide written confirmation that all data has been deleted
10. International Data Transfers
We take the following measures to ensure lawful international data transfers:
- EU-US Data Privacy Framework: Our US-based sub-processors (where applicable) participate in and are certified under the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on the European Commission's Standard Contractual Clauses (2021/914) to safeguard transfers
- Data localization: Our primary database is hosted in the EU (Frankfurt). Application data is served via Vercel's global edge network with EU edge nodes prioritized for EU users
11. Technical and Organizational Measures (TOMs)
The following is a comprehensive list of our Technical and Organizational Measures:
| Category | Measure | Details |
|---|---|---|
| Confidentiality | Access control | Role-based access, Row Level Security, project-level permissions |
| Confidentiality | Authentication | Supabase Auth, bcrypt hashing, session tokens, email verification |
| Confidentiality | Encryption | AES-256 at rest, TLS 1.3 in transit |
| Integrity | Input validation | Server-side validation, parameterized queries, XSS prevention |
| Integrity | Change management | Version-controlled deployments, automated testing, staging environment |
| Availability | Backup & recovery | Daily automated backups, point-in-time recovery, encrypted backup storage |
| Availability | Infrastructure | Vercel edge network, geographic redundancy, auto-scaling |
| Availability | Monitoring | Real-time error tracking, uptime monitoring, anomaly detection |
| Resilience | Incident response | Documented incident response plan, 72h breach notification, post-mortems |
| Resilience | Testing | Annual penetration testing, vulnerability scanning, dependency audits |
| Accountability | Logging & audit | Access logging, request logging, audit trail for sensitive operations |
| Accountability | Data minimization | Collect only necessary data, automatic data expiry, anonymization |
12. Contact
For questions about this Data Processing Agreement, contact our Data Protection Officer at dpo@screenplaystudio.fun.