Data Processing Agreement
Last updated: 10 July 2026
This Data Processing Agreement (DPA) forms part of the agreement between MyStdio, a product of Zyon Entertainment Pty Ltd (ABN 24 640 498 997, 383 Pitt Street, Sydney NSW 2000, Australia) (Processor, we, us) and the organization using our services (Controller, you, your) for the processing of personal data as described below.
When this DPA applies: This DPA applies when your organization uses MyStdio and you are the controller of personal data that we process on your behalf. If you need a signed copy of this DPA for your records, please contact privacy@mystdio.com.
1. Definitions
1.1 "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable data protection legislation.
1.2 "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf.
1.3 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
1.4 "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
1.5 "Data Subject" means an individual whose Personal Data is processed.
1.6 "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose
2.1 This DPA applies to the processing of Personal Data by us on your behalf in connection with the MyStdio platform services.
2.2 The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 to this DPA.
2.3 The duration of processing shall be for the term of your agreement with us, plus any retention period required by law or as specified in our Privacy Policy.
3. Obligations of the Processor
The following clauses implement the complete set of processor obligations under Article 28(3)(a) through (h) GDPR. Each clause below is labeled with the corresponding Article 28(3) sub-paragraph for ease of reference.
3.1 (Art. 28(3)(a)) We shall process Personal Data only on your documented instructions, unless required to do so by applicable law.
3.2 (Art. 28(3)(b)) We shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 (Art. 28(3)(c)) We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR and described in Annex 2.
3.4 (Art. 28(3)(d)) We shall not engage another processor (Sub-processor) without your prior general or specific authorization, and we shall impose the same data protection obligations set out in this DPA on every Sub-processor by way of a written contract, in each case consistent with the conditions in Article 28(2) and Article 28(4) GDPR. Our current list of Sub-processors is available in Appendix A below.
3.5 We shall notify you of any intended changes to Sub-processors at least 30 days in advance, giving you the opportunity to object to such changes in accordance with Section 7 below.
3.6 (Art. 28(3)(e)) We shall assist you, by appropriate technical and organizational measures, in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
3.7 (Art. 28(3)(f)) We shall assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR, including security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
3.8 (Art. 28(3)(g)) At your choice, we shall delete or return all Personal Data after the end of the provision of services, unless applicable law requires retention.
3.9 (Art. 28(3)(h)) We shall make available to you all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
4. Obligations of the Controller
4.1 You shall ensure that you have a lawful basis to provide Personal Data to us for processing.
4.2 You shall provide us with documented instructions regarding the processing of Personal Data, ensuring such instructions comply with Data Protection Laws.
4.3 You shall inform us without undue delay if you become aware of any circumstances that may affect our processing of Personal Data.
4.4 You are responsible for informing Data Subjects about the processing of their Personal Data as required by Data Protection Laws.
5. Security Measures (Article 32 GDPR)
5.1 We implement the following technical and organizational measures:
- Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
- Access Controls: Role-based access control, multi-factor authentication for administrative access, and regular access reviews.
- Data Isolation: Multi-tenant architecture with row-level security ensuring complete data isolation between tenants.
- Logging & Monitoring: Comprehensive activity logging and security monitoring.
- Backup & Recovery: Regular encrypted backups with tested recovery procedures.
- Malicious File Protection: Uploads are validated against an extension and MIME-type blocklist (executables, scripts, and macro-enabled office documents are rejected), checked against magic-byte signatures to prevent file-type spoofing, and screened for dangerous double extensions. SVG uploads are rejected if they contain embedded scripts, event handlers, or external references.
- Secure Development: Security-focused development practices, code reviews, and regular security assessments.
6. Security Incident Notification
6.1 We shall notify you without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data, so that you have a reasonable window to meet your own regulatory notification obligations, including the 72-hour notification requirement applicable to controllers under Article 33 GDPR.
6.2 Such notification shall include, to the extent available:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of Personal Data records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
6.3 We shall cooperate with you and provide reasonable assistance in investigating and remediating any Security Incident.
7. Sub-processing
7.1 You hereby authorize us to engage the Sub-processors listed in Appendix A below.
7.2 We shall inform you of any intended changes to our Sub-processors at least 30 days in advance, giving you the opportunity to object.
7.3 If you object to a new Sub-processor on reasonable grounds related to data protection, we shall work with you to find a mutually acceptable solution.
7.4 We shall impose on each Sub-processor data protection obligations no less protective than those in this DPA.
7.5 We remain fully liable to you for the performance of each Sub-processor's obligations.
8. Data Subject Rights
8.1 We shall assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
8.2 If we receive a request directly from a Data Subject, we shall promptly forward it to you unless we are legally prohibited from doing so.
9. International Data Transfers
9.1 Personal Data may be transferred to and processed in countries outside your jurisdiction as described in Appendix A (Sub-processors) below.
9.2 For transfers to countries not recognized as providing an adequate level of data protection, we rely on:
- Standard Contractual Clauses (SCCs): The European Commission's standard contractual clauses for international transfers.
- UK IDTA/Addendum: For UK transfers, the UK International Data Transfer Agreement or UK Addendum to the EU SCCs.
9.3 Upon request, we shall provide you with copies of the relevant transfer mechanisms.
10. Audit Rights
10.1 We shall make available to you information reasonably necessary to demonstrate compliance with our obligations under this DPA.
10.2 Upon reasonable notice, you may audit our compliance with this DPA, subject to:
- Reasonable advance notice (at least 30 days)
- Audits during normal business hours
- No more than one audit per year (unless required by law or supervisory authority)
- Confidentiality obligations regarding any information obtained
10.3 We may satisfy audit requirements by providing relevant third-party certifications or audit reports (such as SOC 2 reports).
11. Data Deletion and Return
11.1 Upon termination of the services, we shall, at your election:
- Return: Provide you with a copy of all Personal Data in a commonly used format; or
- Delete: Securely delete all Personal Data in our possession.
11.2 Deletion shall occur within 90 days of termination, except where retention is required by applicable law or for the establishment, exercise, or defense of legal claims.
11.3 Upon request, we shall certify in writing that deletion has been completed.
12. Liability
12.1 Each party shall be liable for damages caused by processing that infringes Data Protection Laws or this DPA, as provided under applicable law.
12.2 The limitations of liability in our Terms of Service shall apply to this DPA, except to the extent prohibited by applicable law.
13. General Provisions
13.1 This DPA is governed by the same law that governs our Terms of Service, subject to mandatory provisions of Data Protection Laws.
13.2 This DPA shall remain in effect for the duration of the services and for as long as we process Personal Data on your behalf.
13.3 In the event of a conflict between this DPA and our Terms of Service, this DPA shall prevail with respect to data protection matters.
13.4 We may update this DPA from time to time. We will notify you of material changes at least 30 days in advance.
14. Execution and Acceptance
14.1 This DPA takes effect, and is deemed accepted by both parties, upon your acceptance of our Terms of Service and Privacy Policy, unless a separately executed or counter-signed version is agreed as described below.
14.2 For enterprise Controllers, or where a Controller established in the European Union, the United Kingdom, or Switzerland requires a signed copy for its own compliance records, we will provide a signature block for counter-signature by both parties upon request. Contact privacy@mystdio.com to request a countersigned copy of this DPA.
14.3 We maintain a record of when, and by whom, this DPA (including any separately signed version) was accepted or countersigned, and will provide a copy of that record to you upon reasonable request.
Annex 1: Details of Processing
Processing of Personal Data in connection with the provision of the MyStdio video production client portal platform.
For the term of the agreement plus any legally required retention period (typically 2 years after account closure, 7 years for financial records).
- Providing access to the platform
- Facilitating video production project management
- Enabling video review and approval workflows
- Processing quotes, invoices, and payments
- Sending transactional communications
- Providing customer support
- Platform security and fraud prevention
- Identity data (name, job title)
- Contact data (email, phone, address)
- Account data (login credentials, preferences)
- Transaction data (quotes, invoices, payments)
- Project content (briefs, feedback, comments)
- Technical data (IP address, device info, logs)
- Video content and associated metadata
- Your employees and contractors (platform users)
- Your clients (project stakeholders, reviewers)
- Guest reviewers (public review participants)
Annex 2: Security Measures
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted database connections
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Principle of least privilege
- Regular access reviews and deprovisioning
- Row-level security (RLS) in database
- Complete data isolation between tenants
- Separate storage namespaces per tenant
- Comprehensive activity logging
- Security event monitoring
- Anomaly detection
- Regular encrypted backups
- Tested disaster recovery procedures
- Geographic redundancy for critical systems
Appendix A: Sub-processors
MyStdio engages sub-processors in the categories and locations set out below. A current, itemised list of our named sub-processors is available to the Customer on request by emailing privacy@mystdio.com, and forms part of this Agreement.
Updates: We will update this list when we add or remove sub-processors. For material changes, we will notify you at least 30 days in advance and give you the opportunity to object, in accordance with Sections 3.5 and 7.2 of this DPA.
| Category | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Cloud hosting and infrastructure (application database and compute) | Host the application and database | European Union (Germany) | Within the EEA |
| Object and file storage | Store uploaded files and media | United States | Standard Contractual Clauses |
| Content delivery and video streaming | Deliver and stream media | European Union origin with global edge locations (including the United States and Australia) | Standard Contractual Clauses |
| Transactional email | Send account and notification emails | United States | Standard Contractual Clauses |
| Payment processing (Stripe) | Process payments | Primarily United States | Standard Contractual Clauses / Data Privacy Framework |
| AI services (image generation, text generation, video analysis, audio transcription) | Power optional AI features | United States | Standard Contractual Clauses |
| Social-media publishing | Publish posts to connected social accounts on request | United States | Standard Contractual Clauses |
International Data Transfers
When your data is transferred to sub-processors located outside your country of residence, we ensure appropriate safeguards are in place:
- EU-U.S. Data Privacy Framework (DPF): Where a sub-processor is self-certified under the EU-U.S. DPF (including, where applicable, the UK Extension and the Swiss-U.S. DPF), we rely on that certification as an approved transfer mechanism.
- European Economic Area (EEA): Transfers to countries outside the EEA that are not covered by an adequacy decision or DPF certification are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
- United Kingdom: Transfers are governed by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
- Australia: We ensure overseas recipients handle your data in accordance with the Australian Privacy Principles.
- New Zealand: We ensure recipients provide comparable privacy protection or obtain your explicit consent before transfer, in accordance with Principle 12 of the Privacy Act 2020.
Contact
For questions about this DPA or to request a signed copy, please contact us:
MyStdio, a product of Zyon Entertainment Pty Ltd
ABN 24 640 498 997
383 Pitt Street, Sydney NSW 2000, Australia
Privacy Team
Email: privacy@mystdio.com