PromoNexAi B.V. Data Processing Agreement (DPA)

Effective Date: October 1, 2025

1. Parties & Roles

This DPA forms part of the Terms of Service between PromoNexAi B.V. (the "Processor") and the customer (the "Controller").

2. Subject Matter & Duration

Subject Matter: Processing personal data to provide AI-powered video generation services.

Duration: for the term of the Agreement and up to 12 months after termination for backups/compliance.

3. Nature & Purpose of Processing

Provision of the services, including scraping product data on the customer's instruction, generating scripts, images, audio and video, translations, analytics, support, billing, security and compliance.

4. Types of Personal Data & Data Subjects

Personal Data:

  • account data (name, email)
  • billing data
  • usage logs
  • content metadata
  • audio/video files the customer uploads or generates

Data Subjects:

  • customer personnel/end users
  • collaborators authorized by the customer

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure personnel confidentiality and appropriate training.
  • Implement appropriate technical and organizational security measures.
  • Assist Controller with data subject requests and DPIAs as reasonably required.
  • Notify Controller without undue delay of a personal data breach (aim within 72 hours).
  • Delete or return personal data at termination, subject to legal retention.

6. Security Measures

  • Encryption in transit and at rest where applicable.
  • Access controls, least-privilege, and MFA for administrative access.
  • Network and application monitoring and logging.
  • Regular backups and disaster recovery procedures.
  • Vendor risk management for sub‑processors.

7. Sub‑Processors

Controller provides general authorization for Processor to engage sub‑processors. Current sub‑processors include:

  • Google (Gemini) – AI text processing/translation.
  • ElevenLabs – voice synthesis.
  • Black Forest Labs (Runway) – image/video generation.
  • Stripe – payments processing.
  • Hosting/analytics providers as needed.

Processor will inform Controller of any intended changes to sub‑processors and provide an opportunity to object on reasonable grounds.

8. International Transfers

Where personal data is transferred outside the EEA/UK, Processor will ensure appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and supplementary measures where required.

9. Audit & Compliance

Controller may audit Processor's compliance up to once per year (and after material incidents) upon reasonable notice. Processor may satisfy audit requests by providing third‑party reports or certifications where available.

10. Liability

Liability under this DPA is governed by the limitations set out in the main Agreement/Terms of Service.

11. Contact

Data Protection inquiries:

📧 privacy@promonexai.com