Note: This Data Processing Agreement (“DPA”) forms part of the agreement between Growthflicks (“Processor”) and each customer (“Controller”) who uses the Service for purposes that involve processing personal data within the meaning of the GDPR. By accepting Growthflicks' Terms of Service, the Controller agrees to be bound by this DPA. No separate signature is required.
1. Introduction and Parties
This Data Processing Agreement (“DPA” or “Agreement”) is entered into between:
- The Controller: the legal entity or individual that has subscribed to the Growthflicks platform and that determines the purposes and means of processing personal data in connection with their use of the Service (“Customer” or “Controller”).
- The Processor: Growthflicks d.o.o., a company registered in the Republic of Slovenia, which processes personal data on behalf of the Controller in the course of providing the Service (“Growthflicks” or “Processor”).
This DPA supplements and is incorporated into the Growthflicks Terms of Service (“Main Agreement”). In the event of any conflict between this DPA and the Main Agreement on data protection matters, this DPA shall prevail.
The purpose of this DPA is to ensure that the processing of personal data by Growthflicks on behalf of the Customer is carried out in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and applicable national data protection laws.
2. Definitions
For the purposes of this DPA, the following definitions apply:
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) as defined in Article 4(1) GDPR.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.
- “Controller” means the natural or legal person who determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR.
- “Processor” means a natural or legal person who processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR.
- “Sub-Processor” means any third party engaged by Growthflicks to process Personal Data in connection with the Service on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data as defined in Article 4(12) GDPR.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
- “Supervisory Authority” means the competent data protection authority with jurisdiction over the Controller or Processor.
3. Scope and Nature of Processing
Subject-Matter
Growthflicks processes Personal Data on behalf of the Controller solely to the extent necessary to provide the Service as described in the Main Agreement, including AI content generation, social media account management, content scheduling and publishing, and related platform features.
Duration
Processing continues for the duration of the Main Agreement and until all Personal Data is deleted or returned in accordance with Section 12 of this DPA.
Nature and Purpose
The processing is carried out for the following purposes:
- Operating and maintaining the Service, including user authentication and session management;
- Executing AI generation tasks instructed by the Controller or its end-users;
- Publishing content to social media accounts connected by the Controller;
- Storing and retrieving User Content as directed by the Controller;
- Providing technical support and resolving Service issues.
Categories of Personal Data
The types of Personal Data processed may include:
- Contact and identity data: names, email addresses, usernames;
- Account credentials: hashed passwords, OAuth tokens for connected social accounts;
- Usage data: IP addresses, device identifiers, session data, activity logs;
- User Content: prompts, uploaded media, and generated content;
- Social media profile data received via API upon account connection.
Categories of Data Subjects
- The Controller's employees, contractors, or agents who use the Service;
- The Controller's end-users whose data may be processed as part of content workflows;
- Third parties whose data may appear in User Content uploaded by the Controller.
4. Obligations of Growthflicks as Processor
Growthflicks undertakes to:
- Process only on documented instructions: process Personal Data only on the documented instructions of the Controller, including with regard to transfers to third countries, unless required by EU or Member State law. In such a case, Growthflicks shall notify the Controller before processing, unless prohibited by law.
- Ensure confidentiality: ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement security measures: implement appropriate technical and organisational measures as required by Article 32 GDPR (see Section 7).
- Engage Sub-Processors appropriately: only engage Sub-Processors in accordance with Section 6 of this DPA.
- Assist with Data Subject requests: taking into account the nature of the processing, assist the Controller through appropriate technical and organisational measures in fulfilling its obligations to respond to requests from Data Subjects (see Section 9).
- Assist with compliance obligations: assist the Controller in ensuring compliance with Articles 32–36 GDPR, including security, breach notification, DPIAs, and prior consultation, taking into account the nature of processing and information available.
- Delete or return data: at the choice of the Controller, delete or return all Personal Data upon termination of the Service, and delete existing copies unless required by EU or Member State law.
- Provide audit information: make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR, and allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to reasonable notice and conditions.
- Notify of unlawful instructions: immediately inform the Controller if, in Growthflicks' opinion, an instruction infringes the GDPR or other applicable data protection law.
5. Obligations of the Customer as Controller
The Controller represents, warrants, and undertakes that:
- It has a valid legal basis under the GDPR for all processing of Personal Data instructed to Growthflicks;
- It has provided all required notices and obtained all required consents from Data Subjects whose data is processed through the Service;
- Its instructions to Growthflicks comply with all applicable data protection law;
- It will ensure that the Personal Data provided to Growthflicks is accurate and that only Personal Data that is necessary for the specified purpose is transferred;
- It is responsible for determining whether the Service is appropriate for the purposes for which it intends to use it, including any compliance obligations specific to its industry or jurisdiction.
6. Sub-Processors
General Authorisation
The Controller provides a general written authorisation to Growthflicks to engage Sub-Processors for the purpose of providing the Service. Growthflicks shall notify the Controller of any intended additions or replacements of Sub-Processors with at least 14 days' prior notice, giving the Controller the opportunity to object.
Sub-Processor Obligations
Growthflicks shall impose data protection obligations equivalent to those set out in this DPA on any Sub-Processor by way of a contract or other legal act. Growthflicks remains fully liable to the Controller for the performance of a Sub-Processor's obligations.
Current Sub-Processors
The current list of Sub-Processors engaged by Growthflicks includes the following categories of providers:
- Cloud hosting and infrastructure (data storage, compute, databases);
- Payment processing (Stripe, Inc. — for billing and subscription management);
- AI model providers (for image and video generation services);
- Email delivery services (for transactional and notification emails);
- Content delivery networks (CDN providers for media delivery);
- Security and DDoS protection (Cloudflare).
A detailed and up-to-date list of Sub-Processors is available upon request at [email protected].
Objection to Sub-Processors
If the Controller has legitimate, substantive grounds to object to the engagement of a new Sub-Processor related to data protection, it must notify Growthflicks in writing within the 14-day notice period. If the parties cannot resolve the objection, the Controller may terminate the affected Service on written notice without penalty.
7. Security Measures
Pursuant to Article 32 GDPR, Growthflicks has implemented the following technical and organisational measures to ensure a level of security appropriate to the risk:
Technical Measures
- Encryption of Personal Data in transit using TLS 1.2 or higher;
- Encryption of Personal Data at rest using AES-256;
- Pseudonymisation of user identifiers in analytics and logging systems;
- Automated backup systems with integrity verification;
- Network-level access controls, firewalls, and intrusion detection systems;
- Vulnerability management and regular security patching;
- Web Application Firewall (WAF) and DDoS mitigation.
Organisational Measures
- Role-based access controls and the principle of least privilege for all systems;
- Multi-factor authentication for all administrative and production system access;
- Data protection training for all staff with access to Personal Data;
- Documented security incident response procedures;
- Regular third-party security assessments and penetration tests;
- Vendor due diligence for all Sub-Processors handling Personal Data.
Growthflicks will review and update these measures regularly in light of technical advances and the nature of risks presented.
8. Personal Data Breach Notification
In the event Growthflicks becomes aware of a confirmed Personal Data Breach affecting Personal Data processed on behalf of the Controller, Growthflicks shall:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, to the email address associated with the Controller's account;
- Provide, to the extent then known, the following information:
  - A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  - The name and contact details of the Data Protection Officer or other point of contact;
  - A description of the likely consequences of the breach;
  - A description of the measures taken or proposed to address the breach.
- Cooperate with the Controller and provide reasonable assistance in meeting the Controller's own breach notification obligations under the GDPR.
Growthflicks' notification of a breach does not constitute an acknowledgement of fault or liability. The Controller is responsible for determining whether to notify the relevant Supervisory Authority or affected Data Subjects.
9. Data Subject Rights
Growthflicks shall, upon written request from the Controller, provide reasonable assistance to enable the Controller to respond to requests from Data Subjects exercising their rights under Chapter III GDPR, including rights of:
- Access (Article 15 GDPR);
- Rectification (Article 16 GDPR);
- Erasure / “Right to be Forgotten” (Article 17 GDPR);
- Restriction of processing (Article 18 GDPR);
- Data portability (Article 20 GDPR);
- Objection to processing (Article 21 GDPR).
Where a Data Subject contacts Growthflicks directly with a request relating to Personal Data processed on behalf of the Controller, Growthflicks shall promptly forward such request to the Controller and shall not respond to such requests directly unless otherwise agreed or required by law.
The Controller is responsible for responding to Data Subject requests within the timeframes required by applicable law (generally 30 days under the GDPR).
10. Data Protection Impact Assessments and Prior Consultation
Where required by Article 35 GDPR, Growthflicks shall provide reasonable assistance to the Controller in carrying out a Data Protection Impact Assessment (“DPIA”) relating to the Controller's use of the Service.
Growthflicks shall also provide reasonable assistance to the Controller in respect of any prior consultation with a Supervisory Authority under Article 36 GDPR.
The Controller acknowledges that it bears primary responsibility for determining whether a DPIA is required in connection with its use of the Service and for conducting such assessment.
11. International Transfers of Personal Data
Growthflicks may transfer Personal Data to Sub-Processors located outside the European Economic Area (“EEA”). Any such transfer shall only occur where:
- The destination country benefits from an adequacy decision by the European Commission;
- Appropriate safeguards have been put in place by means of Standard Contractual Clauses (SCCs) adopted pursuant to Article 46(2)(c) GDPR; or
- Another appropriate transfer mechanism under Article 46 GDPR applies.
By accepting this DPA, the Controller authorises Growthflicks to make such international transfers, provided that an appropriate safeguard as listed above is in place. Growthflicks shall make copies of applicable SCCs and transfer documentation available to the Controller upon written request.
If an approved transfer mechanism is invalidated or becomes unavailable, Growthflicks shall promptly notify the Controller and cooperate to implement an alternative lawful transfer mechanism.
12. Term and Termination
This DPA enters into force on the date the Controller accepts the Main Agreement and remains in effect for the duration of the Main Agreement.
Upon expiry or termination of the Main Agreement for any reason, Growthflicks shall, at the Controller's written election:
- Delete all Personal Data processed on behalf of the Controller within 30 days of the termination date; or
- Return the Personal Data to the Controller in a commonly used machine-readable format, and thereafter delete all copies.
Notwithstanding the above, Growthflicks may retain Personal Data to the extent required by applicable EU or Member State law (e.g., financial records for tax compliance), in which case Growthflicks shall notify the Controller of such requirement and limit processing to the extent and duration necessary.
If the Controller does not provide deletion or return instructions within 30 days of termination, Growthflicks shall proceed with deletion by default.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Main Agreement (Growthflicks Terms of Service).
Where a Data Subject suffers material or non-material damage as a result of a GDPR infringement, each party shall be liable for the damage caused by its own processing operations that infringed the GDPR in accordance with Articles 82 and 83 GDPR.
A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
For any questions regarding this DPA or to exercise rights under it, contact: