Data Processing Addendum
Updated: July 2025
This Data Processing Addendum (“DPA”) is incorporated by reference into Shuffll’s Terms of Use or other applicable agreement governing the use of Shuffll’s services (the “Agreement”) entered into between you, the Client (as defined in the Agreement) (“Client”, “you”), and Shuffll Technologies Ltd. (“Shuffll”, “we”, “us”, or “our”).
This DPA reflects the Parties’ agreement regarding the processing of Personal Data by Shuffll solely on behalf of the Client, in the context of delivering embedded and modular video creation services through Shuffll’s infrastructure.
Capitalized terms not defined herein shall have the meanings assigned to them in the Agreement.
By using the Services, you accept this DPA and warrant that you have full authority to bind the Client to it. If you cannot or do not agree to comply with and be bound by this DPA, please do not provide Personal Data to us.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail solely with respect to the Processing of Personal Data.
1. DEFINITIONS
(a) Affiliate – Any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
(b) Authorized Affiliate – Any Client affiliate permitted to use the Services under the Agreement but that has not signed its own agreement with Shuffll.
(c) Controller, Processor, Data Subject, Processing, Supervisory Authority – As defined in the GDPR.
(d) Data Protection Laws – All applicable privacy and data protection laws, including GDPR, UK GDPR, CCPA, and any other relevant national or international data regulations.
(e) Personal Data – Any information relating to an identified or identifiable natural person processed by Shuffll on behalf of the Client.
(f) Sensitive Data – Data falling under Article 9 of the GDPR or equivalent categories under applicable law.
(g) Sub-processor – A third party engaged by Shuffll to process Personal Data on behalf of the Client.
(h) Services – Shuffll’s modular video creation infrastructure and orchestration services, including white-label, embedded, or API-driven deployments, provided via web app, iframe, or integrations into partner ecosystems.
(i) User – An end user of the Client (or its platform) who interacts with the Shuffll-powered video functionality.
2. ROLES OF THE PARTIES
Client: Controller – Determines the purposes and means of Personal Data Processing.
Shuffll: Processor – Processes Personal Data only on documented instructions from the Client and strictly within the scope of delivering its Services.
3. CLIENT RESPONSIBILITIES
The Client agrees to:
- Ensure it has legal grounds to collect and provide Personal Data to Shuffll;
- Provide accurate and lawful instructions regarding data use;
- Remain responsible for compliance with all applicable laws related to Personal Data.
4. SHUFFLL’S OBLIGATIONS AS PROCESSOR
Shuffll shall:
- Process Personal Data strictly per the Client’s documented instructions;
- Ensure personnel authorized to process data are bound by confidentiality obligations;
- Implement and maintain appropriate technical and organizational safeguards;
- Promptly notify the Client of any Personal Data Breach;
- Assist the Client in complying with Data Subject rights and supervisory authority inquiries;
- Delete or anonymize Personal Data after services end, unless legally required to retain it.
5. DETAILS OF PROCESSING
| Subject Matter | Processing of Personal Data in connection with Shuffll’s embedded video infrastructure services |
|---|---|
| Nature & Purpose | To enable video creation, orchestration, customization, and delivery via Shuffll’s web app, API, or embedded deployments |
| Data Subjects | Client’s end users or platform users (“Users”) |
| Types of Personal Data | Name, email, image/video/audio content, text inputs, metadata related to video workflows |
| Duration | For the term of the Agreement + any legally required retention period |
6. SUB-PROCESSORS
(a) Client authorizes Shuffll to use the following Sub-processors:
- MS Azure (AWS) – Hosting and Compute infrastructure
- Google Cloud Platform – Storage and compute services
- Cloudflare – CDN and security services
- OpenAI, Anthropic, ElevenLabs, Heygen, AssemblyAI, and others – Used as modular AI components for video generation (scriptwriting, avatars, subtitles, etc.)
(b) All Sub-processors are bound by data protection terms no less stringent than this DPA.
(c) Shuffll will notify the Client of material Sub-processor changes and allow objections within 7 days on reasonable legal grounds.
7. SECURITY & AUDIT RIGHTS
(a) Security Measures – Shuffll uses industry best practices, including encryption in transit and at rest, access control, monitoring, and secure development protocols.
(b) Audit Rights – Upon written request (max once annually), Shuffll will provide documentation or allow reasonable audits under confidentiality obligations.
8. DATA BREACH NOTIFICATION
Shuffll will notify the Client without undue delay upon becoming aware of a Personal Data Breach, including the nature, impact, and remediation steps.
9. DATA RETURN OR DELETION
Upon termination of the Agreement, Shuffll will delete or return Personal Data unless retention is required by law. A single secure archival copy may be retained for legal defense purposes.
10. INTERNATIONAL DATA TRANSFERS
Cross-border data transfers shall be governed by the EU Standard Contractual Clauses (SCCs 2021/914) or other valid mechanisms as required by Data Protection Laws.
11. DATA SUBJECT RIGHTS
If Shuffll receives a Data Subject request, it will promptly refer it to the Client, unless authorized otherwise in writing.
12. LIABILITY
Each Party’s liability with respect to this DPA shall be subject to the limitations and exclusions of liability set forth in the Shuffll Terms of Use or the applicable Agreement between the Parties.
13. GOVERNING LAW
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, unless a different governing law and jurisdiction is specified in the Agreement between the Parties, in which case such specified law and jurisdiction shall apply.
Schedule 1 – Processing Summary
| Purpose | Data Subjects | Types of Personal Data | Retention Period |
|---|---|---|---|
| Video creation, customization, orchestration, delivery | End users of Clients and/or partner platforms | Name, email, video/audio/image content, metadata, scripts | Duration of Agreement + lawful retention |
Schedule 2 – Security Measures
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls and least-privilege architecture
- Multi-factor authentication for administrative systems
- Ongoing vulnerability scanning and penetration testing
- Secure data deletion upon contract termination
- Logging, monitoring, and incident response protocols
© 2025 Shuffll Technologies Ltd. All Rights Reserved.
For any questions regarding this DPA, contact [email protected]