Effective Date: May 5, 2025
This Data Processing Agreement (“Agreement”) is entered into between:
(1) Nexrender OÜ (“Processor”), with its principal place of business at Sepapaja 6, 15551 Tallinn, Estonia;
and
(2) Client company (“Controller”), individually referred to as a “Party” and collectively as the “Parties.”
1.1. “Data Protection Laws” means all applicable legislation protecting the rights and freedoms of individuals in relation to their personal data, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and any subsequent amendments or regulations.
1.2. “Personal Data” means any information relating to an identified or identifiable natural person.
1.3. “Sub-processor” means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
1.4. “Services” means the provision of Nexrender’s cloud-based rendering infrastructure.
2.1. This Agreement governs the processing of Personal Data by the Processor in the course of providing the Services.
2.2. This Agreement is effective from the date of the underlying service agreement and remains valid for as long as Personal Data is processed by the Processor on behalf of the Controller.
3.1. The Processor will process Personal Data strictly for the purposes of providing customized video rendering services via Adobe After Effects templates rendered on Nexrender’s cloud infrastructure.
3.2. No profiling, tracking, or behavioral analytics is performed by the Processor beyond performance and usage telemetry.
4.1. Data subjects: End users of the Controller, whose information may be rendered in personalized videos.
4.2. Data types: Custom variables, user names, visual identifiers, and any other metadata embedded by Controller into video templates.
5.1. Processor shall process Personal Data only on documented instructions from the Controller.
5.2. Processor shall ensure that persons authorized to process the data are bound by confidentiality agreements.
5.3. Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
5.4. Processor shall assist the Controller in fulfilling obligations to respond to data subject rights (e.g. access, rectification, erasure, portability).
5.5. Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach.
5.6. Processor shall, at the choice of the Controller, delete or return all Personal Data after the end of the provision of Services.
6.1. The Controller authorizes the use of the following sub-processors:
Hetzner – Hosting provider (EU-based)
Google Cloud Platform – VM scalability (EU and US regions)
AWS – Storage and compute (optional)
PostHog – Anonymous telemetry (no PII)
DigitalOcean – Infrastructure fallback
6.2. Processor shall ensure sub-processors provide equivalent data protection obligations.
6.3. Processor shall notify the Controller of any intended changes to sub-processors and allow the Controller to object.
7.1. If the Processor or any sub-processor processes Personal Data outside the EEA, such transfer shall be governed by the Standard Contractual Clauses (SCCs) or Data Privacy Framework certification as applicable.
8.1. Upon reasonable prior written request and not more than once annually, the Controller may request a summary report of the Processor’s data protection practices and relevant third-party certifications.
8.2. Processor may, at its discretion, make additional documentation available to demonstrate compliance, provided that such disclosure does not compromise security or confidentiality.
8.3. Any in-person audit shall require at least 30 days’ notice, be limited in scope and duration, and shall only be conducted if legally required or if a material security incident has occurred.
9.1. Each Party shall be liable for breaches of this Agreement in accordance with the terms of the main service agreement.
10.1. This Agreement shall be governed by and construed in accordance with the laws of Estonia.
10.2. Any disputes shall be subject to the exclusive jurisdiction of the courts of Estonia.
11.1. This Agreement is an annex to and forms part of the Terms of Use and does not require a separate signature unless requested by either Party.
11.2. In case of conflicts between this Agreement and the Terms of Use, this Agreement shall prevail in matters of data protection.