1. Scope and roles
Where a business customer uses VODPilot to process personal data in uploaded media, stream metadata, workspace records, or connected-channel data on behalf of that customer, the customer is the controller and Michael Ketzer, operating VODPilot, acts as processor. For account, billing, security, abuse-prevention, legal, and product-administration processing, VODPilot may act as an independent controller as described in the Privacy Policy.
2. Subject matter and duration
The subject matter is the provision, security, support, and maintenance of VODPilot. Processing continues for the duration of the customer relationship and any legally required retention, backup, deletion, dispute, security, or compliance period.
3. Categories of data
- Customer account and workspace member data, including names, email addresses, roles, and authentication records.
- Connected Twitch account identifiers, channel metadata, stream session records, VOD titles, categories, timestamps, and related event data.
- Uploaded and processed media, thumbnails, file names, object-storage keys, review notes, playout status, and processing logs.
- Support, abuse-report, security, audit, billing, and operational records.
4. Categories of data subjects
Data subjects may include customer personnel, workspace members, creators, streamers, moderators, viewers whose information appears in submitted content or metadata, support contacts, reporters, and other people whose data is included in customer-provided material.
5. Customer instructions
VODPilot processes customer personal data only on documented instructions, including the Terms of Service, product configuration, workspace actions, support requests, and this DPA, unless applicable law requires otherwise. If VODPilot believes an instruction violates data protection law, VODPilot may notify the customer and suspend the affected processing where appropriate.
6. Confidentiality and security
VODPilot limits access to personal data to people and systems that need it for service operation, support, security, billing, legal compliance, or abuse prevention. VODPilot applies reasonable technical and organizational measures, including access controls, authentication safeguards, transport security, least-privilege operational access, audit records, backup controls, and storage-provider safeguards.
7. Sub-processors
- VODPilot may use sub-processors listed in the Privacy Policy, including hosting, database, object-storage, payment, email, realtime-event, and AI processing providers.
- VODPilot remains responsible for sub-processor performance of processor obligations where required by GDPR Art. 28.
- Material sub-processor changes will be reflected in the Privacy Policy or this DPA. Customers may object on reasonable data-protection grounds by contacting support@vodpilot.com.
8. International transfers
Where personal data is transferred outside the EU or EEA to a country without an adequacy decision, VODPilot intends to rely on appropriate safeguards such as the European Commission Standard Contractual Clauses and supplementary measures offered by the relevant provider.
9. Assistance
Taking into account the nature of the processing and information available to VODPilot, VODPilot will reasonably assist customers with data-subject requests, security obligations, data protection impact assessments, and regulator consultations where legally required and commercially reasonable.
10. Security incidents
VODPilot will notify affected business customers without undue delay after becoming aware of a personal-data breach affecting customer personal data, where notification is legally required. The notice will include available information reasonably needed for the customer to meet its own notification obligations.
11. Deletion and return
On termination or customer request, VODPilot will delete or return customer personal data where reasonably possible, unless retention is required for legal, tax, accounting, security, dispute, abuse-prevention, backup, or compliance purposes. Deleted production data may remain in backups for a limited period until backup rotation.
12. Audits
VODPilot will make reasonably necessary information available to demonstrate compliance with this DPA. Audits must be proportionate, subject to confidentiality, avoid compromising other customers or security controls, and be limited to once per year unless a serious incident or legal requirement justifies otherwise.