Legal documents

Here you can find all the legal documents concerning your relationship with EZTitles Development Studio Ltd.

EZConvert Cloud Data Processing Agreement (DPA)

(last updated 03.12.2025)

download as pdf

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the written contract, order form, online subscription terms, license agreement, or master service agreement between EZTitles Development Studio Ltd., a company incorporated under the laws of the Republic of Bulgaria, registered office at 74, Nartsis Str., 1415 Sofia, Bulgaria ("EZT STUDIO" or the "Processor"), and the customer using EZConvert Cloud (the "Customer" or "Controller") (the "Agreement").

This DPA applies to the extent EZConvert Cloud processes personal data on behalf of the Customer.

In case of conflict between this DPA and the Agreement or any Service Level Agreement ("SLA"), this DPA shall prevail with respect to personal data protection matters only.

Availability, continuity, uptime, and service credit matters remain governed exclusively by the EZConvert Cloud Service Level Agreement (SLA).

1. Definitions and Interpretation

Capitalized terms not defined in this DPA have the meanings given in:

  • Regulation (EU) 2016/679 ("GDPR")
  • The Agreement
  • The applicable SLA

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Sub-processor" means a third party engaged by EZT STUDIO to process Personal Data.

2. Roles of the Parties

2.1 The Customer acts as Data Controller.
2.2 EZT STUDIO acts solely as Data Processor.
2.3 Nothing in this DPA shall be construed as creating a joint-controller relationship.

3. Scope, Nature and Purpose of Processing

3.1 Nature of Processing

  • Temporary automated processing of subtitle, caption and related audiovisual metadata files
  • Transmission, transformation and return of converted output files via cloud infrastructure

3.2 Purpose of Processing

  • File conversion
  • Delivery of conversion results
  • Technical support and troubleshooting
  • All Personal Data and content processed under this DPA remains the exclusive property and responsibility of the Customer at all times

3.3 Categories of Data Subjects

May include:

  • Media professionals
  • Voice performers
  • Interviewees
  • On-screen identifiable individuals

3.4 Categories of Personal Data

May include:

  • Names, voices, identifying references appearing in subtitle files
    EZT STUDIO does not intentionally process special category data.

3.5 Duration of Processing

Processing is strictly temporary and transaction-based.

4. Processor Obligations

EZT STUDIO shall:

a) Process Personal Data only on documented instructions from the Customer
b) Ensure personnel are bound by confidentiality obligations
c) Implement appropriate technical and organizational measures (see Annex A)
d) Take reasonable steps to ensure sub-processor compliance
e) Assist the Customer with data subject requests where technically feasible
f) Notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach
g) Upon termination, delete or return Personal Data unless legally required to retain it

5. Customer Obligations

The Customer is solely responsible for:

  • Lawful basis for processing
  • Transparency and notices to data subjects
  • Accuracy and legality of submitted content
  • Security of API keys and access credentials
  • Configuration of access rights and authentication
  • Backup and archival of its own data

6. Sub-Processors

6.1 The Customer grants general authorization for EZT STUDIO to engage Sub-processors.

6.2 EZT STUDIO shall:

  • Enter into contracts imposing equivalent data protection obligations
  • Remain responsible for Sub-processors only to the extent required by mandatory applicable law

6.3 A current list of Sub-processors is set out in Annex B.

7. International Data Transfers

7.1 Data may be processed in:

  • The European Union
  • Other jurisdictions where EZT STUDIO or its Sub-processors operate data centers

7.2 Where required, transfers are safeguarded by:

  • EU Standard Contractual Clauses (SCCs)
  • Or other valid transfer mechanisms under Chapter V GDPR

8. Data Retention and Deletion

  • Data is stored only for the minimum time required for conversion and delivery
  • Temporary retention may occur for:
    • Delivery retries
    • Error recovery
    • Technical troubleshooting
  • EZT STUDIO does not provide long-term archival
  • Final deletion is automated and irreversible after the technical window

The Customer remains solely responsible for its own backups.

9. Security Measures

EZT STUDIO implements security in accordance with Annex A and industry-standard cloud practices including:

  • Encryption in transit
  • Access control
  • Segregated cloud environments
  • Monitoring and intrusion detection

10. Personal Data Breach Management

10.1 EZT STUDIO shall notify the Customer without undue delay after becoming aware of a confirmed breach.

10.2 Notification shall include:

  • Nature of the breach
  • Likely consequences
  • Measures taken or proposed

10.3 EZT STUDIO shall not be responsible for Customer notification to authorities or data subjects unless explicitly required by law.

11. Liability Allocation

11.1 Each party is liable for breaches within its respective sphere of responsibility.

11.2 EZT STUDIO shall not be liable for breaches caused by:

  • Customer misconfiguration
  • Compromised credentials
  • Negligent access control
  • Force majeure events
  • Independent failures of third-party infrastructure providers

11.3 All liability is subject to the limitation of liability in the Agreement.

12. Audits

  • The Customer may conduct one audit per 12-month period on reasonable notice
  • Audits must:
    • Be limited to data protection matters
    • Not disrupt operations
    • Be subject to confidentiality
  • Third-party certifications may be provided in lieu of physical audits

13. Term and Termination

This DPA remains in effect for the duration of the Agreement and any Processing thereafter.

Upon termination:

  • All Personal Data shall be deleted or returned unless retention is legally required.

14. Governing Law

This DPA is governed by the same law and jurisdiction as the Agreement unless mandatory data protection law requires otherwise.

ANNEX A - TECHNICAL AND ORGANIZATIONAL MEASURES (TOMS)

EZT STUDIO implements the following minimum measures:

Organizational

  • Access on a least-privilege, role-based basis
  • Confidentiality obligations for all personnel
  • Security incident response procedures
  • Regular security awareness training

Technical

  • TLS encryption in transit
  • Encrypted cloud storage
  • Firewall-protected infrastructure
  • Identity and access management controls
  • Segregated workload environments
  • Centralized logging and monitoring
  • Automated vulnerability patching at infrastructure level

ANNEX B - SUB-PROCESSORS

  1. Microsoft Azure - Cloud hosting, compute, storage, networking. Location: EU & Non-EU data centers
  2. Regional CDN Providers- Secure API traffic delivery. Location: Global

EZT STUDIO may update this list in accordance with this DPA.