Data Processing Agreement (DPA)
Last updated: 2026-01-01
This Data Processing Agreement (“DPA”) forms part of the agreement between the business customer (“Controller”) and:
vidAds (Einzelunternehmen), Moritz Kieser (“Processor”)
Stadlerweg 2b, 83734 Hausham, Bavaria, Germany
Email: contact@clipdone.app
This DPA applies to the extent Processor processes personal data on behalf of Controller in the course of providing the ClipDone Service.
1) Definitions
“Applicable Data Protection Laws” means the EU GDPR and, where applicable, the UK GDPR and UK Data Protection Act 2018, and other laws applicable to the processing under this DPA.
“Customer Content” means any footage, files, inputs, prompts, metadata, or other content submitted to the Service by or on behalf of Controller, and the resulting outputs.
2) Roles and scope
Controller is the controller of personal data contained in Customer Content. Processor acts as processor when providing the Service.
The subject matter, duration, nature and purpose of the processing, types of personal data and categories of data subjects are described in Annex 1.
3) Processor obligations (GDPR Art. 28(3))
Processor shall:
- process personal data only on documented instructions from Controller, unless required by law;
- ensure persons authorized to process personal data are subject to confidentiality;
- implement appropriate technical and organizational measures (TOMs) (Annex 2);
- assist Controller with data subject requests and GDPR obligations, taking into account the nature of processing;
- notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Content;
- delete or return personal data at the end of the provision of services (Section 9 and Annex 1), unless retention is required by law;
- make available information necessary to demonstrate compliance and allow audits as set out in Section 11;
- inform Controller without undue delay if, in Processor’s opinion, an instruction infringes Applicable Data Protection Laws.
4) Controller obligations
Controller shall ensure it has a lawful basis and provides required notices to data subjects for the processing of personal data in Customer Content, and that Customer Content and instructions comply with Applicable Data Protection Laws.
5) Subprocessors
Controller grants Processor a general authorization to engage subprocessors to provide the Service.
Approved subprocessors as of the effective date are listed in Annex 3.
Processor will impose data protection obligations on subprocessors equivalent to those in this DPA.
Changes: Processor will notify Controller of intended additions or replacements of subprocessors at least 15 days in advance (e.g., by updating the list in Annex 3 and by providing notice via email and/or in-app notice). Controller may object on reasonable data protection grounds within that period. If the parties cannot resolve the objection, Controller may terminate the affected part of the Service as its sole remedy.
6) International transfers
Subprocessors (or their infrastructure) may process personal data outside the EEA/UK (e.g., in the United States). Where required, Processor will ensure appropriate safeguards (e.g., EU SCCs and, where applicable, the UK Addendum) are in place.
7) OpenRouter and downstream model providers (LLMs)
ClipDone may route certain AI requests via OpenRouter to downstream model providers (e.g., xAI/Grok).
Downstream model providers may retain inputs/outputs according to their policies, including for security and abuse prevention. For xAI (Grok models), retention may be up to 30 days according to provider policy. Processor does not represent “zero data retention” unless explicitly agreed in writing.
8) Assistance with data subject requests
Processor will provide reasonable assistance to enable Controller to respond to data subject requests (Arts. 12–23 GDPR). If Processor receives a request directly relating to Customer Content, Processor will (unless legally prohibited) inform Controller and redirect the request to Controller.
9) Deletion, return, and retention
During the term, Controller can export/retrieve Customer Content via the Service and/or by support request.
After termination or account deletion, Processor will delete or anonymize Customer Content and outputs within 30 days unless:
- Controller requests earlier deletion (where feasible), or
- retention is required for security, dispute resolution, or legal compliance, or
- the data remains in backups until the next rotation cycle.
Backups: Data may persist in backups until overwritten according to backup rotation schedules of our infrastructure providers. Details are available on request.
10) Security (TOMs)
Processor implements appropriate TOMs as described in Annex 2. Processor may update TOMs over time provided updates do not materially reduce overall security.
11) Audits
Controller may audit Processor’s compliance with this DPA no more than once per 12 months, with reasonable notice, during business hours, and subject to confidentiality and security requirements.
Processor may satisfy audit requests by providing reasonable compliance information and/or independent third-party reports where available, unless Controller reasonably demonstrates these are insufficient.
12) Liability
Liability under this DPA is subject to the liability limitations in the main agreement/Terms, unless prohibited by Applicable Data Protection Laws.
Annex 1: Description of processing
Subject matter
Provision of the ClipDone Service (video upload, automated processing, output generation).
Duration
For the term of the agreement, plus the retention periods described in Section 9 (including backup rotation).
Nature of processing
Collection, storage, organization, transformation, AI-assisted processing, retrieval, deletion.
Purpose(s)
Provide the Service to Controller, generate outputs, ensure security, prevent abuse, and provide support.
Types of personal data
- account identifiers of authorized users (e.g., name, email)
- Customer Content may include faces/voices and other personal data contained in uploaded files
- prompts/instructions provided by users (may contain personal data if included by Controller)
Categories of data subjects
Controller’s employees, contractors, customers, or other individuals appearing in Controller’s uploaded content.
Special categories of data
Not intended. Controller should not upload special-category data unless necessary and lawful and with appropriate safeguards.
Annex 2: Technical and organizational measures (TOMs)
- Access control: role-based access controls; least privilege; administrative access restricted.
- Encryption in transit: TLS for data in transit.
- Logging and monitoring: security and reliability monitoring.
- Secure development: code review and dependency management practices.
- Incident response: documented process; breach notification workflow.
- Data minimization: process only data needed to provide the Service; avoid sending unnecessary data to LLMs.
Note: Underlying cloud providers may provide additional security features (e.g., encryption at rest) according to their services.
Annex 3: Subprocessors
| Subprocessor | Purpose | Typical data | Typical processing location / transfers | Notes |
|---|---|---|---|---|
| Cloudflare (Pages/Workers/CDN) | Hosting, delivery, security | Website/app requests, IP address, logs; data transmitted to/from the Service | Cloudflare global infrastructure; may involve processing outside the EEA/UK | Edge delivery and security. |
| Cloudflare (R2) | Object storage for uploaded files and outputs | Uploaded files/outputs and object metadata | Cloudflare global infrastructure; may involve processing outside the EEA/UK | Object storage. |
| Convex | Database and backend application platform | Project metadata, job state, account data | May involve processing outside the EEA/UK | Application data storage and backend. |
| Modal | CPU/GPU compute for processing jobs | Customer Content during processing, processing metadata | May involve processing outside the EEA/UK | Executes processing workloads. |
| OpenRouter | LLM routing for AI features | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Routes content to downstream model providers; may process usage metadata (e.g., model, timestamps, usage/cost). |
| Google (Gemini) via OpenRouter | Model inference | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Provider retention may vary according to provider policy. |
| xAI (Grok) via OpenRouter | Model inference | Prompts/instructions and model outputs (as provided by users) | May involve processing outside the EEA/UK | Provider retention may be up to 30 days according to provider policy. |
The current list is also published at: Subprocessors.