DATA PROCESSING AGREEMENT
Entertainment IT, Inc.
Effective Date: March 17, 2026 | Version 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Entertainment IT, Inc. ("Processor" or "Company") and the entity agreeing to these terms ("Controller" or "Customer") for the provision of software products and services operated by Entertainment IT, Inc. and its subsidiaries.
1. Definitions
- "Data Protection Laws" means GDPR (EU) 2016/679, UK GDPR, CCPA/CPRA, and all other applicable data protection and privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service.
- "Processing" means any operation on Personal Data, including collection, storage, use, transmission, and deletion.
- "Sub-processor" means any third party engaged to process Personal Data on behalf of the Controller.
- "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
2. Roles and Scope
- The Customer is the Controller determining purposes and means of processing
- Entertainment IT, Inc. is the Processor processing Personal Data to provide services
- Processing is limited to what is necessary to deliver the contracted services
- This DPA applies for the duration of the service agreement
3. Processor Obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller
- Ensure authorized persons are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist with Data Subject requests, security obligations, and impact assessments
- Delete or return Personal Data upon termination, at Controller's choice
- Make information available to demonstrate compliance
4. Controller Obligations
The Controller represents that:
- It has a lawful basis for processing Personal Data through the Service
- It has provided appropriate notices to Data Subjects
- Its processing instructions comply with Data Protection Laws
5. Security Measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access controls: Role-based, authenticated access
- Infrastructure: SOC 2 compliant hosting (Cloudflare, Supabase)
- Payment security: PCI DSS Level 1 (Stripe)
- Data minimization: Only necessary data collected
- No telemetry: Desktop applications do not collect usage analytics
6. Sub-processors
6.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, tunnels, Worker runtime | United States (global) |
| Supabase, Inc. | Database hosting | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Email delivery | United States |
| Twilio, Inc. | SMS messaging | United States |
6.2 Changes
Thirty (30) days notice before engaging new Sub-processors. Controller may object on reasonable grounds; if unresolved, Controller may terminate.
6.3 Sub-processor Obligations
Each Sub-processor is bound by obligations no less protective than this DPA.
7. Security Incident Response
- Notification within seventy-two (72) hours of discovering a Security Incident
- Notification includes: nature, scope, likely consequences, and remediation measures
- Cooperation with Controller on investigation and mitigation
8. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests (access, correction, deletion, portability, restriction, objection) within applicable timeframes.
9. International Transfers
- Data may be processed in the United States
- Transfers from EEA/UK rely on Standard Contractual Clauses (EU 2021/914)
- Supplementary measures include encryption and access controls
10. Audits
- Controller may request security documentation and written responses to compliance questions
- On-site audits permitted with thirty (30) days notice, at Controller's expense, once per year
11. Termination
Upon termination of the service agreement, the Processor will delete or return all Personal Data within thirty (30) days, at Controller's election. Retention permitted only where required by law.
12. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.
13. General
- Conflict: This DPA prevails over the Terms of Service on data protection matters
- Governing Law: State of Florida, unless Data Protection Laws require otherwise
- Amendments: May be updated with thirty (30) days notice
Annex A: Processing Details
| Element | Details |
|---|---|
| Subject matter | Processing to provide software and related services |
| Duration | Duration of service agreement |
| Purpose | License validation, account management, payments, email, support, web features |
| Data Subjects | Customers, employees, end users, support contacts |
| Categories of Data | Name, email, phone, machine IDs, IP addresses, OS info, license keys, payment info (via Stripe), support content |
| Sensitive data | None intentionally collected |
Contact
Entertainment IT, Inc. Email: privacy@entertainmentit.co Website: https://entertainmentit.co
© 2026 Entertainment IT, Inc. All rights reserved.