Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of any master agreement, EULA, order form, or other written contract (collectively, the "Principal Agreement") between CVEDIA Pte. Ltd. ("CVEDIA") and the entity using CVEDIA-RT products or services ("Customer").


1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means the entity that processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in GDPR Art. 4(1) and equivalent laws.

"Applicable Data Protection Law" includes the GDPR, UK Data Protection Act 2018, UAE Federal Decree-Law No. 45 of 2021, DIFC Data Protection Law No. 5 of 2020, CCPA/CPRA, and PIPEDA.

"Sub-processor" means any third party engaged by CVEDIA to process Personal Data.


2. Roles of the Parties

Customer as Controller

For any data the Customer uploads, sends, or otherwise makes available to CVEDIA (including video clips or telemetry tied to identifiable systems), the Customer acts as Controller and CVEDIA acts as Processor.

CVEDIA as Controller

For telemetry and diagnostic data collected directly by CVEDIA (e.g., CPU/GPU load, number of streams, resolution, or aggregated analytics), CVEDIA acts as an independent Controller.


3. Subject Matter and Duration

Processing covers storage, analysis, and testing of limited video or image clips, device metadata (IP address, machine ID), and anonymized telemetry, for the purposes of:

  • quality evaluation and improvement of CVEDIA-RT algorithms;
  • security, debugging, and operational analytics; and
  • customer support.

Processing continues for as long as the Customer uses CVEDIA-RT and until deletion or anonymization as described in Section 9.

The categories of data subjects and types of Personal Data processed under this Agreement are described in Annex B.


4. Processor Obligations

CVEDIA shall:

  • process Personal Data only on documented instructions from the Customer;
  • ensure personnel confidentiality;
  • implement appropriate technical and organizational measures (Annex A);
  • assist the Customer in fulfilling its data-subject rights and DPIA obligations where feasible;
  • maintain records of processing activities;
  • notify the Customer without undue delay after becoming aware of a Personal Data Breach;
  • not "sell" or "share" Personal Data as those terms are defined by the CCPA/CPRA (Annex C).

CVEDIA shall process data only:

  • to operate and improve CVEDIA-RT;
  • to provide technical support and diagnostics; and
  • for lawful R&D, testing, and security purposes.

CVEDIA shall process Personal Data solely in accordance with this Agreement, the Customer's documented instructions, and the categories of processing described in Annex B.


5. Sub-processing

  • Customer authorizes CVEDIA to use the Sub-processors listed at cvedia.com/sub-processors and any future Sub-processors notified by email or posting at that URL.
  • CVEDIA shall ensure each Sub-processor is bound by written terms no less protective than this DPA.
  • Customer may object on reasonable grounds within 30 days of notice.

6. Data Location and Transfers

6.1 Data Storage

CVEDIA is a fully remote company incorporated in Singapore. Personal Data are not stored in Singapore. All Personal Data are stored exclusively in cloud infrastructure provided by the Sub-processors listed at cvedia.com/sub-processors, primarily:

  • Microsoft Azure — European Union and United States
  • Google Cloud — European Union and United States
  • Cloudinary — United States

6.2 Personnel Access

CVEDIA operates as a fully remote company with personnel located globally. Remote access to Personal Data by CVEDIA personnel is governed by the following transfer mechanisms, as applicable:

  • EEA/UK/Adequate Countries — No additional transfer mechanism required.
  • United States — EU-U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses.
  • Other Third Countries — Standard Contractual Clauses (EU Commission Decision 2021/914) incorporated into employment or contractor agreements.

A current list of countries with EU adequacy decisions is maintained by the European Commission.

6.3 Transfer Mechanisms

  • Sub-processors listed at cvedia.com/sub-processors maintain certification under the EU-U.S. Data Privacy Framework and/or operate under Standard Contractual Clauses.
  • Personnel in third countries (countries without an EU adequacy decision) access data under Standard Contractual Clauses incorporated into their agreements with CVEDIA.
  • All transfers outside the EEA, UAE, or DIFC rely on Standard Contractual Clauses (EU Commission Decision 2021/914) or other lawful mechanisms recognized under Applicable Data Protection Law.

6.4 SCCs Governing Law and Supervisory Authority

Where Standard Contractual Clauses apply:

  • Governing Law (Clause 17): Laws of the Netherlands
  • Forum (Clause 18): Courts of the Netherlands
  • Competent Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

7. Security

CVEDIA maintains a documented information-security program appropriate to the nature, scope, and risk of its processing activities, including administrative, technical, and physical safeguards (Annex A).


8. Assistance and Audits

CVEDIA shall make available to the Customer, upon reasonable written request, information necessary to demonstrate compliance with this Agreement and Applicable Data Protection Law.

The Customer may conduct audits or inspections of CVEDIA's processing of Personal Data only where required by Applicable Data Protection Law or a competent supervisory authority, and subject to the following conditions:

  • audits shall be limited to the extent necessary to verify compliance with this Agreement;
  • audits shall not unreasonably interfere with CVEDIA's business operations;
  • audits shall occur no more than once per twelve (12) month period, unless required by law or following a Personal Data Breach;
  • the Customer shall provide at least thirty (30) days' prior written notice;
  • audits shall be conducted during normal business hours; and
  • the Customer shall bear its own costs and the reasonable costs incurred by CVEDIA in connection with the audit.

The Customer shall ensure that any audit findings and information obtained are treated as Confidential Information.

Where possible, audits shall be satisfied through written responses, documentation, or remote assessments. The parties acknowledge that CVEDIA operates on a fully remote basis and does not maintain physical offices accessible for on-site inspection.


9. Data Retention and Deletion

Retention

Personal Data are retained only as long as necessary for the purposes in Section 3.

  • Raw user-submitted clips may be retained for model testing and regression prevention.
  • CVEDIA reviews such datasets at least annually to confirm ongoing necessity.

Anonymization

CVEDIA may convert data into irreversibly anonymized or aggregated form for legitimate R&D purposes; such data are no longer considered Personal Data.

Deletion Requests

When a Customer or data subject requests deletion and provides sufficient identifying details (e.g., IP address and/or machine ID), CVEDIA will delete or anonymize matching data where technically feasible.

If identification is not reasonably possible, CVEDIA will inform the requester that no corresponding records could be found.


10. Return or Destruction of Data

Upon termination or expiry of the Services, and at the Customer's choice, CVEDIA shall delete or return all Personal Data processed on behalf of the Customer, unless retention of the Personal Data is required by Applicable Data Protection Law.

Where retention is required by law, CVEDIA shall ensure that such Personal Data is retained only for the period mandated by such law and remains subject to appropriate technical and organisational measures to protect its confidentiality and integrity.

CVEDIA may retain Personal Data strictly to the extent necessary for the establishment, exercise, or defence of legal claims, in accordance with Applicable Data Protection Law.

Any further use of Personal Data for research, development, analytics, or service improvement purposes shall occur only after such data has been irreversibly anonymised so that it no longer constitutes Personal Data under Applicable Data Protection Law.

Upon the Customer's written request, CVEDIA shall provide written certification that deletion or anonymisation has been completed in accordance with this Section.


11. Data-Subject Rights

CVEDIA shall forward to the Customer any request received directly from a data subject unless otherwise required by law. Where CVEDIA acts as Controller, it will respond directly in accordance with its Privacy Policy.


12. Breach Notification

CVEDIA shall notify the Customer without undue delay after confirming a Personal Data Breach, providing information sufficient to enable the Customer to comply with its own reporting obligations.


13. Liability and Indemnity

Each party remains liable for its own processing activities and any acts or omissions of its personnel or Sub-processors that cause a breach of this DPA.


14. Governing Law

This DPA is governed by the law stated in the Principal Agreement. Where none is specified, Singapore law applies, subject to mandatory rights under Applicable Data Protection Law.


Annex A – Technical and Organisational Measures

CVEDIA implements technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to the nature, scope, context, and purposes of processing.

1. Governance and Policies

  • CVEDIA maintains written internal policies covering information security, access control, incident response, and data retention.
  • Security responsibilities are assigned to designated personnel within engineering and operations.
  • Personnel with access to Personal Data are subject to confidentiality obligations.

2. Access Control

  • Access to systems processing Personal Data is restricted on a least-privilege basis.
  • Administrative access requires strong authentication (including multi-factor authentication where supported).
  • Access rights are reviewed periodically and revoked promptly when no longer required.

3. Infrastructure Security

  • Personal Data are hosted on cloud infrastructure provided by Microsoft Azure and Google Cloud, located in the European Union and the United States.
  • Media assets are stored on Cloudinary infrastructure in the United States.
  • CVEDIA relies on cloud providers' physical and environmental security controls, including data-center access restrictions and redundancy.
  • All cloud providers maintain ISO 27001 and SOC 2 Type II certifications and participate in the EU-U.S. Data Privacy Framework.
  • Logical separation is maintained between environments and customer datasets where applicable.

4. Encryption

  • Data are encrypted in transit using industry-standard protocols (e.g. TLS).
  • Data are encrypted at rest using encryption mechanisms provided by the cloud service provider.
  • Encryption keys are managed using cloud-provider security controls.

5. Logging and Monitoring

  • System activity and errors are logged for operational and security purposes.
  • Logs are protected against unauthorized access and used to support troubleshooting and incident detection.
  • Monitoring is implemented to identify anomalous behavior or service disruptions.

6. Secure Development Practices

  • CVEDIA follows secure development practices, including source-code version control, controlled deployment processes, and separation between development and production environments where feasible.
  • Changes to production systems are reviewed and tested prior to deployment.

7. Incident Response

  • CVEDIA maintains an incident-response process to assess, contain, and remediate security incidents.
  • Personal Data Breaches are escalated internally without undue delay.
  • Where required by Applicable Data Protection Law, CVEDIA will notify Customers without undue delay after becoming aware of a confirmed Personal Data Breach.

8. Data Minimisation and Retention Controls

  • CVEDIA limits the collection of Personal Data to what is necessary for the stated purposes.
  • Data may be anonymized or aggregated where feasible, particularly for testing and model validation.
  • Retention of Personal Data is periodically reviewed in accordance with internal data-retention practices.

9. Sub-processor Oversight

  • CVEDIA engages Sub-processors only under written agreements imposing data-protection obligations consistent with this DPA.
  • Sub-processors are selected based on their ability to implement appropriate security measures.

10. Proportionality

The measures described above are implemented taking into account the state of the art, the costs of implementation, and the risks presented by the processing, in accordance with Article 32 GDPR and equivalent provisions under other Applicable Data Protection Laws.


Annex B – Data Categories and Subjects

| Category | Example Fields | Data Subjects |
|---|---|---|
| Video/Image Clips | Short snippets voluntarily submitted, may incidentally contain identifiable persons | Users or individuals captured in footage |
| Device Metadata | IP address, machine ID, timestamps | Operators of devices |
| Telemetry | Hardware metrics (CPU, GPU, memory), stream counts, resolutions | Customer systems |
| Support Data | Email, logs, error reports | Customer representatives |

Annex C – CCPA/CPRA Addendum

  • CVEDIA acts as a Service Provider under the CCPA/CPRA.
  • CVEDIA does not sell or share Personal Information.
  • Customer data will be used solely to perform services under the Principal Agreement.
  • CVEDIA will notify the Customer if it determines it can no longer meet CPRA requirements.