1. Defined Terms
DEFINED TERMS. The following terms shall have the following meanings in this DPA:
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Agreement” or “Contract” means the underlying agreement or contract between Pirsonal and the Customer for the provision of the Services that references and incorporates this DPA;
1.3. “Applicable Data Protection Law” means data privacy and cybersecurity laws to the extent applicable to the relevant party’s Processing of Customer Personal Data;
1.4. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to Applicable Data Protection Law, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Pirsonal but has not signed its own Agreement or Order Form with Pirsonal and is, therefore, not a “Customer” as defined under this DPA.
1.5. “Customer” or “Client” means the legal entity which has directly entered into the Agreement for Services with Pirsonal or its Affiliates;
1.6. “Customer Personal Data” means the Personal Data that Customer or its Authorized Affiliate provides under the Agreement for Pirsonal to Process on behalf of Customer in connection with the Services. Customer Personal Data does not include information that is (i) deidentified, anonymized, aggregated, publicly available information, or business contact data (unless the Applicable Data Protection Law otherwise considers such information as Personal Data), (ii) Usage Statistics; or (iii) any information that the Applicable Data Protection Law specifically states does not constitute Personal Data;
1.7. “Data Security Addendum” shall mean either (a) Pirsonal’s Information Security System Policy found here, or (b) if applicable, a negotiated data security addendum that is incorporated into the Agreement by the parties, in each case as it may now or hereafter be amended;
1.8. “Security Breach” shall have the meaning ascribed to it in Pirsonal’s Information Security System Policy;
1.9. “Services” means the products or services provided by Pirsonal to Customer pursuant to the Agreement.
1.10. “Standard Contractual Clauses” means those model clauses approved pursuant to Applicable Data Protection Law that legitimize the transfer of Personal Data across borders, including the Standard Contractual Clauses approved by the European Commission which can be found here;
1.11. “Subprocessor” means a subcontractor providing Services where such subcontractor Processes Customer Personal Data.
1.12. “Pirsonal” means the named Pirsonal entity that has entered into the Agreement for Services with Customer;
1.13. “Usage Statistics”, “Consulting Services”, “Strategy Consulting”, “Customer Success Plan” means information that is generated by or on behalf of Pirsonal and that is derived by or through the use of the Services;
1.14. “Controller” also referred to as “Business”, “Processor” also referred to as “Service Provider”, “Data Subject” also referred to as “Consumer”, “Personal Data” also referred to as “Personal Information”, “Process” or “Processing”, and “Sell” or “Selling” (or any of their analogous terms) shall all have the meanings set out in the relevant Applicable Data Protection Law.
2. Processing of Customer Personal Data and Parties’ Obligations
2.1. Compliance with Laws. Each party agrees to comply with its own obligations under Applicable Data Protection Laws.
2.2. Parties’ Obligations. With respect to the Processing of Customer Personal Data in connection with the Services, the parties agree that:
2.2.1. Customer is the Controller of Customer Personal Data and, consequently, Pirsonal is a Processor thereof;
2.2.2. Each party will (i) inform the other if, in its reasonable opinion, an instruction infringes on its own obligations under Applicable Data Protection Law or other laws and (ii) upon reasonable request, provide assistance required under Applicable Data Protection Law with respect to data protection impact assessments, consulting with relevant data protection authorities, and/or making available relevant information necessary to demonstrate compliance with Applicable Data Protection Law;
2.2.3. Without limiting Section 2.1, Customer represents and warrants that it has obtained all consents for and rights to, and has provided all necessary notices to Data Subjects with respect to, the Customer Personal Data as required for the same to be Processed as contemplated by the Agreement; and
2.2.4. Except as required under Applicable Data Protection Law, Customer acknowledges and agrees that Pirsonal is under no duty to independently collect consent from or provide notice to any Data Subjects or to investigate the completeness, accuracy, or sufficiency of any specific Customer instruction or Customer Personal Data.
3. Obligations of Pirsonal
OBLIGATIONS OF PIRSONAL. Pirsonal will take steps to ensure that:
3.1. Limitations on Processing. It only Processes the Customer Personal Data hereunder in alignment with Customer’s instructions, including those set forth in the Agreement;
3.2. Personnel. Its personnel (including staff, agents, and Subprocessors) who handle Customer Personal Data are subject to a duty of confidentiality;
3.3. Security. It maintains and implements appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized destruction, loss, alteration, disclosure thereof, or access thereto. The parties agree that the security measures set forth on Pirsonal’s Information Security System Policy are in scope and fulfill the obligations of this Section;
3.4. Access Requests. It will provide reasonable cooperation to Customer or a Data Subject to fulfil a Data Subject’s request to access, correct, delete, or cease processing of data. To the extent Pirsonal receives a request, correspondence, enquiry, or complaint from a regulator that directly relates to Customer Personal Data, then (to the extent permissible) it will promptly refer the same to Customer for handling;
3.5. Breach Notification. It will report a Security Breach as required and in accordance with Pirsonal’s Information Security System Policy and, to the extent known, will provide relevant information and reasonable cooperation so that Customer can fulfil its own obligations as Controller. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users;
3.6. Deletion and Retention. Upon request, it will delete the Customer Personal Data in its (or its Subprocessors’) possession, except to the extent that Pirsonal is required to retain such data by law or its data retention policies (in which case Pirsonal shall isolate and protect such Customer Personal Data from further active Processing except to the extent required by law);
3.7. Pirsonal will maintain an up-to-date list of Subprocessors used to deliver the Services, including their role and, where applicable, the regions in which processing occurs. This list will be made available on Pirsonal’s website or through appropriate customer communications.
Pirsonal will impose written data protection obligations on all Subprocessors that are no less protective than those set out in this DPA, taking into account the nature of the services provided. Pirsonal shall remain responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law and the Agreement.
Where additional infrastructure or configuration details are required for legal, security, or procurement evaluation, Pirsonal may provide further information through appropriate channels, subject to reasonable confidentiality and security considerations.
The list of Subprocessors includes, where applicable, a description of their processing role and the regions in which processing may occur (e.g., EU, United States, or global infrastructure), depending on the configuration of the Services. The location of processing depends on the infrastructure configuration selected by the customer. Pirsonal supports EU-based, US-based, custom, and hybrid deployments.
3.8. Audits. It will optionally allow for and contribute to audits conducted by Customer, or an external auditor selected by Customer per Pirsonal’s Information Security System Policy. At Customer’s expense and to the extent a more extensive audit is granted by Pirsonal, then the parties agree to negotiate, in good faith, a statement of work that outlines the scope and time frames of the audit.
4. Data Transfers
4.1 General.
Pirsonal shall process Customer Personal Data in accordance with Applicable Data Protection Law, including any restrictions applicable to international data transfers.
4.2 Transfers outside the EEA.
To the extent that the processing of Customer Personal Data involves transfers from the European Economic Area (EEA) to countries that do not provide an adequate level of data protection, Pirsonal shall ensure that such transfers are subject to appropriate safeguards in accordance with Applicable Data Protection Law.
4.3 Standard Contractual Clauses (SCCs).
Where required under Applicable Data Protection Law, the parties agree that the Standard Contractual Clauses adopted by the European Commission pursuant to Decision (EU) 2021/914 shall apply to such transfers.
Unless otherwise agreed, Module 2 (Controller to Processor) shall apply where Pirsonal processes Customer Personal Data on behalf of the Customer.
The Standard Contractual Clauses shall be deemed incorporated into this DPA by reference and shall apply automatically where relevant.
4.4 Onward Transfers.
Pirsonal shall ensure that any onward transfer of Customer Personal Data to Subprocessors located outside the EEA is subject to appropriate safeguards, including the application of Standard Contractual Clauses or other lawful transfer mechanisms, as required under Applicable Data Protection Law.
4.5 Supplementary Measures.
Pirsonal implements technical and organizational measures designed to ensure an appropriate level of protection for Customer Personal Data, taking into account the nature of the processing and the risks involved.
These measures are described in Pirsonal’s security and compliance documentation and are intended to support the effectiveness of transfer mechanisms such as Standard Contractual Clauses.
4.6 Data Residency and Configuration.
The location of processing depends on the infrastructure configuration selected by the Customer. Pirsonal supports EU-based, US-based, custom, and hybrid deployments.
4.7 Cooperation.
The parties shall cooperate in good faith to implement any additional safeguards or documentation required to ensure compliance with Applicable Data Protection Law.
5. Language
LANGUAGE. The DPA is executed in English and/or Spanish versions. The Parties agree that in the event of any conflict between the Spanish and English versions, the English version shall prevail. Other documents, such as Pirsonal’s Information Security System Policy, are exclusively available in Spanish. The parties acknowledge that in the case of any discrepancies, the Spanish version will take precedence.
6. General
GENERAL. All other terms and conditions of the Agreement remain in full force and effect. In the event of any inconsistencies between this DPA and the Agreement, this DPA shall prevail as it relates to the Processing of Customer Personal Data only.
Annex I — Details of Processing
A. Subject Matter of Processing
The subject matter of the processing is the provision of Pirsonal’s personalized video platform and related services, including the creation, rendering, delivery, and analysis of personalized video content based on Customer-provided data.
B. Duration of Processing
Processing shall continue for the duration of the Agreement and, where applicable, for any additional period required to:
- comply with legal obligations
- resolve disputes
- enforce contractual rights
Data retention and deletion are governed by the Agreement and Pirsonal’s data retention policies.
C. Nature and Purpose of Processing
Pirsonal processes Customer Personal Data for the following purposes:
- Generating personalized video content using Customer-provided data
- Rendering and producing video outputs dynamically
- Delivering videos through landing pages, players, or integrations
- Enabling user interaction (e.g., forms, CTAs, engagement tracking)
- Supporting campaign execution and automation workflows
- Providing analytics and performance insights
- Supporting customer onboarding, troubleshooting, and technical support
D. Categories of Data Subjects
Depending on the Customer’s use case, data subjects may include:
- Customers or end-users of the Customer
- Employees or contractors
- Leads, prospects, or subscribers
- Members, partners, or participants in Customer programs
E. Categories of Personal Data
Customer Personal Data processed may include:
- Identification data (e.g., name, surname)
- Contact data (e.g., email address, phone number)
- Professional or demographic data (where provided by Customer)
- Customer-specific fields and attributes used for personalization
- Content data (e.g., text, images, video, audio uploaded by Customer)
- Interaction and engagement data (e.g., video views, clicks, responses)
Pirsonal does not determine the categories of Personal Data processed; these are defined and controlled by the Customer.
F. Processing Operations
Processing activities may include:
- Collection (via Customer systems or uploads)
- Structuring and organization of data
- Storage and hosting
- Adaptation and personalization of content
- Rendering and generation of video outputs
- Delivery via web pages, players, or integrations
- Retrieval and access by authorized users
- Analysis and reporting of engagement data
- Deletion and/or anonymization
Annex II — Technical and Organizational Measures (TOMs)
Pirsonal implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with Applicable Data Protection Law.
These measures include, but are not limited to, the following:
1. Access Control
- Role-based access control (RBAC)
- Authentication mechanisms (including multi-factor authentication where applicable)
- Least-privilege access principles
- Access logging and monitoring
2. Data Protection
- Encryption of data in transit (TLS or equivalent)
- Encryption of data at rest where applicable
- Data minimization practices
- Logical separation of customer data
3. Infrastructure Security
- Secure cloud infrastructure (EU and/or US regions depending on configuration)
- Network security controls (firewalls, segmentation)
- Vulnerability management and patching processes
4. Application Security
- Secure development practices
- Testing and validation procedures
- Monitoring for unauthorized access or anomalies
5. Incident Management
- Documented incident response procedures
- Breach detection and response processes
- Notification procedures aligned with Applicable Data Protection Law
6. Availability and Resilience
- Backup and recovery procedures
- Redundancy and system resilience measures
- Disaster recovery planning
7. Organizational Measures
- Internal security policies and procedures
- Personnel confidentiality obligations
- Security awareness and training
- Vendor and subprocessor risk management
8. Compliance Framework
- Information Security Management System aligned with ISO/IEC 27001
- Regular audits and assessments
- Continuous monitoring and improvement of security controls
Annex III — List of Subprocessors
Information regarding Subprocessors, including their role and applicable processing locations, is made available via Pirsonal’s Subprocessor documentation through its Legal Center or upon request. It can be found here.
Annex IV — Standard Contractual Clauses (EU) 2021/914
For the purposes of international data transfers subject to Applicable Data Protection Law, the parties agree that the Standard Contractual Clauses adopted by the European Commission pursuant to Decision (EU) 2021/914 (the “SCCs”) are incorporated into this DPA by reference.
Where applicable:
- Module 2 (Controller to Processor) applies where the Customer acts as Controller and Pirsonal acts as Processor
- Module 3 (Processor to Processor) applies where Pirsonal engages Subprocessors
The SCCs shall be deemed completed as follows:
Clause 7 — Docking Clause
The optional docking clause applies, allowing additional parties to accede to the SCCs as Controllers or Processors in accordance with their terms.
Clause 9 — Use of Subprocessors
Option 2 (General written authorization) applies. Pirsonal has the Customer’s general authorization for the engagement of Subprocessors, subject to the requirements set out in this DPA.
Clause 11 — Redress
The optional language is not included.
Clause 17 — Governing Law
The SCCs shall be governed by the law of Spain.
Clause 18 — Jurisdiction
Any dispute arising from the SCCs shall be resolved by the courts of Madrid, Spain.