Data Processing Addendum (DPA)

Last Updated: August 25, 2025

This Data Processing Addendum (“DPA”) is incorporated by reference into the Swarmify Master Services Agreement (“MSA”) between Swarmify Video LLC (“Swarmify”, “Processor”) and the Customer (“Customer”, “Controller”) and governs Swarmify’s processing of Customer Personal Data in connection with the Service. Capitalized terms not defined here have the meanings in the MSA or applicable data protection laws.

1) Scope & Roles

  • Controller/Processor. For Customer Personal Data contained in Customer Content and processed on Customer’s behalf, Customer is the Controller and Swarmify is the Processor (or Service Provider under U.S. state privacy laws).
  • Customer Personal Data. Personal data contained in Customer Content that Swarmify processes on Customer’s behalf via the Service.

2) Processing Instructions

Swarmify will process Customer Personal Data only (a) to provide, maintain, and improve the Service; (b) per the MSA and this DPA; and (c) per Customer’s written instructions, including through Service configurations and documented use. Swarmify will promptly inform Customer if, in its opinion, an instruction infringes applicable law.

3) Confidentiality

Swarmify will ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.

4) Security

Taking into account the state of the art, costs, nature, scope, context, and purposes of processing, and risks to data subjects, Swarmify implements and maintains appropriate technical and organizational measures (“TOMs”) described in Annex 2.

5) Subprocessors

Customer authorizes Swarmify to engage affiliates and third-party subprocessors to provide the Service. A current list of subprocessors, including each subprocessor’s name and the services it performs, will be made available to Customer upon written request to Swarmify’s data protection contact at privacy [at] swarmify.com. Swarmify remains responsible for the acts and omissions of its authorized subprocessors to the same extent as if Swarmify had performed the services itself.

6) International Transfers

  • EEA/CH/UK Data. Where Customer Personal Data is subject to the GDPR (EU/EEA), FADP (Switzerland), or UK GDPR and is transferred to a country lacking an adequacy decision, the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“SCCs”) Controller-to-Processor, Module 2 are hereby incorporated by reference between Customer (data exporter) and Swarmify (data importer). For transfers subject to UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the “UK Addendum”) applies. For transfers subject to Swiss law, the SCCs are adapted as required by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
  • By entering into the MSA/DPA, the parties are deemed to have executed the SCCs (including the UK Addendum and Swiss adaptations where applicable), with the details set out in Annex 1 and security measures in Annex 2. In the event of conflict, the SCCs prevail for transfers they govern.
  • Data Privacy Framework. Notwithstanding the foregoing, if Swarmify’s certification under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF (collectively, “DPF”) is effective and applicable to the transfer, such transfer shall be made in accordance with the DPF principles, which shall prevail over the SCCs for such transfers.

7) Assistance

  • Data Subject Rights. Taking into account the nature of processing, Swarmify will assist Customer by appropriate technical and organizational measures in responding to verified requests to exercise data subject rights (access, deletion, correction, portability, restriction, objection).
  • Impact Assessments & Consultation. Swarmify will provide information reasonably necessary for Customer’s data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent related to the Service.

8) Security Incidents

Swarmify will notify Customer without undue delay and in any event within seventy-two (72) hours after confirming a Security Incident involving Customer Personal Data within Swarmify’s control, and will provide updates reasonably required for Customer’s incident response and regulatory obligations. Notification is not an admission of fault.

9) Audits & Reports

  • Upon request up to once in any twelve (12) month period, Swarmify will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, third-party audit reports where available).
  • Where additional review is required by law, Customer may conduct (or have a reputable independent auditor conduct) a reasonable audit of the TOMs, subject to confidentiality, scheduling, scope, and safety constraints. Audits occur during normal business hours, do not unreasonably interfere with operations, and are at Customer’s expense. If similar information has already been provided, Swarmify may satisfy the request with existing reports.

10) Return & Deletion

Following termination or expiration of the Service, Customer may export Customer Content as described in the MSA. After the post-termination export window, Swarmify will delete Customer Personal Data from active systems and, within a reasonable period, from backups per standard retention, unless retention is required by law or for a lawful legal hold. Any retained data remains subject to this DPA.

11) CCPA/CPRA and Other U.S. State Laws

  • Swarmify acts as a “Service Provider” or “Processor” with respect to Customer Personal Data. Swarmify will not sell or share (for cross-context behavioral advertising) Customer Personal Information, will not combine it with other personal information except as permitted by law and this DPA, and will not use it for purposes other than providing the Service and as otherwise permitted by the MSA/DPA. Swarmify certifies that it understands the restrictions of this section and will comply with them.
  • Swarmify will notify Customer if it can no longer meet its obligations under applicable state privacy laws.

12) Government Requests

Where legally permitted, Swarmify will notify Customer of legally binding requests from public authorities for disclosure of Customer Personal Data and will challenge unlawful or overbroad requests.

13) Liability; Order of Precedence

Liability is as set forth in the MSA. If there is a conflict between this DPA and the MSA, this DPA controls with respect to processing of Customer Personal Data; if there is a conflict between this DPA and the SCCs for transfers they govern, the SCCs control.

14) Term

This DPA remains in effect for as long as Swarmify processes Customer Personal Data on Customer’s behalf under the MSA.

Annex 1 – Description of Processing

Categories of Data Subjects: Customer’s authorized users; Customer’s end users/viewers; Customer’s personnel and contractors; other individuals whose data Customer submits to the Service.

Types of Personal Data: Names, emails, contact details; account identifiers; IP addresses and device identifiers; cookie/online identifiers; usage and log data; content interaction telemetry (e.g., video view events, session timestamps); and any other personal data that Customer chooses to upload or route via the Service. Special categories are not required by the Service and should not be submitted; if submitted at Customer’s discretion, they are processed only on documented instructions.

Purpose and Nature of Processing: Provision, maintenance, optimization, security, and support of the Service (including content delivery, performance acceleration, analytics, troubleshooting, billing, and abuse prevention).

Retention: For the duration of the MSA and then per Section 10 of this DPA and the MSA.

Frequency: Continuous and as initiated by Customer’s use of the Service.

Subject Matter and Duration: As necessary to provide the Service for the term of the MSA.

Annex 2 – Technical & Organizational Measures (TOMs)

  • Access Control: Role-based access; least-privilege; MFA for production access; periodic access reviews; secure onboarding/offboarding.
  • Data Security: Encryption in transit (TLS) and at rest where appropriate; key management via industry-standard tooling.
  • Application Security: Secure SDLC; code review; dependency scanning; vulnerability management with risk-based patching targets; separation of environments.
  • Network Security: Firewalls/WAF; DDoS protections; network segmentation; intrusion detection/prevention alerts.
  • Logging & Monitoring: Centralized logging and alerting; anomaly detection; audit trails for privileged actions.
  • Business Continuity: Regular backups; tested restore procedures; documented incident and disaster recovery plans.
  • Personnel & Training: Security awareness, confidentiality obligations, and background checks as permitted by law.
  • Vendor Management: Risk-based review of Subprocessors; contractual security/privacy requirements; continuous monitoring where feasible.
  • Data Minimization: Retention and pseudonymization/aggregation where appropriate; configuration controls for telemetry.

Contacts

Swarmify (Processor) Contact for Privacy/Security: legal [at] swarmify.com