Data Processing Agreement (DPA)
May 1, 2026
01. Parties and Purpose
This Data Processing Agreement (the 'DPA') is concluded between, on the one hand, the professional client using the Pix2Clip service acting as data controller (the 'Controller') and, on the other hand, QR Communication, an SAS registered with the Paris Trade and Companies Register under SIREN 940 163 496, with its registered office at 23 rue de Richelieu, 75001 Paris, acting as processor (the 'Processor'). It is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) and supplements the Terms of Use and General Terms of Sale. Its purpose is to define the conditions under which the Processor processes, on behalf of the Controller, the personal data necessary for the provision of AI-based content generation services. The DPA applies for the entire duration of the main contract and survives its termination for obligations that are intended to continue.
02. Description of the Processing
Nature and purposes of the processing: hosting, processing, transmission to AI models and return of generated content (videos, images, audio files, synthetic voices) from prompts and files provided by the Controller's users. Categories of data subjects: authorised users of the Controller, individuals possibly represented in uploaded content (under the sole responsibility of the Controller). Categories of data: identification data, technical connection data, textual and multimedia content submitted. The Processor processes such data solely on documented instructions from the Controller, as resulting from the use of the service via the provided interfaces. Any additional instruction must be made in writing. The Controller warrants the lawfulness of the data it transmits and the existence of an appropriate legal basis.
03. Sub-processors
The Controller authorises the Processor to use the following sub-processors: Hetzner Online GmbH (Germany, application hosting); Scaleway SAS (France, S3 fr-par object storage); Viva Payment Services SA (Greece, payment processing); MiniMax (China, generative AI models). Each is bound to the Processor by a contract imposing obligations equivalent to those of this DPA. The transfer to MiniMax (China) is governed by the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, supplemented by additional technical measures (encryption in transit, minimisation of transmitted data, no transfer of authentication data). Any change to the list of sub-processors will be notified to the Controller by email with thirty days' notice, providing the right to reasoned objection.
04. Technical and Organisational Measures
In accordance with Article 32 GDPR, the Processor implements the following measures: encryption of communications via TLS 1.3; AES-256 encryption at rest on object storage; Argon2id hashing of passwords; strict segregation of production and test environments; mandatory multi-factor authentication for administrator accounts; timestamped and retained logging of accesses and sensitive operations, with periodic review; least-privilege policy on internal access; encrypted daily backups with seven-day retention; regular restoration tests; vulnerability and security patch management procedure; periodic data protection awareness training for staff. A detailed and updated description may be provided upon reasoned request of the Controller.
05. Data Subject Rights and Notifications
The Processor assists the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, objection, portability). Where a data subject contacts the Processor directly, the Processor informs the Controller without undue delay and does not respond without instruction. In the event of a personal data breach, the Processor notifies the Controller without undue delay and at the latest within seventy-two hours of becoming aware of it, with all useful information enabling the Controller to notify the competent supervisory authority in accordance with Article 33 GDPR.
06. Audit, Termination and Return
The Processor makes available to the Controller, upon reasonable written request with thirty days' notice, all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, within the limit of one audit per year, except in the event of a major incident. Upon termination of the main contract, the Processor shall, at the Controller's choice expressed in writing within thirty days following termination, either return all data in a structured and commonly used format, or definitively delete it from all active and backup media, within a maximum period of ninety days, and provide a destruction certificate. Statutory retention obligations (notably accounting) remain reserved.