
Data Processing Agreement

Last updated: May 6, 2026

Document: Data Processing Agreement
Version: 1.0 (Draft)
Effective Date: 06 May 2026
Last Reviewed: 06 May 2026
Governing Law: England and Wales



This Data Processing Agreement ("DPA" or "Agreement") supplements and forms part of the Terms of Service between:

"Controller" (also referred to as "Client"): The Subscriber identified in the Order Form or account registration — a business or individual that uses the Service to process personal data on behalf of their own customers or operations.

"Processor" (also referred to as "ClipToText"): ALL-IN-ONE DIGITAL SOLUTIONS LTD, registered in England and Wales under company number 15957512, with registered address at 2nd Floor, Collage House, 17 King Edwards Road, Ruislip, Middlesex, HA4 7AE, United Kingdom.

Together referred to as the "parties" and individually as a "party".


1. Definitions

| Term | Meaning |
|---|---|
| Controller | The party that determines the purposes and means of Processing Personal Data. In the context of this DPA, the Client. |
| Processor | The party that Processes Personal Data on behalf of the Controller. In the context of this DPA, ClipToText. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR. |
| Processing | Any operation or set of operations performed on Personal Data, as defined in Article 4(2) UK GDPR. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. |
| Sub-processor | Any third party engaged by the Processor to Process Personal Data in connection with the Services. |
| Services | The ClipToText.ai platform services as described in the Terms of Service. |
| UK GDPR | The retained EU law version of the General Data Protection Regulation, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. |
| DPA 2018 | The Data Protection Act 2018. |
| IDTA | The International Data Transfer Agreement approved by the UK Information Commissioner under Section 119A DPA 2018. |
| Supervisory Authority | The Information Commissioner's Office (ICO) or any other competent data protection supervisory authority. |
| TOMs | Technical and Organisational Measures as described in Schedule 2 of this DPA. |

2. Scope and Relationship of the Parties

2.1. Nature of relationship. The Controller collects and controls Personal Data belonging to its End Users and customers. When the Controller uses the Services, ClipToText processes that Personal Data as a Processor, acting only on the documented instructions of the Controller.

2.2. Where this DPA applies. This DPA applies where the Controller uses the Services to process Personal Data of individuals (Data Subjects) who are customers of, or visitors to, the Controller's Sites (as defined in the Terms of Service). It does not govern ClipToText's processing of the Controller's own personal data as a Subscriber (which is governed by the Privacy Policy).

2.3. Each party's obligations. The Controller is solely responsible for:

  • The lawfulness of collecting Personal Data from its Data Subjects;
  • Providing adequate privacy notices to its Data Subjects;
  • Establishing a valid lawful basis for processing under UK GDPR Article 6 (and Article 9 where applicable);
  • Ensuring that it is entitled to transfer Personal Data to ClipToText for processing.

3. Subject Matter, Duration, Nature and Purpose of Processing

Subject matter: Processing of Personal Data belonging to the Controller's End Users and newsletter subscribers via the ClipToText.ai Service.

Duration: For the term of the Controller's Subscription, plus any applicable retention period stated in this DPA or the Privacy Policy.

Nature of Processing:

  • Storage of Personal Data (newsletter subscriber lists, site visitor data) on ClipToText's infrastructure;
  • Transmission of content to AI sub-processors (OpenAI) for article and image generation;
  • Processing of email addresses for newsletter campaigns via Brevo;
  • Storage of files (transcriptions, generated images) on AWS S3.

Purpose of Processing: To provide the Services described in the Terms of Service, including content generation, newsletter automation, site management and third-party publishing integrations.


4. Types of Personal Data and Categories of Data Subjects

Types of Personal Data processed on behalf of the Controller:

| Data Type | Examples |
|---|---|
| Contact data | Email addresses, names of newsletter subscribers |
| Usage and behavioural data | Page views, clicks, form submissions on Controller's Sites |
| Content data | User-generated content submitted by End Users via Controller's Sites |
| Communication data | Content of emails sent via newsletter feature |

Additional data types processed on behalf of the Controller include: YouTube transcription output (text derived from audio of URLs submitted by the Controller); AI-generated article text and images stored in the Controller's account; third-party CMS API credentials (WordPress, Blogger, Shopify, Webflow, Wix, Ghost) stored encrypted at rest for publishing integration; site configuration data (SEO settings, templates, language preferences). This table will be updated by ClipToText when material new features are introduced, with 14 days' notice to the Controller.

Special categories of Personal Data: The Controller must not submit special categories of Personal Data (Article 9 UK GDPR — including health data, biometric data, racial/ethnic origin, political opinions, religious beliefs, sexual orientation) to the Services without obtaining explicit consent from each affected Data Subject and notifying ClipToText in advance.

Categories of Data Subjects:

  • End Users who visit, subscribe to or interact with the Controller's Sites;
  • Newsletter subscribers of the Controller's Sites;
  • Any other individuals whose Personal Data the Controller submits to the Services.

5. Processor Obligations

5.1 Processing on Instructions

5.1.1. ClipToText will Process Personal Data only on the documented instructions of the Controller (including as set out in this DPA and the Terms of Service), unless required to do so by applicable UK law. If applicable law requires Processing that conflicts with the Controller's instructions, ClipToText will inform the Controller before Processing (unless prohibited by law).

5.1.2. ClipToText will immediately inform the Controller if, in its opinion, any instruction infringes UK GDPR or other applicable data protection law.

5.2 Confidentiality

5.2.1. ClipToText will ensure that all personnel authorised to Process Personal Data under this DPA are bound by appropriate confidentiality obligations (whether by contract or statutory duty).

5.2.2. ClipToText will limit access to Personal Data to those personnel who require access to perform the Services.

5.3 Security

5.3.1. ClipToText will implement and maintain the Technical and Organisational Measures described in Schedule 2 of this DPA, in accordance with Article 32 UK GDPR.

5.3.2. The TOMs are subject to ongoing review and improvement. ClipToText may update the TOMs from time to time, provided that updates do not materially reduce the level of protection.

5.4 Sub-processors

5.4.1. The Controller grants ClipToText general written authorisation to engage the Sub-processors listed in Schedule 1 of this DPA.

5.4.2. ClipToText will give the Controller at least 14 days' advance written notice before engaging any new Sub-processor or making material changes to existing Sub-processor arrangements. Notice will be given by email to the Controller's account email address.

5.4.3. The Controller may object to a new Sub-processor within 14 days of notice by notifying ClipToText in writing. If the parties cannot resolve the objection, the Controller may terminate the Subscription on written notice, with a pro-rata refund of prepaid Fees for the remaining subscription period.

5.4.4. ClipToText will impose data protection obligations on all Sub-processors equivalent to those in this DPA, by way of a written contract satisfying Article 28(3) UK GDPR.

5.4.5. ClipToText remains fully liable to the Controller for the performance of Sub-processors' obligations under this DPA.

5.5 Data Subject Rights

5.5.1. ClipToText will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures to fulfil its obligations to respond to Data Subject rights requests under UK GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).

5.5.2. Where ClipToText receives a request directly from a Data Subject, it will promptly forward it to the Controller without acting on it.

5.5.3. Assistance beyond what is reasonably required to operate the Services may be subject to reasonable additional charges, agreed in advance.

5.6 Compliance Assistance

5.6.1. ClipToText will assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of Processing and information available to ClipToText.

5.7 Audit Rights

5.7.1. ClipToText will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

5.7.2. ClipToText will permit and cooperate with audits or inspections conducted by the Controller (or a mutually agreed auditor) no more than once per calendar year, upon 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations.

5.7.3. Audits must be conducted in a manner that minimises disruption to the Services. Costs of audits beyond reasonable documentation review will be borne by the Controller.

5.7.4. Alternatively, ClipToText may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g. ISO 27001, SOC 2) where available.


6. Personal Data Breach

6.1. ClipToText will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

6.2. Notification will include, to the extent then available:

  • A description of the nature of the Breach, including categories and approximate number of Data Subjects affected;
  • Categories and approximate number of Personal Data records affected;
  • Name and contact details of the Data Protection contact at ClipToText;
  • Likely consequences of the Breach;
  • Measures taken or proposed to address the Breach and mitigate its effects.

6.3. Where full information is not available within 72 hours, ClipToText will provide initial notification with available information and supplement it as further information becomes available.

6.4. ClipToText will cooperate with the Controller in investigating the Breach, fulfilling the Controller's own notification obligations to the ICO (where applicable) and affected Data Subjects.

6.5. ClipToText will not communicate a Breach to a Supervisory Authority or affected Data Subjects on the Controller's behalf without the Controller's prior written consent, unless required to do so by applicable law.


7. International Data Transfers

7.1. ClipToText may transfer Personal Data to countries outside the UK where required to provide the Services (including to Sub-processors listed in Schedule 1 located in the USA).

7.2. ClipToText will ensure all such transfers are subject to appropriate safeguards under UK GDPR Chapter V, including:

  • UK International Data Transfer Agreements (IDTAs); or
  • UK Addendum to EU Standard Contractual Clauses;

as approved by the Secretary of State under Section 119A DPA 2018.

7.3. Transfer agreements with Sub-processors are executed as follows: OpenAI (UK Addendum to OpenAI DPA), Stripe (UK Addendum to Stripe DPA), AWS (UK IDTA via AWS Data Privacy console), Cloudflare (UK Addendum to Cloudflare DPA). Hetzner Online GmbH (VPS hosting, Finland EU) does not require a transfer agreement as Finland is within the EEA and covered by the UK adequacy decision. Copies of executed agreements are available to the Controller on written request to privacy@cliptotext.ai.

7.4. The Controller authorises ClipToText to enter into appropriate transfer agreements with Sub-processors on its behalf as a sub-controller.


8. Termination and Data Deletion

8.1. On termination of the Terms of Service for any reason, ClipToText will:

  • Cease Processing Personal Data within 30 days of termination; and
  • At the Controller's election (notified in writing within the 30-day window): either return Personal Data in a portable, machine-readable format or securely delete/destroy it.

8.2. If the Controller does not elect within 30 days, ClipToText will securely delete all Personal Data unless retention is required by applicable UK law (in which case ClipToText will notify the Controller of the retention basis).

8.3. Billing and transaction records will be retained for 7 years in accordance with HMRC statutory requirements.

8.4. ClipToText will certify in writing, upon the Controller's request, that deletion or return has been completed.


9. Governing Law

This DPA is governed by the laws of England and Wales. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to any mandatory rights the Controller may have under the laws of its place of establishment.


Schedule 1 — Approved Sub-processors

The following Sub-processors are approved as at the Effective Date:

| Sub-processor | Registered Country | Purpose | Transfer Safeguard |
|---|---|---|---|
| OpenAI, L.L.C. | USA | Text generation (GPT-4), transcription (Whisper), image generation (DALL-E 3) | UK IDTA / UK Addendum SCC |
| Stripe, Inc. | USA | Payment processing, billing | UK IDTA / UK Addendum SCC |
| Brevo (Sendinblue SAS) | France (EU) | Transactional and marketing email delivery | EU SCC / adequacy maintained |
| Amazon Web Services, Inc. | USA | File storage (S3) — videos, images, transcriptions | UK IDTA / UK Addendum SCC |
| Cloudflare, Inc. | USA | CDN, DDoS protection, WAF | UK IDTA / UK Addendum SCC |
| Hetzner Online GmbH | Finland (EU) | Backend hosting, MariaDB database, Redis cache | No transfer required — EU/EEA; UK adequacy decision applies |

ClipToText will notify the Controller at least 14 days before adding or materially changing any Sub-processor in this list.


Schedule 2 — Technical and Organisational Measures (TOMs)

The following measures are implemented by ClipToText in accordance with Article 32 UK GDPR:

2.1 Data Encryption

  • In transit: All data transmitted between end-users and the Service is encrypted using TLS 1.2 or higher. All API communications use HTTPS.
  • At rest: Personal Data stored in databases and file storage is encrypted using AES-256.
  • Credentials: Third-party API keys and integration credentials are stored encrypted at rest.
  • Passwords: User passwords are never stored in plain text; they are hashed using a one-way cryptographic function.

2.2 Access Controls

  • Authentication: All staff accessing production systems use strong, unique passwords and multi-factor authentication (MFA).
  • Role-based access control (RBAC): Access to production data is restricted to personnel with a business need.
  • Principle of least privilege: Personnel are granted only the minimum access required for their role.
  • Access reviews: Access rights are reviewed periodically and revoked promptly on staff departure.
  • Audit logging: All access to production systems and databases is logged with user identity, timestamp and action.

2.3 Multi-Tenant Data Isolation

  • Each Controller's data is logically isolated by a unique site_id identifier.
  • All database queries include a mandatory site_id filter — cross-tenant data access is technically prevented at the application layer.
  • Redis cache keys are prefixed with tenant:{siteId}: to prevent cross-tenant cache leakage.
  • The TenantContext service enforces tenant boundaries in all service-layer operations.

2.4 Infrastructure Security

  • Backend infrastructure is hosted at Hetzner Online GmbH, Helsinki, Finland (EU) with physical security controls maintained by Hetzner.
  • Cloudflare provides CDN, WAF (Web Application Firewall) and DDoS protection.
  • Network firewalls restrict access to internal services.
  • Only necessary ports are exposed; all other inbound traffic is blocked.

2.5 Vulnerability Management

  • Dependencies are monitored for known vulnerabilities using automated dependency scanning.
  • Security patches are applied within a reasonable timeframe of release, with critical patches prioritised.
  • Security patches are applied according to the following SLA: critical (CVSS 9.0+): 7 days; high (CVSS 7.0–8.9): 30 days; medium (CVSS 4.0–6.9): 90 days; low: next scheduled maintenance window.
  • Annual penetration testing is recommended; results are reviewed and critical findings remediated.

2.6 Incident Response

  • ClipToText maintains a documented Incident Response Plan covering: detection, triage, containment, eradication, notification and post-incident review.
  • Incidents are logged, investigated and root-cause analysed.
  • Breach notification is provided within 72 hours in accordance with Section 6.

2.7 Backup and Recovery

  • Data is backed up daily, with backups retained for 30 days.
  • Backups are encrypted (AES-256) and stored separately from production data.
  • Recovery procedures are tested quarterly with documented results.

2.8 Personnel Measures

  • All personnel with access to Personal Data are trained on data protection obligations and this DPA.
  • Personnel are bound by contractual confidentiality obligations.
  • Access is revoked promptly on termination of employment or contractor engagement.

This document was prepared as a draft template and must be reviewed and validated by a qualified UK solicitor before publication or reliance. It does not constitute legal advice.

Questions? support@cliptotext.ai · privacy@cliptotext.ai
