CinePlan Data Processing Agreement
CinePlan Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Cherrium LLC (“Processor” or “CinePlan”) and the entity or individual agreeing to these terms (“Controller” or “Customer”) for use of the CinePlan service.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by CinePlan on behalf of the Controller.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Data Protection Laws” means applicable data protection legislation including GDPR, CCPA/CPRA, and equivalent laws in other jurisdictions.
- “Sub-processor” means a third-party service provider engaged by CinePlan to process Personal Data.
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data through CinePlan. CinePlan acts as the Processor and processes Personal Data only on documented instructions from the Controller as necessary to provide the service.
2.1 Categories of Data Subjects
- Controller's employees and authorized users.
- Production contacts, including crew, vendors, talent, clients, and other production participants entered by the Controller.
2.2 Types of Personal Data
- Account data such as name and email address.
- Contact data such as name, role, email, phone, company, and production-related notes.
- Production data such as schedules, locations, location coordinates, location production-pack notes, equipment, notes, call sheet delivery and confirmation records, and requested forecast dates when weather is used.
- Operational records such as AI job recovery status, AI usage logs, schedule revision history, production status suggestions, and user-submitted feedback or issue reports.
- Legal acceptance records such as acceptance timestamps, document versions, hashed IP address, and user agent.
- Uploaded files such as images, documents, scripts, reference frames, and other production files.
3. Processor Obligations
CinePlan shall:
- Process Personal Data only as necessary to provide the service and as instructed by the Controller.
- Use appropriate technical and organizational measures to protect Personal Data, including encryption in transit, encrypted storage for supported personally identifiable information, password hashing, access controls, authentication, rate limiting, and abuse prevention.
- Not process Personal Data for a purpose other than providing the service unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Assist the Controller in responding to data subject requests where reasonably possible.
- Delete or return Personal Data upon termination of the service, subject to retention required by law, security, billing, audit, legal, or dispute-resolution needs.
3.1 Instruction Compliance
If CinePlan believes that an instruction from the Controller infringes applicable Data Protection Laws, CinePlan will promptly inform the Controller and may suspend the relevant processing until the Controller provides revised instructions.
3.2 Sub-processor Obligations
CinePlan uses sub-processors to provide parts of the service. CinePlan remains responsible for sub-processors used to process Personal Data on behalf of the Controller and requires appropriate data protection commitments from those sub-processors.
3.3 Data Protection Impact Assessments
CinePlan will provide reasonable assistance to the Controller for data protection impact assessments and prior consultations with supervisory authorities to the extent required by Data Protection Laws and technically available.
4. Sub-processors
The Controller authorizes CinePlan to engage the following sub-processors. CinePlan will provide notice of intended material changes to sub-processors and an opportunity to object within 30 days where required by applicable law.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | PostgreSQL database hosting | United States |
| Vercel Inc. | Application hosting and file storage | United States |
| Stripe Inc. | Payment processing | United States |
| Hosted AI infrastructure provider | AI feature processing | United States |
| Apple Inc. | WeatherKit forecast data | United States |
| Resend Inc. | Transactional email delivery | United States |
| Upstash Inc. | Distributed rate limiting | United States |
| Cloudflare Inc. | Bot protection, delivery, and security infrastructure | United States |
| Liveblocks Inc. | Real-time collaboration | United States |
5. International Transfers
CinePlan is operated from the United States and Personal Data may be processed in the United States or other countries where Cherrium or its sub-processors operate. Where required, CinePlan relies on applicable safeguards such as Standard Contractual Clauses, service-provider data processing terms, or other lawful transfer mechanisms.
6. Data Breach Notification
CinePlan will notify the Controller without undue delay, and where required within 72 hours of becoming aware, of a Personal Data breach that is likely to result in a risk to the rights and freedoms of data subjects. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it where available.
7. Data Subject Rights
CinePlan provides self-service tools to support data subject rights:
- Access and portability: The data export feature in Settings exports supported account and production data.
- Correction: Profile and production data are editable through the application UI.
- Deletion: Account deletion deletes the account and cascades supported account-owned records, including productions, contacts, and uploaded files. Some limited support, security, billing, audit, or legal records may be retained or de-identified for the periods described in the Privacy Policy and then removed under Cherrium's retention controls.
For requests that cannot be fulfilled through self-service, contact hello@cherrium.com.
8. Audits
CinePlan will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits required by applicable Data Protection Laws, subject to reasonable notice, confidentiality obligations, security controls, and limits designed to protect other users and Cherrium systems.
9. Term and Termination
This DPA remains in effect for the duration of the Controller's use of CinePlan. Upon termination, CinePlan will delete or return Personal Data in accordance with the Privacy Policy, account deletion tools, product retention controls, and applicable legal requirements.
10. Acceptance
By using CinePlan, you accept this DPA as part of the Cherrium Software Terms of Use. For questions or to request a signed copy, contact hello@cherrium.com.
Software Terms of Use: https://cherrium.com/pages/cherrium-software-terms-of-use
Software Privacy Policy: https://cherrium.com/pages/cherrium-software-privacy-policy