Data Processing Agreement (DPA)

Operated by Reelir Studios AB · Last updated: 2026-01-10

Agreement overview

This Data Processing Agreement (“Agreement”) governs the processing of personal data by Reelir Studios AB on behalf of production companies using our DIT Media Management System.

This Agreement supplements the underlying service agreement and is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR).

Full agreement text

1. Parties

This Agreement is entered into between the production company using the service (“Controller”) and Reelir Studios AB, a company registered in Sweden (“Processor”).

2. Subject matter and duration

This Agreement governs the processing of personal data in connection with secure media intake, custody tracking, verification, reporting, and delivery services for the duration of the underlying service agreement and applicable retention periods.

3. Nature and purpose of processing

  • Secure handling of production media
  • Maintenance of an auditable chain of custody
  • Backup, verification, and reporting
  • Delivery confirmation and operational coordination
  • Professional accountability and dispute resolution

4. Categories of data

Personal data processed may include names, professional roles, phone numbers provided at intake, operational identifiers, and immutable audit records of actions performed by staff.

Special categories of personal data under Article 9 GDPR are not intentionally processed.

5. Processor obligations

The Processor shall:

  • Process data only on documented instructions
  • Ensure that authorized personnel maintain confidentiality
  • Implement appropriate technical and organizational measures
  • Not process data for its own purposes

6. Sub-processors

The Controller authorizes the use of sub-processors necessary for service delivery, including Supabase, MEGA S4 Object Storage, Railway, MessageBird, and Discord.

Sub-processors are contractually bound to provide protections no less protective than those set out in this Agreement.

7. Audit logs and accountability

Operational audit logs are append-only and may include identifiable information about staff actions. Audit records are retained in identifiable form to preserve evidentiary integrity and are not anonymized.

8. Data subject rights

The Processor shall assist the Controller, where reasonable, in responding to data subject rights requests. Requests for deletion or anonymization may be refused where retention is required under Article 17(3) GDPR.

9. Governing law

This Agreement shall be governed by the laws of Sweden, without prejudice to mandatory provisions of EU data protection law.

10. Contact

Privacy-related inquiries may be directed to trausti@reelir-studios.com.