Data Processing Addendum

Last Updated: May 13, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service or Master Services Agreement (the "Agreement") between It Just Works, Inc. (dba StarZero) ("StarZero," "we," "us," or "Processor") and you or the entity you represent ("Customer" or "Controller"). This DPA applies to the extent that StarZero processes Personal Data on behalf of Customer in the course of providing the Services.

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. In this DPA:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (as amended by the CPRA), the Illinois Biometric Information Privacy Act ("BIPA"), and any other applicable data protection or privacy legislation.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "EEA" means the European Economic Area.
  • "Face Embedding Data" means the anonymized mathematical representations of faces generated by the Services' face detection features, as described in Section 4.5 of the Agreement.
  • "Personal Data" means any information relating to a Data Subject that is processed by StarZero on behalf of Customer in connection with the Services. For the avoidance of doubt, Personal Data may include data contained within video files, audio files, transcripts, metadata, and other Inputs submitted by Customer.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
  • "Processing" (and "process," "processed") means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
  • "Sub-processor" means any third party engaged by StarZero to process Personal Data on behalf of Customer.

2. Scope and Roles

2.1 Roles

Customer is the Controller of Personal Data processed under this DPA. StarZero is the Processor, processing Personal Data on behalf of and under the instructions of Customer.

2.2 Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1 to this DPA.

2.3 Customer Obligations

Customer is responsible for (a) ensuring that it has a lawful basis under Applicable Data Protection Law for the processing of Personal Data by StarZero, (b) providing any required notices to, and obtaining any required consents from, Data Subjects, and (c) ensuring that the instructions it provides to StarZero comply with Applicable Data Protection Law. Customer will not submit to the Services any categories of Personal Data that StarZero has not been engaged to process, including (unless explicitly agreed in writing) special categories of personal data as defined in Article 9 of the GDPR.

3. Processing Instructions

3.1 Instructions

StarZero will process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. The Agreement (including this DPA) constitutes Customer's documented instructions. Customer may provide additional written instructions consistent with the Agreement.

3.2 Notification

If StarZero believes that an instruction from Customer infringes Applicable Data Protection Law, StarZero will promptly notify Customer. StarZero will not be required to assess the legality of Customer's instructions except where an infringement is apparent.

4. Confidentiality

StarZero will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

5.1 Security Measures

StarZero will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are described in Annex 2 to this DPA and will at a minimum include:

  1. Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  2. Logical access controls, including role-based access, multi-factor authentication for administrative access, and least-privilege principles.
  3. Network security controls, including firewalls, intrusion detection, and monitoring.
  4. Regular vulnerability assessments and penetration testing.
  5. Secure development practices, including code review and dependency management.
  6. Physical security controls at data center facilities operated by Sub-processors.
  7. Incident response and business continuity procedures.

5.2 Updates

StarZero may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Personal Data.

6. Sub-processors

6.1 Authorized Sub-processors

Customer provides general authorization for StarZero to engage Sub-processors to process Personal Data. The current list of Sub-processors is available at starzero.ai/legal/sub-processors ("Sub-processor List").

6.2 Notification of Changes

StarZero will notify Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor, by updating the Sub-processor List and notifying Customer by email. Customer may subscribe to Sub-processor change notifications through the Services or by contacting [email protected].

6.3 Objection Right

If Customer reasonably objects to a new Sub-processor on legitimate data protection grounds, Customer will notify StarZero in writing within 15 days of receiving notice. The parties will work together in good faith to address Customer's concerns. If no resolution is reached within 30 days, Customer may terminate the affected Services by providing written notice, and StarZero will refund any prepaid fees for the terminated Services covering the period after termination.

6.4 Sub-processor Obligations

StarZero will (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, and (b) remain responsible for each Sub-processor's compliance with the obligations of this DPA.

7. Data Subject Rights

7.1 Assistance

StarZero will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 Direct Requests

If StarZero receives a request directly from a Data Subject, StarZero will promptly redirect the Data Subject to Customer, unless prohibited by law. StarZero will not respond to a Data Subject request directly unless instructed to do so by Customer.

8. Personal Data Breach

8.1 Notification

StarZero will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification will be made to the email address associated with Customer's account or to such other address as Customer has designated in writing.

8.2 Content of Notification

The notification will include, to the extent reasonably available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of a point of contact for further information.

8.3 Assistance

StarZero will cooperate with and assist Customer in investigating, mitigating, and remediating the Personal Data Breach, and in complying with any breach notification obligations under Applicable Data Protection Law.

8.4 Limitations

StarZero's notification of or response to a Personal Data Breach will not be construed as an acknowledgment of any fault or liability.

9. Data Protection Impact Assessments

StarZero will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to StarZero.

10. International Data Transfers

10.1 Processing Locations

StarZero processes Personal Data primarily in the United States. Customer authorizes transfers of Personal Data to the United States and to any other country where StarZero or its Sub-processors maintain facilities, subject to the safeguards in this Section.

10.2 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection:

  1. The Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference and form part of this DPA. For the purposes of the SCCs: (a) Customer is the "data exporter" and StarZero is the "data importer"; (b) the details in Annexes 1 and 2 of this DPA serve as the annexes to the SCCs; (c) the optional docking clause in Clause 7 applies; (d) the optional language in Clause 9(a) applies and the time period for prior notice of Sub-processor changes is 30 days; (e) the governing law for the purposes of Clause 17 is the law of Ireland; and (f) disputes under Clause 18 will be resolved before the courts of Ireland.
  2. For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, is incorporated by reference with the information in Annexes 1 and 2 completing the relevant tables.
  3. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

10.3 Alternative Mechanisms

If an alternative transfer mechanism becomes available under Applicable Data Protection Law (such as an adequacy decision or a certification framework), StarZero may adopt that mechanism for the relevant transfers, provided it meets the requirements of Applicable Data Protection Law.

11. Audits

11.1 Audit Reports

StarZero will make available to Customer, upon reasonable request and subject to confidentiality obligations, copies of relevant third-party audit reports or certifications (such as SOC 2 Type II) that demonstrate compliance with the security obligations in this DPA.

11.2 Customer Audits

If Customer reasonably determines that the information provided under Section 11.1 is insufficient to verify StarZero's compliance with this DPA, Customer may conduct or commission an audit of StarZero's processing activities, subject to the following: (a) Customer will provide at least 30 days' prior written notice; (b) audits will be conducted during normal business hours and will not unreasonably interfere with StarZero's operations; (c) Customer will bear the costs of the audit unless the audit reveals a material breach of this DPA by StarZero; (d) audits will be limited to once per twelve-month period unless required by a supervisory authority or triggered by a Personal Data Breach; and (e) Customer and its auditors will comply with reasonable confidentiality and security requirements.

12. Return and Deletion of Personal Data

12.1 During the Term

Customer may export or delete Personal Data through the functionality of the Services at any time during the term.

12.2 Upon Termination

Upon termination of the Agreement, StarZero will, at Customer's election (to be communicated within 30 days of termination), either return or delete all Personal Data in its possession or control, except to the extent that applicable law requires retention. StarZero will complete the return or deletion within 90 days of receiving Customer's instructions (or, if no instructions are received, within 90 days of termination). StarZero will certify deletion in writing upon Customer's request.

12.3 Retained Copies

To the extent StarZero is required by applicable law to retain any Personal Data, StarZero will (a) notify Customer of the retention requirement and the scope of the retained data, (b) continue to protect the retained data in accordance with this DPA, and (c) process the retained data only for the purposes required by law.

13. Face Embedding Data

13.1 Nature of Processing

The Services' face detection features generate Face Embedding Data as described in Section 4.5 of the Agreement. Face Embedding Data consists of anonymized mathematical vectors derived from visual analysis of video content. These vectors enable similarity-based search within Customer's content library and cannot be used to identify individuals without access to the corresponding source video.

13.2 Not Biometric Data

StarZero does not use Face Embedding Data for biometric identification or authentication purposes. However, Customer acknowledges that certain jurisdictions (including those subject to BIPA, GDPR, or analogous legislation) may classify face-derived data as biometric data or special category data regardless of its technical characteristics. Customer is responsible for determining whether its use of face-detection-enabled features triggers obligations under such legislation and for complying with those obligations.

13.3 Deletion

Face Embedding Data associated with a specific video is deleted when Customer deletes that video from the Services. Upon termination of the Agreement, Face Embedding Data is deleted in accordance with Section 12 of this DPA.

14. Duration and Termination

This DPA will remain in effect for as long as StarZero processes Personal Data on behalf of Customer. Termination of this DPA will not relieve either party of obligations that accrued before termination.

15. Governing Law

This DPA is governed by the law specified in the Agreement, except to the extent that Applicable Data Protection Law requires the application of a different governing law (in which case, that law applies to the extent required).

16. Contact

For questions about this DPA or to exercise rights under this DPA, contact us:

It Just Works, Inc. (dba StarZero)
51 Little Falls Drive
Wilmington, New Castle County, Delaware 19808
Email: [email protected]

Annex 1: Details of Processing

Subject matter: Processing of Personal Data by StarZero as necessary to provide the Services under the Agreement.
Duration: For the duration of the Agreement, plus any retention period specified in Section 12.
Nature and purpose: Video ingestion, indexing, and storage; multimodal search (visual, audio, and textual); AI-driven content editing, clipping, and remixing via Skills; speech-to-text transcription; face detection and similarity-based search; content publishing and distribution as directed by Customer.
Types of Personal Data: Visual likenesses of individuals appearing in video content; voices and speech of individuals; names and other identifying information contained in video metadata, transcripts, or on-screen text; Face Embedding Data (anonymized mathematical representations); any other personal data contained in Customer's Inputs.
Categories of Data Subjects: Individuals appearing in or identifiable from Customer's video content, which may include Customer's employees, contractors, talent, interviewees, members of the public, and other individuals.
Special categories (if any): Face Embedding Data may be classified as biometric data under certain jurisdictions. No other special categories of personal data are intentionally processed unless Customer includes them in Inputs.

Annex 2: Technical and Organizational Security Measures

StarZero maintains the following security measures. These may be updated from time to time in accordance with Section 5.2 of this DPA.

Infrastructure and Access

  • Cloud infrastructure hosted on SOC 2-certified providers with industry-standard physical security, environmental controls, and redundancy.
  • Role-based access control (RBAC) with least-privilege principles for all production systems.
  • Multi-factor authentication (MFA) required for all administrative and privileged access.
  • Centralized identity management with regular access reviews.

Data Protection

  • Encryption in transit using TLS 1.2 or higher for all communications.
  • Encryption at rest using AES-256 or equivalent for all stored data, including Inputs, Outputs, and Face Embedding Data.
  • Logical separation of Customer data in multi-tenant environments.
  • Secure key management practices with regular key rotation.

Network Security

  • Network firewalls and segmentation to isolate production environments.
  • Intrusion detection and prevention systems.
  • DDoS mitigation services.
  • Logging and monitoring of network activity with alerting for anomalous behavior.

Application Security

  • Secure software development lifecycle (SDLC) practices, including code review and static analysis.
  • Regular vulnerability scanning and remediation.
  • Annual third-party penetration testing.
  • Dependency management and patching procedures.

Operational Security

  • Documented incident response plan with defined roles and escalation procedures.
  • Business continuity and disaster recovery procedures with regular testing.
  • Regular backups with tested restoration procedures.
  • Security awareness training for all personnel.

Personnel

  • Background checks for personnel with access to production systems (to the extent permitted by applicable law).
  • Confidentiality obligations for all personnel.
  • Termination procedures including prompt revocation of access upon departure.

Vendor Management

  • Due diligence review of Sub-processors' security practices before engagement.
  • Contractual data protection obligations imposed on all Sub-processors.
  • Periodic review of Sub-processor compliance.