Data Processing Addendum

Last Updated: May 13, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service or Master Services Agreement (the "Agreement") between It Just Works, Inc. (dba StarZero) ("StarZero," "we," "us," or "Processor") and you or the entity you represent ("Customer" or "Controller"). This DPA applies to the extent that StarZero processes Personal Data on behalf of Customer in the course of providing the Services.

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. In this DPA:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (as amended by the CPRA), the Illinois Biometric Information Privacy Act ("BIPA"), and any other applicable data protection or privacy legislation.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "EEA" means the European Economic Area.
  • "Face Embedding Data" means transient mathematical representations of faces generated by the Services' face detection features during an individual video or processing job, as described in Section 4.5 of the Agreement.
  • "Personal Data" means any information relating to a Data Subject that is processed by StarZero on behalf of Customer in connection with the Services. For the avoidance of doubt, Personal Data may include data contained within video files, audio files, transcripts, metadata, and other Inputs submitted by Customer.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
  • "Processing" (and "process," "processed") means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
  • "Sub-processor" means any third party engaged by StarZero to process Personal Data on behalf of Customer.

2. Scope and Roles

2.1 Roles

Customer is the Controller of Personal Data processed under this DPA, or a Processor where it processes Personal Data on behalf of another Controller. StarZero is the Processor when Customer is a Controller and the Sub-processor when Customer is a Processor, processing Personal Data on behalf of and under the instructions of Customer.

2.2 Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1 to this DPA.

2.3 Customer Obligations

Customer is responsible for (a) ensuring that it has a lawful basis under Applicable Data Protection Law for the processing of Personal Data by StarZero, (b) providing any required notices to, and obtaining any required consents from, Data Subjects, and (c) ensuring that the instructions it provides to StarZero comply with Applicable Data Protection Law. Customer will not submit to the Services any categories of Personal Data for which StarZero has not been engaged to process, including special categories of personal data as defined in Article 9 of the GDPR, except as expressly described in Annex 1 and enabled by Customer in the Services.

3. Processing Instructions

3.1 Instructions

StarZero will process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. The Agreement (including this DPA) constitutes Customer's documented instructions. Customer may provide additional written instructions consistent with the Agreement.

3.2 Notification

If StarZero believes that an instruction from Customer infringes Applicable Data Protection Law, StarZero will promptly notify Customer. StarZero will not be required to assess the legality of Customer's instructions except where an infringement is apparent.

3.3 Product and Model Development

Customer's choices and the Agreement govern whether StarZero may use Customer Materials for product or model development beyond the processing needed to provide the Services. Where StarZero performs such processing as an independent controller or business, it is outside the scope of this DPA and will be performed only as permitted by Applicable Data Protection Law and the applicable agreement. StarZero will not use biometric or other sensitive data for product or model development unless it has the consent or other lawful authorization required for that processing.

4. Confidentiality

StarZero will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

5.1 Security Measures

StarZero will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are described in Annex 2 to this DPA and are appropriate to the nature of the processing and the risks to Data Subjects.

5.2 Updates

StarZero may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Personal Data.

6. Sub-processors

6.1 Authorized Sub-processors

Customer provides general authorization for StarZero to engage Sub-processors to process Personal Data. The current list of Sub-processors is available at starzero.ai/legal/sub-processors ("Sub-processor List").

6.2 Notification of Changes

StarZero will provide Customer at least 15 days' prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor, thereby giving Customer an opportunity to object on legitimate data protection grounds. StarZero may provide notice by updating the Sub-processor List and notifying Customer by email. Customer may subscribe to Sub-processor change notifications through the Services or by contacting [email protected].

6.3 Objection Right

If Customer reasonably objects to a new Sub-processor on legitimate data protection grounds, Customer will notify StarZero in writing within 15 days of receiving notice. The parties will work together in good faith to address Customer's concerns. If no resolution is reached within 30 days, Customer may terminate the affected Services by providing written notice, and StarZero will refund any prepaid fees for the terminated Services covering the period after termination.

6.4 Sub-processor Obligations

StarZero will (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, and (b) remain responsible for each Sub-processor's compliance with the obligations of this DPA.

7. Data Subject Rights

7.1 Assistance

StarZero will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 Direct Requests

If StarZero receives a request directly from a Data Subject, StarZero will promptly redirect the Data Subject to Customer, unless prohibited by law. StarZero will not respond to a Data Subject request directly unless instructed to do so by Customer.

8. Personal Data Breach

8.1 Notification

StarZero will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification will be made to the email address associated with Customer's account or to such other address as Customer has designated in writing.

8.2 Content of Notification

The notification will include, to the extent reasonably available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of a point of contact for further information.

8.3 Assistance

StarZero will cooperate with and assist Customer in investigating, mitigating, and remediating the Personal Data Breach, and in complying with any breach notification obligations under Applicable Data Protection Law.

8.4 Limitations

StarZero's notification of or response to a Personal Data Breach will not be construed as an acknowledgment of any fault or liability.

9. Data Protection Impact Assessments

StarZero will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to StarZero.

10. International Data Transfers

10.1 Processing Locations

StarZero processes Personal Data primarily in the United States. Customer authorizes transfers of Personal Data to the United States and to the processing locations identified in the Sub-processor List, subject to the safeguards in this Section.

10.2 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection:

  1. The Standard Contractual Clauses ("SCCs") are hereby incorporated by reference and form part of this DPA. Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is a Processor. For the purposes of the SCCs: (a) Customer is the "data exporter" and StarZero is the "data importer"; (b) the details in Annexes 1 and 2 of this DPA serve as the annexes to the SCCs; (c) the optional docking clause in Clause 7 applies; (d) the optional language in Clause 9(a) applies and the time period for prior notice of Sub-processor changes is 15 days; (e) the governing law for the purposes of Clause 17 is the law of Ireland; and (f) disputes under Clause 18 will be resolved before the courts of Ireland.
  2. For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, is incorporated by reference with the information in Annexes 1 and 2 completing the relevant tables.
  3. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

10.3 Alternative Mechanisms

If an alternative transfer mechanism becomes available under Applicable Data Protection Law (such as an adequacy decision or a certification framework), StarZero may adopt that mechanism for the relevant transfers, provided it meets the requirements of Applicable Data Protection Law.

11. Audits

11.1 Audit Reports

StarZero will make available to Customer, upon reasonable request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with the security obligations in this DPA, including relevant third-party audit reports or certifications if available.

11.2 Customer Audits

If Customer reasonably determines that the information provided under Section 11.1 is insufficient to verify StarZero's compliance with this DPA, Customer may conduct or commission an audit of StarZero's processing activities, subject to the following: (a) Customer will provide at least 30 days' prior written notice; (b) audits will be conducted during normal business hours and will not unreasonably interfere with StarZero's operations; (c) Customer will bear the costs of the audit unless the audit reveals a material breach of this DPA by StarZero; (d) audits will be limited to once per twelve-month period unless required by a supervisory authority or triggered by a Personal Data Breach; and (e) Customer and its auditors will comply with reasonable confidentiality and security requirements.

12. Return and Deletion of Personal Data

12.1 During the Term

Customer may export or delete Personal Data through the functionality of the Services at any time during the term.

12.2 Upon Termination

Upon termination of the Agreement, StarZero will, at Customer's election (to be communicated within 30 days of termination), either return or delete all Personal Data in its possession or control, except to the extent that applicable law requires retention. StarZero will complete the return or deletion within 90 days of receiving Customer's instructions (or, if no instructions are received, within 90 days of termination). StarZero will certify deletion in writing upon Customer's request.

12.3 Retained Copies

To the extent StarZero is required by applicable law to retain any Personal Data, StarZero will (a) notify Customer of the retention requirement and the scope of the retained data, (b) continue to protect the retained data in accordance with this DPA, and (c) process the retained data only for the purposes required by law.

13. Face and Speaker Analysis

13.1 Nature of Processing

Within an individual video or processing job, the Services may use face detection, active-speaker detection, and speech diarization to associate a visible speaker with diarized speech. Face Embedding Data consists of transient mathematical vectors derived from visual analysis of video content and is discarded when the job completes. If a speaker identifies themself in Customer's content, the Services may change the corresponding transcript segments from a generic speaker label to that name. StarZero does not currently retain Face Embedding Data, face clusters, voiceprints, or voice models, or use them to match people across videos or libraries.

13.2 Biometric and Sensitive Data

StarZero does not compare Face Embedding Data to a public identity database or use it for identity verification or eligibility decisions. Customer acknowledges that certain jurisdictions may classify face-derived or voice-derived data as biometric data, sensitive personal data, or special category data. Customer is responsible for determining whether its use of face- or voice-enabled features triggers obligations under such legislation and for providing the notices and consents required when StarZero processes Personal Data on Customer's behalf.

13.3 Deletion

Face Embedding Data is discarded when the relevant processing job completes. Transcript and project labels generated from Customer's Inputs are deleted with the associated video in accordance with Section 12 of this DPA.

14. Duration and Termination

This DPA will remain in effect for as long as StarZero processes Personal Data on behalf of Customer. Termination of this DPA will not relieve either party of obligations that accrued before termination.

15. Governing Law

This DPA is governed by the law specified in the Agreement, except to the extent that Applicable Data Protection Law requires the application of a different governing law (in which case, that law applies to the extent required).

16. Contact

For questions about this DPA or to exercise rights under this DPA, contact us:

It Just Works, Inc. (dba StarZero)
51 Little Falls Drive
Wilmington, New Castle County, Delaware 19808
General privacy requests: [email protected]
Privacy contact: Paul Robert Cary, CEO — [email protected]

Annex 1: Details of Processing

Subject matter Processing of Personal Data by StarZero as necessary to provide the Services under the Agreement.
Duration For the duration of the Agreement, plus any retention period specified in Section 12.
Nature and purpose Video ingestion, indexing, and storage; multimodal search (visual, audio, and textual); AI-driven content editing, clipping, and remixing via Skills; speech-to-text transcription; per-video face detection, active-speaker detection, speech diarization, and transcript-label correction; and content publishing and distribution as directed by Customer.
Types of Personal Data Visual likenesses of individuals appearing in video content; voices and speech of individuals; names and other identifying information contained in video metadata, transcripts, or on-screen text; transient Face Embedding Data; speaker labels and other labels derived from Customer's Inputs; and any other personal data contained in Customer's Inputs.
Categories of Data Subjects Individuals appearing in or identifiable from Customer's video content, which may include Customer's employees, contractors, talent, interviewees, members of the public, and other individuals.
Special categories (if any) Face- and voice-derived data may be classified as biometric data or special category data under certain jurisdictions. No other special categories of personal data are intentionally processed unless Customer includes them in Inputs.

Annex 2: Technical and Organizational Security Measures

StarZero maintains the following security measures. These may be updated from time to time in accordance with Section 5.2 of this DPA.

StarZero maintains a security program appropriate to the nature of the processing and the risks to Data Subjects. The program includes administrative, technical, and physical measures addressing access management, confidentiality, data protection, network and application security, incident response, business continuity, personnel obligations, and vendor management. StarZero reviews and updates these measures as appropriate to its Services and applicable law.