Data Processing Agreement
The processor-side agreement that governs how Cuelist handles personal data uploaded by customers. Auto-applies to every paid customer; a counter-signed copy is available on request.
v1.0 · last updated 2026-05-19
01 Parties + scope
This Data Processing Agreement ("DPA") supplements the Terms of Service between Cuelist (the "Processor") and the customer organisation (the "Controller"). It applies to personal data processed on behalf of the Controller in connection with the Cuelist service.
Where Customer Content uploaded to Cuelist contains personal data relating to the Controller's employees, contractors, performers, or audience members, the Controller is the controller of that data and Cuelist is the processor. Capitalised terms used but not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679).
02 Subject matter, duration, nature, and purpose
Subject matter. Processing of personal data contained in Customer Content for the purpose of providing the Cuelist platform (script annotation, cue management, live collaboration, exports).
Duration. For the term of the Terms of Service + the post-termination retention windows specified in §08.
Nature. Storage, transmission, indexing, real-time relay, generation of derivative artifacts (thumbnails, page text extraction, exported PDFs), and operational diagnostics.
Purpose. Solely to provide the service to the Controller. We do not use Customer Content for our own analytics, model training, or marketing.
03 Categories of data + data subjects
Categories of personal data processed depend on what the Controller uploads, but typically include: names, email addresses, role within the production, performance schedules, and any annotations or comments authored by users in the Cuelist app.
Data subjects are typically: members of the Controller's organisation, performers and crew named in the script, and people referenced in annotations or comments.
04 Controller instructions
We process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by EU or member-state law (in which case we will inform the Controller before processing, where legally permitted).
The Controller's instructions are: the Terms, this DPA, and any additional documented instructions agreed in writing.
05 Confidentiality
We ensure that personnel authorised to process personal data are subject to confidentiality obligations (contractual or statutory) and have received appropriate training.
06 Security measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (Cloudflare R2 + D1 default at-rest encryption).
- Tenant isolation — every database query routes through a scoped wrapper that filters by organisation id; CI lints flag queries that bypass it.
- Role-based access control with least-privilege defaults and a three-layer permission model (org → project → layer).
- Audit logging of all administrative + lifecycle events on organisations, projects, layers, members, and billing.
- Secrets management via Cloudflare's KV-backed secret store; no secrets in source.
- Read-only soft-lock toggle to prevent accidental mid-show edits independent of RBAC.
- Defence-in-depth at the edge: rate limits on auth endpoints, signed-URL access for stored objects, signature-verified webhooks.
07 Sub-processors
The Controller authorises the use of the sub-processors listed below and on the Privacy Policy. We will give the Controller at least 30 days' prior notice of any new sub-processor (via the in-app inbox + billing contact email), during which the Controller may object on reasonable grounds and, failing resolution, terminate the affected portion of the service.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Application hosting (Workers), database (D1), object storage (R2), queues, KV, Durable Objects, transactional email delivery (the Workers send_email binding — invites, magic links, exports, billing notifications), consent-gated privacy-friendly web analytics (no cookies, no cross-site identifiers), and global edge delivery. | Global (with EU regional bias) |
| Stripe Payments Europe Ltd. | Subscription billing, payment processing, tax calculation, customer portal, and invoicing. | IE, US |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance tracing for the web app and live-collaboration service. Receives error traces and request metadata; not used for Customer Content. | US |
We have entered into written agreements with each sub-processor imposing data-protection obligations no less protective than those in this DPA.
08 International transfers
Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Module 2 — controller to processor) and any additional measures necessary to ensure an essentially equivalent level of protection. Sub-processor transfers are likewise covered by equivalent clauses.
09 Data subject rights
Taking into account the nature of the processing, we assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil obligations to respond to data subject requests under Articles 12–22 of the GDPR. Most requests can be self-served from /settings (export, delete). Where we receive a request directly, we will refer the data subject to the Controller and notify the Controller without undue delay.
10 Personal data breaches
We will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, with the information necessary for the Controller to meet its own notification obligations under Articles 33 and 34. Notice is sent to the billing contact's email address; subscribe additional contacts via /admin.
11 DPIAs + audits
On reasonable written request, we provide the Controller with the information needed to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. We may charge for time spent on audits beyond an annual reasonable allotment, except where required free of charge by applicable law.
12 Return + deletion of data
On termination, we delete or return all Customer Content as described in §08 of the Privacy Policy. The Controller may export data via the platform's export tooling at any time during the term.
13 Liability + governing law
Liability under this DPA is governed by the limitation-of-liability clause in the Terms. This DPA is governed by the same law as the Terms (Norway), with the parties' agreement that, where applicable mandatory data-protection law in the Controller's jurisdiction imposes stricter requirements, those requirements prevail.
14 Contact
Data-protection inquiries: privacy@cuelist.dev. To request a counter-signed copy of this DPA, email legal@cuelist.dev from the billing-contact address with your organisation slug.