Data Processing Agreement
Last Updated: April 22, 2026
Using This DPA
This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1 posted at commonpaper.com/standards/data-processing-agreement/1.1 (“DPA Standard Terms”), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
Key Terms
The key legal terms of the DPA are as follows:
Agreement
The ScreenCI Terms of Service accepted by the Customer on the Effective Date. This DPA is an addendum to, and forms an integral part of, said Terms of Service.
Approved Subprocessors
Cloudflare, Inc.
Country of location: United States.
Anticipated processing task: Hosting, content delivery, serverless infrastructure and object storage.
Convex, Inc.
Country of location: United States.
Anticipated processing task: Backend infrastructure, database services, application functions, and related data processing for the SaaS platform.
Clerk, Inc.
Country of location: United States.
Anticipated processing task: Authentication, user account management, login/session handling, and organization/workspace management.
Polar Software Inc.
Country of location: United States.
Anticipated processing task: Payment processing support, subscription billing, invoicing, tax-related billing data, and related customer/payment administration.
PostHog, Inc.
Country of location: United States / EU, depending on the configured hosting region.
Anticipated processing task: Website analytics, product analytics, and related service improvement.
Fly.io, Inc.
Country of location: United States.
Anticipated processing task: Rendering and processing infrastructure.
Google LLC
Country of location: United States.
Anticipated processing task: Text-to-speech and related AI voice generation services used to generate audio from customer-provided text/scripts.
Grafana Labs
Country of location: United States.
Anticipated processing task: Log aggregation, monitoring, observability, and operational alerting for the Service.
Provider Security Contact
Security Policy
See Annex II for Technical and Organizational Security Measures.
DPA Covered Claim
The Agreement includes additional Provider Covered Claims for any action, proceeding, or claim arising out of or relating to:
- Provider’s breach or alleged breach of the DPA, or
- Provider’s gross negligence or willful misconduct, in each case, that results in a Security Incident.
Service Provider Relationship
To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.
Restricted Transfers
Governing Member State
- EEA Transfers: Finland
- UK Transfers: England and Wales
Annex I(A) List of Parties
Data Exporter
- Name: the Customer signing this DPA
- Activities relevant to transfer: See Annex I(B)
- Role: Controller
Data Importer
- Name: the Provider signing this DPA
- Contact person: Olli Paloviita
- Contact email: [email protected]
- Address: Lauri Korpisen katu 6 F, Vantaa, Uusimaa 01370, FIN
- Activities relevant to transfer: See Annex I(B)
- Role: Processor
Annex I(B) Description of Transfer and Processing Activities
Service
The Service is:
ScreenCI is a cloud-based Software-as-a-Service (SaaS) platform designed to automate the post-production and deployment of software product video documentation. The Service enables users to transform raw recordings and associated execution data from software tests into finished video content.
The core capabilities of the Service include:
- Automated Video Processing: Processing and rendering of video material provided by the Customer, utilizing execution data to generate finalized product videos.
- AI-Enhanced Localization: Tools for the automated generation of audio narration and subtitles in multiple languages based on Customer-provided text or metadata.
- Content Hosting and Deployment: Hosting of rendered video files via a Content Delivery Network (CDN).
- Video Management Interface: A web-based interface for reviewing, organizing, and managing processed video assets and facilitating internal collaboration.
The Service is provided as a hosted solution. The Customer is responsible for recording the initial video material and associated timing data using tools supported by ScreenCI, and for uploading this material to the Service for processing. The Customer remains solely responsible for the maintenance of their own test environments, the execution of tests, and the definition of video content. As a continuously evolving SaaS platform, ScreenCI reserves the right to modify and enhance Service features to improve quality, provided that such updates do not materially diminish the core functionality of automating video documentation from provided recordings.
Categories of Data Subjects
- Customer’s end users or customers
- Customer’s employees
Categories of Personal Data
- Name
- Contact information such as email, phone number, or address
- Transactional information such as account information or purchases
- User activity and analysis such as device information or IP address
- Any personal data displayed within the Customer’s software user interface during the video rendering process (e.g., placeholder or actual user data in application screenshots/recordings)
Special Category Data
Is special category data (as defined in Article 9 of the GDPR) Processed?
No
Frequency of Transfer
Continuous
Nature and Purpose of Processing
- Receiving data, including collection, accessing, retrieval, recording, and data entry
- Holding data, including storage, organization, and structuring
- Using data, including analysis, consultation, testing, automated decision making, and profiling
- Updating data, including correcting, adaption, alteration, alignment, and combination
- Protecting data, including restricting, encrypting, and security testing
- Sharing data, including disclosure, dissemination, allowing access, or otherwise making available
- Erasing data, including destruction and deletion
Automated rendering and processing of customer-provided inputs to generate video content and hosting the resulting media files.
Duration of Processing
Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.
Annex I(C)
Competent Supervisory Authority
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Annex II
Technical and Organizational Security Measures
Pseudonymization and encryption of personal data
ScreenCI applies data separation and scoped identifiers within the Service, including organization-based identifiers and internal secrets for service-to-service access. Personal data and customer content are transmitted over encrypted network connections using HTTPS/TLS where the Service is deployed publicly. Where supported by our approved subprocessors and infrastructure providers, customer data is also encrypted at rest.
Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
ScreenCI relies on managed infrastructure and platform providers, including Cloudflare, Convex, Clerk, and other approved subprocessors, to support secure and resilient operation of the Service. Access to application functionality and customer data is restricted through authenticated sessions, bearer-token verification via Clerk for user-authenticated requests, custom secret-based header authentication for certain service and CLI flows, internal shared-secret header authentication for rendering-only service-to-service endpoints, environment-managed secrets, and organization-scoped access controls. The application also includes validation of required configuration and structured data models to reduce the risk of unauthorized or inconsistent processing.
Ability to restore the availability of and access to the Customer Personal Data in a timely manner following a physical or technical incident
ScreenCI uses managed cloud infrastructure and storage providers designed to provide service continuity and recovery capabilities. The application uses managed backend/database services to reduce the risk of data inconsistency following technical incidents. Recovery capabilities for infrastructure-level failures are supported in part by our approved subprocessors’ own backup, replication, and resilience controls.
User identification and authorization process and protection
ScreenCI uses Clerk for authentication and session management. Access to protected backend routes is verified using bearer tokens for user-authenticated requests, and application access is scoped to the authenticated user’s active organization/workspace. Certain service and CLI flows are protected using custom secret-based header authentication, and internal service-to-service endpoints are protected using separate internal shared-secret headers. Access to customer data is limited to authorized personnel and systems with a legitimate business need-to-know.
Protecting Customer Personal Data during transmission (in transit)
Customer Personal Data is transmitted using industry-standard encrypted transport protocols, including HTTPS/TLS, when users interact with the Service and when publicly deployed services communicate over the network. Authentication tokens and internal authorization secrets are required for access to protected endpoints.
Protecting Customer Personal Data during storage (at rest)
Customer content and related data are stored using managed cloud storage and backend providers, including Cloudflare R2 and Convex. Where supported by the relevant provider, data at rest is protected using the provider’s encryption and storage security controls. ScreenCI also uses logical access restrictions and organization-level data separation within the application.
Events logging
ScreenCI maintains application and operational logging for security, troubleshooting, and service reliability purposes. This includes system and error logging for backend processes and maintenance jobs, and logs may be generated and retained by ScreenCI and its infrastructure providers such as Cloudflare and other approved subprocessors.
Ensuring data minimization
ScreenCI is designed to process only the data needed to provide the Service, including account data, billing-related metadata, uploaded customer content, and related technical metadata required for rendering and service operation. Access to data is scoped by organization/workspace, and the Service avoids collecting unnecessary payment card data directly, relying instead on its billing provider for payment processing.
Allowing data portability and erasure
ScreenCI provides mechanisms to delete customer projects, videos, versions, and related stored assets. Deletion workflows are designed to remove corresponding application records and trigger storage deletion, including follow-up cleanup of pending deletions if an initial deletion attempt does not complete successfully. ScreenCI also supports responding to applicable data subject requests, including requests for erasure and data export/portability, in accordance with applicable law and the parties’ agreement.
Acceptance
Provider and Customer have not changed the DPA Standard Terms except for the details on the Cover Page above. By registering for an account, accessing the Product, or clicking to accept the ScreenCI Terms of Service, the Customer is deemed to have signed and accepted this DPA in its entirety. This DPA is effective as of the Effective Date of the Main Agreement (Terms of Service) between the Provider and the Customer.
PROVIDER: ScreenCI Oy (Ltd)
CUSTOMER: The legal entity or person accessing or using the Product (as identified in the Customer’s account settings or Order Form).