This Data Processing Agreement ("DPA") forms part of the agreement between Customer (the "Controller") and Cutoverstream LLC (the "Processor") for the use of the CutoverStream Service. It satisfies the requirements of GDPR Article 28 for processing of personal data on behalf of the Controller.
1. Definitions
In this DPA, the following terms have the meanings given below:
- "Controller" means the Customer who determines the purposes and means of processing personal data.
- "Processor" means Cutoverstream LLC, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the natural person whose Personal Data is being processed.
- "GDPR" means the EU General Data Protection Regulation 2016/679.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
2. Subject Matter & Duration
This DPA governs the processing of Personal Data by Cutoverstream LLC on behalf of the Customer in connection with the provision of the CutoverStream Service as described in the Terms of Service.
This DPA is effective for the duration of the subscription agreement and terminates upon expiration or termination of the Customer's account, subject to the data retention provisions in Section 9.
3. Nature, Purpose & Categories of Data Processed
| Category | Examples | Purpose |
|---|---|---|
| User Identity | Names, email addresses, usernames | Authentication, account management |
| Professional Data | Job titles, team names, phone numbers | User profile and collaboration features |
| Project Data | Cutover plan content, task assignments, comments | Core Service functionality |
| Usage Data | Login times, feature usage, API calls | Service operation and improvement |
| Technical Data | IP addresses, session tokens, error logs | Security and troubleshooting |
The Controller is responsible for ensuring that the Personal Data submitted to the Service is lawfully collected and that data subjects have been informed of processing in accordance with applicable law.
4. Obligations of the Processor
Cutoverstream LLC, as Processor, agrees to:
- Process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA), unless required by law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 7)
- Respect the conditions for engaging sub-processors (see Section 5)
- Assist the Controller in responding to data subject requests (see Section 6)
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation)
- Delete or return all Personal Data upon termination of the agreement (see Section 9)
- Provide all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Controller provides general authorization for Cutoverstream LLC to engage the following sub-processors:
| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure, database, CDN | United States / Global | All Customer Data |
| Clerk, Inc. | Authentication & identity | United States | User identity data |
| Stripe, Inc. | Payment processing | United States | Billing & payment data |
| Resend, Inc. | Email delivery | United States | Email addresses, notification content |
| Functional Software (Sentry) | Error monitoring | United States | Technical error data |
| Anthropic, PBC | AI narrative generation | United States | Project data (only when AI feature used) |
Cutoverstream LLC will notify the Controller of any intended addition or replacement of sub-processors with at least 14 days' notice, giving the Controller the opportunity to object. Each sub-processor is bound by data processing terms providing equivalent protections to this DPA.
6. Data Subject Rights
If Cutoverstream LLC receives a request from a data subject exercising their rights under GDPR (access, rectification, erasure, portability, restriction, or objection), we will:
- Forward the request to the Controller without undue delay if the Controller is better positioned to respond
- Provide reasonable technical assistance to the Controller in fulfilling the request
- Not respond directly to the data subject on behalf of the Controller without authorization
Data subjects may also submit requests directly to privacy@cutoverstream.com and we will coordinate with the appropriate Controller.
7. Technical & Organizational Security Measures
Cutoverstream LLC implements the following measures in accordance with GDPR Article 32:
- Encryption in transit: All data transmitted over HTTPS/TLS 1.2+
- Encryption at rest: Data stored in Cloudflare D1 (encrypted at rest by Cloudflare)
- Access controls: Role-based access control (RBAC) with principle of least privilege
- Authentication: Multi-factor authentication available; bcrypt password hashing; signed JWT sessions
- Monitoring: Real-time error monitoring via Sentry; audit logs maintained for all data access events
- Data isolation: Multi-tenant architecture with row-level org_id and plan_id scoping on all queries
- Vendor security: All sub-processors maintain SOC 2 Type II certification or equivalent
- Vulnerability management: Regular security reviews; dependencies monitored via automated tooling
8. Data Breach Notification
In the event of a Personal Data breach, Cutoverstream LLC will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide all information available regarding the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
- Document all breaches in accordance with GDPR Article 33(5)
The Controller is responsible for notifying the relevant supervisory authority and affected data subjects where required by law.
9. Return & Deletion of Data
Upon termination of the agreement, Cutoverstream LLC will:
- Retain Customer Data for a period of 30 days to allow data export
- Provide the Controller with tools to export all Customer Data in JSON format during this period
- Permanently delete all Customer Data after the 30-day retention period
- Upon request, provide written confirmation of deletion
Billing records required by law (typically 7 years) are retained in accordance with applicable tax regulations, with only the minimum necessary data retained.
10. Audit Rights
Cutoverstream LLC will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections, with at least 30 days' written notice, no more than once per calendar year, and at the Controller's expense.
Audits must be conducted during business hours and must not unreasonably disrupt Cutoverstream LLC's operations. The Controller agrees to treat all audit findings as confidential.
11. International Data Transfers
Customer Data is processed primarily in the United States. For transfers of Personal Data from the EEA or UK to the United States, Cutoverstream LLC relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission.
By accepting this DPA, the parties are deemed to have entered into the Module Two (Controller to Processor) Standard Contractual Clauses, which are incorporated herein by reference.
12. Governing Law
This DPA is governed by the laws of the State of North Carolina, United States, consistent with the Terms of Service, except where EU/UK GDPR requirements mandate otherwise.
Agreement Execution
This DPA is entered into automatically upon acceptance of the CutoverStream Terms of Service. For enterprise customers requiring a countersigned DPA for their records, contact legal@cutoverstream.com.
Need a countersigned DPA?
Email legal@cutoverstream.com with your organization details and we will provide a signed copy within 5 business days.