Data Processing Agreement
Last updated: February 23, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Cherrium LLC (“Processor” or “CinePlan”) and the entity or individual agreeing to these terms (“Controller” or “Customer”) for the use of the CinePlan service.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by CinePlan on behalf of the Controller.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Data Protection Laws” means applicable data protection legislation including GDPR (EU), CCPA/CPRA (California), and equivalent laws in other jurisdictions.
- “Sub-processor” means a third-party service provider engaged by CinePlan to process Personal Data.
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data through the CinePlan service. CinePlan acts as the Processor, processing Personal Data only on documented instructions from the Controller (i.e., as necessary to provide the Service).
2.1 Categories of Data Subjects
- Controller's employees and authorized users
- Production contacts (crew, vendors, talent) entered by the Controller
2.2 Types of Personal Data
- Account data: name, email address
- Contact data: name, role, email, phone, company
- Production data: schedules, locations, equipment, notes
- Uploaded files: images, documents, scripts
3. Processor Obligations
CinePlan shall:
- Process Personal Data only as necessary to provide the Service and as instructed by the Controller.
- Implement appropriate technical and organizational measures to ensure security of Personal Data, including:
  - Encryption of data in transit (TLS/HTTPS)
  - Encryption of sensitive fields at rest (AES-256-GCM for contact emails, phones, and authentication secrets)
  - Bcrypt password hashing
  - Access controls and authentication
  - Rate limiting and abuse prevention
- Not process Personal Data for any purpose other than providing the Service, unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Assist the Controller in responding to data subject requests (access, correction, deletion, portability).
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice.
3.1 Instruction Compliance
If CinePlan believes that an instruction from the Controller infringes applicable Data Protection Laws, CinePlan will promptly inform the Controller and may suspend the relevant processing until the Controller provides revised instructions.
3.2 Sub-Processor Obligations
CinePlan ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. CinePlan remains fully liable for the acts and omissions of its sub-processors.
3.3 Data Protection Impact Assessments
CinePlan will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required by Data Protection Laws.
4. Sub-Processors
The Controller authorizes CinePlan to engage the following sub-processors. CinePlan will inform the Controller of any intended changes to sub-processors and provide the Controller an opportunity to object within 30 days. If the Controller objects on reasonable data protection grounds and CinePlan cannot accommodate the objection, the Controller may terminate the Service.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Neon Inc. | PostgreSQL database hosting | United States |
| Vercel Inc. | Application hosting and file storage | United States |
| Stripe Inc. | Payment processing | United States |
| OpenAI Inc. | AI feature processing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Upstash Inc. | Distributed rate limiting | United States |
| Cloudflare Inc. | Bot protection | United States |
| Liveblocks Inc. | Real-time collaboration | United States |
5. International Transfers
All Personal Data is processed and stored in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, CinePlan relies on its sub-processors' Standard Contractual Clauses (SCCs) and any applicable adequacy decisions.
6. Data Breach Notification
CinePlan will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach that is likely to result in a risk to the rights and freedoms of data subjects. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.
7. Data Subject Rights
CinePlan provides the following self-service tools to support data subject rights:
- Access & Portability: “Download My Data” feature in Settings exports all personal data as JSON.
- Correction: Profile and production data are editable through the application UI.
- Deletion: Account deletion (Settings → Danger Zone) permanently removes all user data, including productions, contacts, and uploaded files.
For requests that cannot be fulfilled through self-service, contact hello@cherrium.com.
8. Audits
CinePlan will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
9. Term and Termination
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, CinePlan will delete all Personal Data within 30 days, unless retention is required by law.
10. Acceptance
By using the CinePlan service, you accept this DPA as part of the Terms of Service. For questions or to request a signed copy, contact hello@cherrium.com.
See also: Privacy Policy