Data Processing Agreement

The Processor provides video processing services (removing background music to produce clear speech for educational purposes). The Processor will only process personal data on behalf of the Controller in accordance with this DPA.

• "Personal Data" means any information relating to an identified or identifiable person.
• "Processing" means any operation performed on personal data (collection, storage, use, deletion).
• "Controller" means the party determining the purposes and means of processing personal data.
• "Processor" means the party processing personal data on behalf of the Controller.
• "Applicable Laws" include the General Data Protection Regulation (GDPR), UK GDPR, FERPA, COPPA, and other relevant privacy laws.

• The Controller is responsible for ensuring a lawful basis for processing (e.g., parental consent, school authorization, educational use exemptions).
• The Processor acts only on documented instructions from the Controller and does not determine purposes or means of processing.

• Categories of data: Uploaded video/audio files, user account data (email, name), technical logs and metadata.
• Purpose: Processing to remove background music and deliver clear speech for instructional use.
• Duration: Data retained only for the duration necessary to provide the Service and as set by retention policy ([X days] after completion).

The Processor shall:

• Maintain confidentiality; staff and contractors are bound by confidentiality obligations.
• Implement technical and organizational measures to ensure security (encryption, access controls, secure AWS hosting).
• Assist the Controller in responding to requests from data subjects (students, parents, or other individuals).

The Controller shall:

• Ensure a lawful basis for processing, particularly when student data is involved.
• Provide accurate and lawful instructions to the Processor.
• Remain responsible for compliance with FERPA, COPPA, and other applicable laws.

The Processor will assist the Controller, upon request, with:

• Access, correction, or deletion of personal data.
• Data portability or restriction of processing requests.

All such requests must be directed by the Controller; the Processor will not respond directly to end-users unless legally required.

In the event of a personal data breach, the Processor will notify the Controller without undue delay, providing sufficient details to enable the Controller to comply with its legal obligations.

Personal data may be transferred to and processed in the United States. Where required by law, such transfers will rely on appropriate safeguards (e.g., Standard Contractual Clauses for EU/UK users).

• Uploaded and processed files are automatically deleted after [X days] of order completion.
• Upon termination of the Service or written request by the Controller, the Processor will delete or return personal data, unless retention is required by law.

The Controller may request reasonable documentation or certifications demonstrating the Processor's compliance with this DPA. The Processor may limit disclosure to protect security and confidentiality.

• The Processor is liable only for breaches of its obligations under this DPA.
• The Controller is responsible for obtaining valid consent or ensuring other lawful grounds for processing.

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the Processor will delete or return all personal data as specified in Section 10.

Questions about this DPA may be directed to:

• Email: dpa@ezaalah.com
• Address: Durham, NC 27703, USA