Last updated: April 17, 2026
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service (the “Agreement”) between The FilmAI GmbH, Drehbrückenstraße 5-11, 44147 Dortmund, Germany (“Storyboarder.ai,” “Processor,” “we”) and the customer identified in the Agreement (“Customer,” “Controller,” “you”).
This DPA applies to the extent that Storyboarder.ai processes Personal Data on behalf of Customer in the course of providing the Services. Where Storyboarder.ai processes Personal Data as Controller in its own right (e.g., account, billing, and usage data relating to Customer’s users), such processing is governed exclusively by our Privacy Policy and is outside the scope of this DPA.
By registering for an account, activating a free plan, or purchasing a subscription, Customer enters into this DPA with Storyboarder.ai. No separate signature is required; this DPA takes effect automatically when the Agreement takes effect.
1.1 Unless otherwise defined in this DPA, capitalized terms have the meaning given in the Agreement. The terms “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Supervisory Authority,” and “Personal Data Breach” have the meaning given in Art. 4 GDPR.
1.2 “Applicable Data Protection Law” means Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and any other data protection or privacy laws applicable to the Processing of Personal Data under this DPA.
1.3 “Customer Data” means any data, including Personal Data, that Customer or Customer’s authorized users upload to, store in, or otherwise process through the Services.
1.4 “Services” means the Storyboarder.ai software-as-a-service tool as described in the Agreement.
1.5 “Sub-processor” means any third party engaged by Storyboarder.ai to process Customer Data on behalf of Customer.
1.6 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by the European Commission in Decision 2021/914 for the transfer of Personal Data to third countries.
2.1 The Parties acknowledge that in relation to Customer Data, Customer is the Controller and Storyboarder.ai is the Processor.
2.2 Storyboarder.ai shall process Customer Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and any reasonable subsequent written instructions, except where required to do so by applicable law. In such a case, Storyboarder.ai shall inform Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
2.3 Storyboarder.ai shall immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
2.4 Nothing in this DPA releases Customer from its own obligations as Controller under Applicable Data Protection Law, including the obligation to ensure a valid legal basis for the Processing of Personal Data, to respond to Data Subjects’ requests, and to conduct a Data Protection Impact Assessment where required.
3.1 Subject matter. The Processing under this DPA relates to the provision of the Services, including AI-powered generation of storyboards, images, and videos from scripts and other inputs uploaded by Customer.
3.2 Nature of Processing. Collection, storage, structuring, organization, retrieval, consultation, transmission, analysis, transformation (including through AI models), backup, restriction, erasure, and destruction of Customer Data.
3.3 Purpose. To provide, maintain, operate, secure, troubleshoot, and improve the Services for Customer in accordance with the Agreement.
3.4 Duration. Processing continues for the term of the Agreement plus any additional period required for deletion or return of Customer Data pursuant to Section 11.
3.5 Categories of Data Subjects. Data Subjects whose Personal Data may be processed include, depending on Customer’s use of the Services: cast and crew, clients of Customer, real persons referenced in Customer’s scripts or uploads, image subjects used as references, end users of Customer, and any other individuals whose Personal Data Customer chooses to upload or input.
3.6 Categories of Personal Data. Depending on Customer’s use of the Services, categories may include: names, professional contact data, photographic likenesses, voice recordings, biographical or narrative descriptions, and any further Personal Data contained in Customer’s scripts, prompts, reference materials, metadata, or project descriptions.
3.7 Special categories of Personal Data. Customer acknowledges that the Services are not designed or intended for the Processing of special categories of Personal Data within the meaning of Art. 9 GDPR or data relating to criminal convictions and offenses within the meaning of Art. 10 GDPR. Where Customer nonetheless processes such data through the Services, Customer warrants that it has a valid legal basis for doing so and assumes sole responsibility for compliance.
Storyboarder.ai shall:
4.1 Process Customer Data only on documented instructions from Customer in accordance with Section 2.2;
4.2 Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.3 Implement and maintain the technical and organizational measures set out in Annex 1 to ensure a level of security appropriate to the risk;
4.4 Respect the conditions set out in Sections 6 and 7 for engaging Sub-processors;
4.5 Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of Customer’s obligation to respond to Data Subjects’ requests under Chapter III of the GDPR;
4.6 Assist Customer in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of the Processing and the information available to Storyboarder.ai;
4.7 At the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services, and delete existing copies, in accordance with Section 11;
4.8 Make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, in accordance with Section 8.
5.1 Storyboarder.ai shall not use Customer Data — including scripts, prompts, images, videos, or metadata — to train, fine-tune, or otherwise improve any artificial intelligence or machine learning models, whether operated by Storyboarder.ai or any third party, including Sub-processors.
5.2 Storyboarder.ai shall contractually ensure that all AI and model-provider Sub-processors that process Customer Data operate with training on Customer Data disabled (e.g., via business-tier API settings, enterprise agreements, or equivalent contractual safeguards).
5.3 This commitment applies to all Customer accounts regardless of subscription tier and survives termination of the Agreement in respect of any Customer Data retained by Storyboarder.ai or any Sub-processor.
6.1 Customer grants Storyboarder.ai general written authorization to engage Sub-processors, provided that Storyboarder.ai complies with the conditions of this Section 6.
6.2 The Sub-processors engaged by Storyboarder.ai as of the effective date of this DPA are listed in Annex 2.
6.3 Storyboarder.ai shall impose on each Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
6.4 Storyboarder.ai shall remain fully liable to Customer for the performance of each Sub-processor’s obligations.
6.5 Changes to Sub-processors. Storyboarder.ai shall notify Customer at least thirty (30) days in advance of the addition or replacement of any Sub-processor by updating the Sub-processor list referenced in Section 6.2 and by notification via email to Customer’s account email address or via an in-product notification.
6.6 Right to object. Customer may object to the engagement of a new Sub-processor on reasonable data protection grounds within fifteen (15) days of notification. In such a case, the Parties shall work together in good faith to resolve the objection. If no resolution is reached, Customer may, as its sole remedy, terminate the affected Services by written notice to Storyboarder.ai with effect at the end of the notice period, and Storyboarder.ai shall refund any prepaid fees for the Services covering the period after termination.
7.1 Customer acknowledges that Storyboarder.ai and its Sub-processors may process Customer Data in countries outside the European Economic Area, including the United States.
7.2 Where Personal Data is transferred to a country outside the EEA that is not the subject of an adequacy decision pursuant to Art. 45 GDPR, Storyboarder.ai shall ensure that an appropriate safeguard within the meaning of Art. 46 GDPR is in place, in particular:
7.3 The Parties agree that for purposes of the SCCs:
7.4 Storyboarder.ai shall, upon reasonable request, provide Customer with a Transfer Impact Assessment summary for material international transfers.
8.1 Storyboarder.ai shall make available to Customer, upon reasonable request and no more than once per calendar year (except where required by a Supervisory Authority or following a material Personal Data Breach), the information necessary to demonstrate compliance with this DPA and Art. 28 GDPR.
8.2 Storyboarder.ai’s obligation under Section 8.1 shall be fulfilled primarily through the provision of up-to-date third-party certifications, audit reports, security questionnaires (e.g., completed CAIQ), or summaries of internal audits, to the extent available.
8.3 Where, in Customer’s reasonable opinion, the information provided under Section 8.2 is insufficient, Customer may conduct an on-site audit on the following conditions: (a) at least thirty (30) days’ prior written notice; (b) during normal business hours; (c) in a manner that does not unreasonably interfere with Storyboarder.ai’s business operations; (d) at Customer’s cost, except where the audit reveals a material breach of this DPA by Storyboarder.ai, in which case Storyboarder.ai shall bear its own costs; (e) subject to a confidentiality agreement protecting Storyboarder.ai’s and its customers’ confidential information; and (f) limited to information reasonably required to verify compliance with this DPA.
8.4 Audits may be conducted by Customer or by an independent qualified third-party auditor mandated by Customer, provided the auditor is not a competitor of Storyboarder.ai.
9.1 Storyboarder.ai shall notify Customer of a Personal Data Breach affecting Customer Data without undue delay, and in any event within seventy-two (72) hours after becoming aware of it, by email to Customer’s account email address or through an in-product notification.
9.2 The notification shall contain, to the extent known at the time of notification:
9.3 Where and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
9.4 Storyboarder.ai’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgement of any fault or liability.
10.1 Storyboarder.ai shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects seeking to exercise their rights under Chapter III of the GDPR.
10.2 If Storyboarder.ai receives a request from a Data Subject seeking to exercise rights in respect of Customer Data, Storyboarder.ai shall (a) not respond to the request directly without Customer’s prior authorization, and (b) promptly forward the request to Customer.
10.3 Customer shall be responsible for reimbursing Storyboarder.ai for reasonable and documented costs arising from assistance under this Section 10 beyond the standard self-service functionality provided within the Services.
11.1 Upon termination or expiry of the Agreement, Storyboarder.ai shall, at Customer’s choice, delete or return all Customer Data to Customer, and delete existing copies, unless applicable law requires storage of the Personal Data.
11.2 Customer may export Customer Data using the export functionality within the Services at any time during the term of the Agreement and for a period of thirty (30) days following termination.
11.3 Storyboarder.ai shall delete Customer Data within thirty (30) days of termination or of Customer’s written deletion request, whichever is earlier, save for Personal Data that Storyboarder.ai is required to retain under applicable law (in particular tax and commercial retention periods under German law, currently up to ten years). Any such retained data shall be subject to the confidentiality and security obligations of this DPA for as long as it is retained.
11.4 Backups containing Customer Data shall be deleted in accordance with Storyboarder.ai’s standard backup rotation cycle, not exceeding ninety (90) days from termination.
11.5 Upon written request, Storyboarder.ai shall confirm deletion in writing.
12.1 The limitations and exclusions of liability set out in the Agreement shall apply to each Party’s liability arising out of or in connection with this DPA.
12.2 Nothing in this DPA excludes or limits a Party’s liability to Data Subjects under Art. 82 GDPR or to Supervisory Authorities under Applicable Data Protection Law, to the extent such limitation or exclusion is not permitted by law.
13.1 This DPA takes effect on the effective date of the Agreement and continues until the Agreement terminates.
13.2 Provisions which by their nature are intended to survive termination — including Sections 4.7, 5, 9, 11, 12, and 14 — shall survive termination of this DPA.
14.1 Order of precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail in relation to matters of Personal Data protection. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail in relation to international transfers.
14.2 Amendments. Storyboarder.ai may amend this DPA from time to time as reasonably required to reflect changes in Applicable Data Protection Law, guidance from Supervisory Authorities, certifications, or material changes to the Services. Material amendments require at least thirty (30) days’ notice to Customer.
14.3 Governing law and jurisdiction. This DPA is governed by the law of the Federal Republic of Germany, excluding its conflict of laws rules. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Dortmund, Germany, to the extent permitted by law.
14.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14.5 Contact. Questions concerning this DPA or data protection matters generally may be directed to info@storyboarder.ai.
Storyboarder.ai implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR. Measures are reviewed and updated regularly and may be updated over time, provided that the overall level of security is not materially diminished.
Access control (physical). Customer Data is processed in data centers operated by our infrastructure Sub-processors (see Annex 2). Physical access control is the responsibility of those Sub-processors and is certified under recognized industry standards (e.g., ISO 27001, SOC 2).
Access control (logical / system). Access to production systems is restricted to authorized personnel on a need-to-know basis. Authentication requires strong passwords and multi-factor authentication (MFA) for administrative access. Access is reviewed on a regular basis and revoked upon role change or termination.
Access control (data). Role-based access control (RBAC) is implemented at the application level. Customer Data is logically separated between tenants. Administrative access to Customer Data is limited to a defined group of personnel and is logged.
Pseudonymization and encryption.
Input control. Actions affecting Customer Data (creation, modification, deletion) are logged with user identifier and timestamp. Administrative actions on production systems are logged separately.
Transmission control. External data transmission is encrypted. Internal service-to-service communication uses authenticated channels.
Backups. Regular automated backups of Customer Data are performed. Backups are encrypted and stored separately from primary systems. Backup restoration is tested periodically.
Disaster recovery and business continuity. Storyboarder.ai maintains a documented incident response and business continuity plan. Infrastructure is deployed in redundant configurations where provided by the underlying Sub-processor.
Availability monitoring. Production systems are continuously monitored for availability and performance. Service status is published at https://status.storyboarder.ai.
Vulnerability management. Dependencies and infrastructure are scanned for known vulnerabilities on a regular basis. Critical vulnerabilities are remediated in accordance with a defined severity and timeframe matrix.
Secure software development. Changes to production systems follow a defined software development lifecycle including code review, automated testing, and staged deployment.
Penetration testing. Independent penetration tests are performed on a periodic basis, at least once per year for material changes to the Services.
Confidentiality obligations. All personnel with access to Customer Data are bound by written confidentiality obligations that survive termination of employment.
Training. Personnel receive data protection and information security awareness training upon onboarding and periodically thereafter.
Data protection governance. Storyboarder.ai has designated a contact point for data protection matters reachable at info@storyboarder.ai. Compliance with this DPA and Applicable Data Protection Law is reviewed on a regular basis.
Sub-processor management. Sub-processors are selected based on a review of their technical, organizational, and contractual data protection safeguards. Written contracts imposing data protection obligations consistent with this DPA are concluded with each Sub-processor.
Incident response. A documented incident response process is in place, including procedures for detection, escalation, containment, notification, and post-incident review.
Data minimization and retention. Customer Data is retained only for as long as necessary for the purposes set out in this DPA and is deleted or anonymized in accordance with Section 11.
As set out in Section 5, Customer Data is not used to train, fine-tune, or improve AI or machine learning models. This is enforced both by Storyboarder.ai’s internal practices and by contractual arrangements with model-provider Sub-processors.
The following Sub-processors are engaged by Storyboarder.ai as of the effective date of this DPA.
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Railway Corp. | Application hosting, compute, managed databases | USA | SCCs |
| Amazon Web Services, Inc. / AWS EMEA SARL | Cloud infrastructure, object storage, compute | EU and USA | EU–U.S. DPF and/or SCCs |
| Google LLC / Google Cloud EMEA Limited | Cloud infrastructure, managed services | EU and USA | EU–U.S. DPF and/or SCCs |
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| OpenAI, L.L.C. | Text/script analysis, prompt generation | USA | EU–U.S. DPF and/or SCCs |
| Features and Labels Inc. (fal.ai) | Image and video generation | USA | SCCs |
| Replicate, Inc. | Image and video generation (hosted AI models) | USA | SCCs |
| Stability AI Ltd. | Image generation | United Kingdom | UK adequacy decision |
All AI and model Sub-processors listed above are contractually bound not to use Customer Data for training, fine-tuning, or improvement of their models, in accordance with Section 5 of this DPA.
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Functional Software, Inc. (d/b/a Sentry) | Error and performance monitoring | USA | EU–U.S. DPF and/or SCCs |
| PostHog Inc. | Product analytics, feature usage telemetry | European Union | Not applicable (intra-EEA) |
| Better Stack s.r.o. | Infrastructure logging, uptime monitoring | European Union (Czech Republic) | Not applicable (intra-EEA) |
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Intercom R&D Unlimited Company / Intercom, Inc. | Customer support messaging, help center | Ireland and USA | EU–U.S. DPF and/or SCCs |
| Resend (Mach Labs, Inc.) | Transactional email delivery | USA | SCCs |
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Stripe Payments Europe Limited / Stripe, Inc. | Subscription billing, payment processing | Ireland and USA | EU–U.S. DPF and/or SCCs |
This DPA is drafted in English. In case of any translation provided for convenience, the English version shall prevail.