Last updated: February 9, 2026
1. Parties & Scope
This Data Processing Agreement ("DPA") is entered into pursuant to Art. 28(3) GDPR between:
- Data Controller ("Controller"): The customer who has entered into a service agreement with Strana for use of the Rundown platform.
- Data Processor ("Processor"): Strana UG (haftungsbeschränkt), Schackstr. 1, c/o Kleinhempel & Partner, 80539 München, Germany.
This DPA supplements and forms part of the Terms and Conditions and governs the Processor's processing of personal data on behalf of the Controller in connection with the Rundown platform.
2. Processing Details
Subject Matter & Duration
The processing concerns the provision of AI-powered screencast recording services and continues for the duration of the service agreement plus the data retention period specified in our Privacy Policy.
Nature & Purpose
Processing includes storage, organization, retrieval, and transmission of data as necessary to provide the Rundown screencast recording service, including replication of authenticated browser sessions.
Types of Personal Data
- Account data (name, email)
- Screencast recordings and associated metadata
- URLs and instructions submitted for recording
- Browser session data (cookies, localStorage, sessionStorage) submitted via extension or manually
- Usage and technical data (IP addresses, session logs)
- Payment and billing information
Categories of Data Subjects
- Controller's employees and authorized users
- End users whose data may appear in recorded screencasts (as determined by Controller)
3. Security Measures (Art. 32 GDPR)
The Processor implements the following technical and organizational measures:
Encryption
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Encrypted backups with separate key management
Access Control
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Principle of least privilege
- Regular access reviews
Infrastructure
- EU-hosted infrastructure (AWS Frankfurt, EU-West-1)
- Network isolation and firewalls
- Intrusion detection and monitoring
- Automated vulnerability scanning
Personnel
- Confidentiality agreements for all staff
- Regular data protection training
- Background checks for personnel with access to personal data
4. Sub-processors (Art. 28(2), (4) GDPR)
The Controller grants general authorization for the Processor to engage the following sub-processors:
- Amazon Web Services (AWS) — Cloud hosting, storage, compute — EU (Frankfurt)
- Stripe — Payment processing — EU / US
The Processor will notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors. The Controller may object to such changes within 14 days. If a reasonable objection cannot be resolved, the Controller may terminate the agreement.
All sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.
5. International Transfers (Arts. 44-50 GDPR)
- EU Primary Processing: All core data processing, including screencast recording and storage, is performed within the EU (AWS Frankfurt).
- US Transfers: Limited to payment processing via Stripe, which is certified under the EU-US Data Privacy Framework.
- Safeguards: Where transfers to third countries occur, they are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, by adequacy decisions under the EU-US Data Privacy Framework (DPF).
- Transfer Impact Assessments: The Processor conducts transfer impact assessments for all international data transfers and implements supplementary measures where necessary.
6. Controller Obligations
The Controller is responsible for:
- Legal Basis (Art. 6): Ensuring a valid legal basis exists for the processing of personal data, including any personal data contained in recorded screencasts or submitted browser session data.
- Transparency (Arts. 13-14): Informing data subjects about the processing of their personal data, including the use of Strana as a processor.
- Data Protection Impact Assessment: Conducting DPIAs where required by Art. 35 GDPR, particularly for processing that involves recording of third-party web applications.
- Rights of Data Subjects: Handling data subject requests and informing the Processor where assistance is required.
- Session Data: Ensuring appropriate authorization for any browser session data submitted to the platform, including third-party authentication tokens.
7. Processor Obligations (Art. 28(3)(a-h) GDPR)
The Processor shall:
- Instructions Only: Process personal data only on documented instructions from the Controller, unless required by EU or member state law.
- Confidentiality: Ensure that all persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation.
- Security: Implement and maintain the technical and organizational measures described in Section 3.
- Sub-processing: Only engage sub-processors in accordance with Section 4 and impose equivalent data protection obligations.
- Assistance: Assist the Controller in responding to data subject requests and in ensuring compliance with Arts. 32-36 GDPR.
- Deletion/Return: At the Controller's choice, delete or return all personal data upon termination of services, as described in Section 9.
- Audit Support: Make available all information necessary to demonstrate compliance and allow for audits as described in Section 10.
- Notification: Immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other data protection provisions.
8. Breach Notification (Arts. 33-34 GDPR)
- Notification Timeline: The Processor will notify the Controller of any personal data breach without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Initial Report: The initial notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Final Report: A comprehensive final report will be provided as soon as reasonably practicable, including root cause analysis and remediation steps.
- Cooperation: The Processor will cooperate with the Controller in investigating and remediating the breach and in fulfilling notification obligations to supervisory authorities and data subjects.
9. Data Deletion (Art. 28(3)(g) GDPR)
Upon termination of the service agreement:
- Data Export: The Controller has 30 days from termination to export its data via the platform or by request to privacy@strana.ai.
- Production Deletion: After the 30-day export period, all Controller data is deleted from production systems.
- Backup Deletion: Data is removed from backup systems within 90 days of production deletion.
- Certification: Upon request, the Processor will provide written confirmation that data deletion has been completed.
10. Audit Rights (Art. 28(3)(h) GDPR)
- Right to Audit: The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA.
- Frequency: Audits may be conducted up to once per year, with reasonable advance notice (minimum 30 days).
- Alternatives: In lieu of on-site audits, the Controller may review relevant third-party certifications and audit reports (e.g., SOC 2 Type II, ISO 27001) maintained by the Processor.
- Costs: Each party bears its own costs for audits, unless the audit reveals material non-compliance, in which case the Processor bears reasonable audit costs.
- Confidentiality: Audit findings are treated as confidential information by both parties.
11. Liability & Governing Law
- Liability (Art. 82 GDPR): Each party is liable for damages caused by processing that infringes the GDPR. The Processor is liable only for damages caused by processing that does not comply with the Processor's obligations under GDPR or this DPA.
- Indemnification: Each party will indemnify the other for any fines, damages, or costs arising from the indemnifying party's breach of this DPA or the GDPR.
- Governing Law: This DPA is governed by the laws of the Federal Republic of Germany.
- Jurisdiction: The exclusive place of jurisdiction is Munich, Germany.