Data Processing Agreement
Last updated: February 2026
CastProof Inc. ("CastProof," "we," or "us") acts as the data controller for personal data processed through the CastProof platform. This Data Processing Agreement ("DPA") describes how we engage sub-processors to support our services and the safeguards we require to protect your data.
1. Introduction
CastProof acts as the data controller for personal data collected and processed through our platform. In providing our services, we engage third-party vendors who act as sub-processors. All sub-processors are bound by contractual obligations that meet or exceed applicable data protection requirements.
2. Sub-Processor List
The following table lists our current sub-processors, their purposes, locations, and the categories of data shared with each:
| Sub-Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Tavus Inc. | Video replica training | United States | Video likeness assets, training prompts, generated video outputs |
| HeyGen Inc. | Video avatar generation | United States | Likeness assets, scripts, generation parameters |
| ElevenLabs Inc. | Voice cloning | United States | Voice samples, text for synthesis, generation parameters |
| OpenAI | Video generation / script assist | United States | Prompts, scripts, generation parameters |
| Google Cloud / Veo | Video generation | United States | Video assets, prompts, generation parameters |
| Stripe Inc. | Payment processing / identity verification | United States | Payment details, billing information, KYC data for verification |
| Postmark | Email delivery | United States | Email addresses, email content, delivery metadata |
| Twilio | SMS verification | United States | Phone numbers, verification codes, SMS content |
| Cloudflare | CDN / security / CAPTCHA | United States | IP addresses, request metadata, CAPTCHA responses |
| Sentry | Error monitoring | United States | Error logs, stack traces, device/browser metadata |
| PostHog | Product analytics | United States / EU | Usage events, page views, feature interactions, anonymized identifiers |
3. Data Shared with Sub-Processors
The "Data Shared" column in the table above summarizes the categories of personal data transmitted to each sub-processor. We share only the minimum data necessary for each sub-processor to perform its designated function. We do not sell personal data to sub-processors or any third parties.
4. Security Requirements
All sub-processors must meet the following security requirements:
- Encryption: Encrypt data at rest and in transit using industry-standard protocols (e.g., TLS 1.2+ for transit, AES-256 or equivalent for data at rest).
- Access controls: Limit access to personal data to authorized personnel on a need-to-know basis.
- Data deletion: Delete or return personal data upon CastProof's request or upon termination of the sub-processing relationship.
- Breach notification: Notify CastProof of any personal data breach within 48 hours of discovery.
5. International Transfers
When personal data is transferred from the European Economic Area (EEA) or United Kingdom to countries outside those jurisdictions, we ensure appropriate safeguards are in place. For transfers to the United States and other non-adequate countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK authorities, as applicable.
6. Data Subject Rights
We fulfill data subject rights (access, rectification, erasure, restriction, portability, objection) in accordance with our Privacy Policy. When a request requires action by a sub-processor, we coordinate with that sub-processor to ensure the request is fulfilled within the timelines required by applicable law.
7. Sub-Processor Changes
We may add or replace sub-processors from time to time. We will provide at least 30 days' notice before adding a new sub-processor that will process personal data. If you object to a new sub-processor, you may terminate your use of the affected services within the notice period. Continued use after the notice period constitutes acceptance of the new sub-processor.
8. Contact Information
For questions about this Data Processing Agreement or our sub-processors, please contact us at:
- Email: privacy@castproof.com
- Website: castproof.com