Data Processing Agreement

Last updated on June 2, 2026

Data Processing Addendum (DPA)

Last updated: 12/05/2026

This Data Processing Addendum (“DPA”) forms part of the HyperFake Terms of Service and governs the processing of personal data carried out by BLAUMAR MEDIA LABS, S.L. (“HyperFake”) on behalf of the client when, in the context of the contracted services, HyperFake acts as processor and the client acts as controller.

1. Purpose

This DPA governs the conditions under which HyperFake will process personal data on behalf of the client in connection with the provision of the contracted services.

2. Roles of the parties

For the purposes of this DPA:

  • the client shall act as controller, to the extent that it determines the purposes and means of the processing of the personal data covered by the service;

  • HyperFake shall act as processor, to the extent that it processes such personal data on behalf of the client for the provision of the contracted service.

If, in any specific processing activity, the client also acts as processor for a third party, it represents and warrants that it is duly authorised to instruct HyperFake and to enter into this DPA.

3. Term

This DPA shall apply from the date on which it becomes applicable under the Terms of Service and shall remain in force while HyperFake processes personal data on behalf of the client in connection with the contracted services.

4. Nature and purpose of the processing

HyperFake may process personal data on behalf of the client for the purpose of providing the contracted services, including, where applicable:

  • access to and management of the account;

  • hosting and storage of project materials;

  • organisation of assets and content;

  • execution of onboarding, briefing, creative work, production and delivery;

  • management of feedback, validations and reviews;

  • technical support and customer service;

  • security measures, abuse prevention and service maintenance;

  • and any other operations necessary for the proper provision of the contracted service.

5. Categories of data subjects and types of data

Personal data processed by HyperFake on behalf of the client may include, depending on the client’s use of the service:

a) Categories of data subjects

  • employees, collaborators or representatives of the client;

  • clients, users or leads of the client;

  • suppliers or collaborators of the client;

  • talent, voice, image or identifiable persons included in materials uploaded by the client;

  • and any other person whose personal data the client incorporates into the service under its responsibility.

b) Types of data

  • identification data;

  • contact data;

  • written, visual, sound or audiovisual materials;

  • comments, instructions, feedback and project content;

  • metadata associated with use of the service;

  • and any other personal data incorporated by the client or processed on its behalf within the scope of the contracted service.

HyperFake will not process special categories of personal data unless this is strictly necessary for the provision of the service, the client has expressly authorised it and there is a sufficient legal basis for doing so.

6. Documented instructions

HyperFake shall process personal data only on documented instructions from the client, unless required to do so by European Union or Member State law. In such a case, HyperFake shall inform the client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

The client’s instructions shall be deemed to be incorporated, among other things, in the Terms of Service, this DPA, the configuration of the service used by the client and any additional documented instructions compatible with the contracted services.

HyperFake may reject any instruction that, in its reasonable judgment, infringes applicable law or exceeds the scope of the contracted services.

7. Confidentiality

HyperFake shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. Security measures

HyperFake shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.

Such measures may include, where appropriate:

  • access control to systems and services;

  • authentication and credential management;

  • encryption or pseudonymisation where appropriate;

  • integrity, availability and resilience measures;

  • event logging and monitoring;

  • security incident management;

  • access and permission segmentation;

  • and reasonable backup, restoration and continuity procedures.

The GDPR requires the processor to implement appropriate security measures and for the processing contract to include that commitment.

9. Sub-processors

The client authorises HyperFake to engage third-party sub-processors for the provision of the service.

HyperFake shall impose on such sub-processors data protection obligations substantially equivalent to those set out in this DPA, to the extent relevant to their access to personal data processed on behalf of the client.

HyperFake shall remain responsible to the client for the performance of the sub-processor’s obligations to the extent required by applicable law.

Information about sub-processors may be provided through contractual documentation, a specific list, a legal hub or upon the client’s reasonable request.

Article 28 GDPR expressly provides for the use of sub-processors, subject to the controller’s authorisation and the imposition of the same data protection obligations.

10. International data transfers

Where HyperFake or its sub-processors process personal data outside the European Economic Area, or from jurisdictions that imply an international transfer under applicable law, HyperFake shall implement the safeguards required by such law.

These safeguards may include, as appropriate:

  • adequacy decisions adopted by the European Commission;

  • standard contractual clauses approved by the European Commission;

  • or other legally valid international transfer mechanisms.

The European Commission recognises adequacy decisions and SCCs as valid mechanisms for international transfers under the GDPR.

11. Assistance to the client

Taking into account the nature of the processing and the information available to HyperFake, HyperFake shall assist the client, in a reasonable and appropriate manner, in complying with its legal obligations in relation to:

  • requests for the exercise of data subject rights;

  • security of processing;

  • notification of security breaches;

  • data protection impact assessments, where applicable;

  • and prior consultations with supervisory authorities, where legally required.

12. Requests from data subjects

If HyperFake receives directly a request from a data subject concerning data processed on behalf of the client, it shall forward it to the client, unless otherwise required by law or unless the contracted service includes a specific functionality for handling such requests.

The client shall be responsible for responding to requests for the exercise of rights, except to the extent that HyperFake must assist under the previous clause.

13. Personal data breaches

HyperFake shall notify the client, without undue delay, of any personal data breach of which it becomes aware and that affects data processed on behalf of the client, providing the information reasonably available so that the client can assess its legal obligations.

14. Audit and information

HyperFake shall make available to the client the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and applicable law.

Any audit or additional review must:

  • be justified by reasonable compliance grounds;

  • not compromise the security, confidentiality or rights of other clients or third parties;

  • be limited to relevant information and systems;

  • be carried out with reasonable prior notice and during normal business hours;

  • and, unless required by law or by a serious incident, be carried out preferably through documentation, security questionnaires or equivalent evidence.

15. Return or deletion of data

At the client’s choice and unless retention is required by law, HyperFake shall delete or return the personal data processed on behalf of the client once the provision of the service has ended, within a reasonable period and in accordance with the functionalities, processes and retention policies applicable to the service.

HyperFake may nevertheless retain blocked data or data minimally necessary where required by legal obligations, defence against claims, security, fraud prevention or regulatory compliance, for the strictly necessary periods.

16. Client obligations

The client represents and warrants that:

  • it has a sufficient legal basis for the processing and for instructing HyperFake to process the personal data covered by the service;

  • it has informed data subjects, where required, about such processing;

  • the instructions given to HyperFake comply with applicable law;

  • and it will not provide HyperFake with unnecessary or disproportionate personal data for the purpose of the contracted service.

The client shall be solely responsible for the accuracy, quality and lawfulness of the personal data it incorporates into the service or instructs HyperFake to process.

17. Liability

Each party’s liability arising from this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, except where such liability cannot be limited or excluded under applicable law.

18. Precedence

In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data on behalf of the client, this DPA shall prevail in relation to that matter.

19. Applicable law

This DPA shall be interpreted in accordance with the law applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 and the applicable national law.

HyperFake is redefining commercial video production

Strategy, creativity and production — without friction.

Get Started
enes