DATA PROCESSING AGREEMENT
(DPA)
(Language Priority — Applicable to this DPA only / For Merchants domiciled or with a place of business in the Republic of Korea, the Korean-language version shall prevail; for Merchants domiciled or with a place of business outside the Republic of Korea, the English-language version shall prevail. In the event of any discrepancy between the Korean and English versions, the version corresponding to the Merchant's location governs. This rule applies to this DPA only and is separate from the Korean-original-prevails rule applicable to the Charlla Terms of Service and Privacy Policy.)
Charlla Service | Catenoid Inc.
Version 1.2.3
Notice Date: April 30, 2026
Effective Date: June 1, 2026
Last Updated: April 2, 2026
| DATA CONTROLLER | DATA PROCESSOR |
|---|---|
| Merchant / Customer (Party subscribing to Charlla) | Catenoid Inc. (Operator of Charlla Service) |
This Data Processing Agreement ("DPA" or "Agreement") is entered into between:
(A) The Merchant identified in the Charlla Service subscription agreement ("Controller", "Merchant", or "you"); and
(B) Catenoid Inc., a company incorporated under the laws of the Republic of Korea, with its principal office at Seoul, Korea, operating the Charlla short-form video hosting service ("Processor", "Catenoid", or "we").
WHEREAS:
(1) The Controller uses the Charlla Service to embed and deliver short-form video content to end-users on the Controller's websites or storefronts.
(2) In the course of providing the Charlla Service, the Processor processes certain personal data on behalf of the Controller, as further described in Annex I.
(3) The parties wish to set out their respective obligations and rights in relation to such processing.
(4) This DPA forms part of, and is incorporated into, the Charlla Terms of Service (v5.5 or later) agreed between the parties.
NOW, THEREFORE, the parties agree as follows:
In this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meaning given in the Charlla Terms of Service or applicable data protection law.
| Term | Definition |
|---|---|
| "Applicable Data Protection Law" | All laws and regulations concerning the processing of Personal Data applicable to a party, including without limitation: the EU GDPR, UK GDPR, CCPA/CPRA, APPI (Japan), PDPA (Singapore), Privacy Act 1988 (Australia), and the Korean Personal Information Protection Act (PIPA). |
| "Controller" | The entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the Merchant. |
| "Processor" | The entity that processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is Catenoid Inc. |
| "Personal Data" | Any information relating to an identified or identifiable natural person ("data subject"), as defined under Applicable Data Protection Law. |
| "Processing" | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, or deletion. |
| "Data Subject" | A natural person whose Personal Data is processed under this DPA. |
| "Merchant Account Data" | Personal Data of the Merchant (i.e., the subscriber's email address used for account login and service administration). |
| "End-User Access Data" | Data automatically collected from visitors to the Merchant's website or storefront when they view Charlla-hosted video content, at the level of W3C web access logs. |
| "Sub-Processor" | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
| "Security Incident" | Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. |
| "SCCs" | Standard Contractual Clauses adopted by the European Commission for international transfers of Personal Data. |
| "Services" or "Charlla Service" | The short-form video hosting and delivery service operated by Catenoid Inc. under the Charlla brand, as described in the Terms of Service. |
2.1 Subject Matter. This DPA governs the processing of Personal Data by Catenoid as Processor on behalf of the Merchant as Controller, in connection with the provision of the Charlla Service.
2.2 Details of Processing. The details of the processing activities covered by this DPA are set out in Annex I (Details of Processing), which forms an integral part of this Agreement.
2.3 Role Allocation and Data Minimization.
(a) Merchant Account Data (email address, service configuration, billing information, customer support records, etc.): Catenoid independently determines the purposes and means of processing such data for its own service operations, account management, billing, security, and customer support. Catenoid acts as an independent controller in this regard. Catenoid's Privacy Policy applies to such processing.
(b) End-User Access Data: With respect to end-users who view video content on the Merchant's websites, Catenoid acts as a processor on the Merchant's (Controller's) instructions and automatically collects the following technical data: web access log-level technical data at the W3C standard (IP address, browser type/version, timestamp, page URL), player events (video load, play start/end, playback duration), and store domain identifiers. Such data is collected solely for the purposes of load measurement and billing calculation. Catenoid does not require end-users to submit personal data directly.
(c) Payment Data: All payment and billing information is processed directly by Stripe, Inc. as an independent controller under Stripe's own terms. Catenoid does not store or process credit card numbers, bank account details, or other sensitive financial data.
The Processor obligations set forth in Articles 3 through 9 of this DPA apply to the processing of End-User Access Data described in (b) above.
2.4 Instructions. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller's use and configuration of the Charlla Service constitutes its primary documented instructions to the Processor. The Controller may issue additional instructions through the Service console or by written notice.
2.5 Compliance with Instructions. The Processor shall inform the Controller if, in its opinion, any instruction given by the Controller infringes Applicable Data Protection Law.
3.1 Confidentiality. The Processor shall ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
3.2 Security. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex II. These measures shall include, at a minimum:
Encryption of Personal Data in transit using TLS 1.2 or higher;
Encryption of stored Personal Data, including passwords and sensitive identifiers;
Access controls and the principle of least privilege for Processor personnel;
Regular security assessments and vulnerability testing;
Physical security measures for data centers operated by approved Sub-Processors.
3.3 Assistance — Data Subject Rights. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights (including rights of access, rectification, erasure, restriction, portability, and objection). For requests received via Shopify or other platform webhooks (customers/data_request, customers/redact, shop/redact), the Processor shall process such requests without undue delay and within timeframes required by Applicable Data Protection Law.
3.4 Assistance — Security Obligations. The Processor shall assist the Controller in ensuring compliance with security obligations, data protection impact assessments, and prior consultations with supervisory authorities, to the extent reasonably possible given the nature of the processing and the information available to the Processor.
3.5 Deletion and Return. Upon termination or expiry of the Charlla Service subscription, the Processor shall process Personal Data as follows:
(a) Merchant Account Data: retained and deleted in accordance with the Charlla Privacy Policy and applicable law (e.g., deleted within 30 days of service termination); not recoverable. Data required to be retained by applicable law (e.g., billing records) shall be retained for the statutory retention period.
(b) End-User Access Data: Following an app uninstall via a platform marketplace, shop and end-user data associated with the store will be deleted within 48 hours of receipt of the shop/redact webhook.
3.6 Records. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR, and shall make such records available to competent supervisory authorities upon request.
3.7 Prohibition on Secondary Use. The Processor shall not use End-User Access Data for any purpose beyond the provision of the Charlla Service to the Controller. Specifically, the Processor shall not use such data for: (a) training or improving AI or machine learning models for commercial purposes; (b) advertising or marketing to the Controller's end-users; (c) profiling end-users; or (d) sharing or selling to third parties for their own commercial purposes.
3.8 California Privacy Law (CCPA/CPRA) Additional Obligations. Where the Personal Data of California consumers is processed, the Processor shall act as a Service Provider as defined under CCPA/CPRA and shall:
(a) provide the same level of privacy protection for Personal Data processed on behalf of the Controller as required by CCPA/CPRA;
(b) notify the Controller without undue delay if the Processor can no longer meet its obligations under this DPA; and
(c) take reasonable steps to stop and remediate any unauthorized use of Personal Data, and notify the Controller of any such unauthorized use.
4.1 General Authorization. The Controller provides a general written authorization to the Processor to engage Sub-Processors, subject to the conditions set out in this Article 4.
4.2 Current Sub-Processors. The current list of approved Sub-Processors is set out in Annex III. The Controller acknowledges and agrees to the engagement of the Sub-Processors listed in Annex III as at the date of this DPA.
4.3 Notification of Changes. The Processor shall inform the Controller of any intended addition or replacement of Sub-Processors by updating Annex III and providing reasonable advance notice (not less than 30 days) through the Charlla Service notification channel or by email to the Controller's registered email address. If the Controller reasonably objects to the new Sub-Processor within such notice period, the parties shall work together in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the relevant Services with 30 days' written notice.
4.4 Sub-Processor Obligations. The Processor shall impose on each Sub-Processor, by written contract, data protection obligations equivalent to those imposed on the Processor under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of Applicable Data Protection Law. The Processor remains fully liable to the Controller for the acts or omissions of its Sub-Processors.
Current Sub-Processors as of the date of this DPA are listed in Annex III. These include Amazon Web Services (AWS) for cloud infrastructure.
5.1 Cooperation. The Processor shall assist the Controller in responding to Data Subject rights requests within the timeframes required by Applicable Data Protection Law. Upon receiving a Data Subject request directly (e.g., via email), the Processor shall promptly notify the Controller and shall not respond to the Data Subject directly unless instructed by the Controller or required by law.
5.2 Platform Webhooks. Where the Charlla Service is deployed via an external platform marketplace (e.g., Shopify, Cafe24, or similar e-commerce platforms), the Processor shall implement and maintain the platform's required data management webhooks:
customers/data_request — Provide personal data report for the specified customer.
customers/redact — Delete or anonymize personal data for the specified customer.
shop/redact — Delete all personal data associated with the merchant's store, to be executed within 48 hours of receipt.
5.3 End-User Rights. Where end-users exercise their data rights directly with the Controller (e.g., pursuant to GDPR, CCPA, or other applicable law), the Controller may submit a deletion or access request to the Processor via privacy@charlla.io. The Processor shall fulfill such requests within the timeframes specified in the applicable law (not to exceed 30 days for GDPR/UK GDPR requests, and 45 days for CCPA requests).
5.4 Verification. The Processor may request reasonable information from the Controller to verify the identity of the Data Subject and the scope of the request before taking action.
6.1 Technical and Organizational Measures. The Processor has implemented and shall maintain the technical and organizational security measures described in Annex II. The Processor shall regularly review and update these measures to reflect evolving threats and best practices.
6.2 Personnel. The Processor shall restrict access to Personal Data to personnel who need access for the performance of the Services, and shall ensure such personnel are subject to appropriate confidentiality obligations and trained on data protection requirements.
6.3 Updates. In the event that the Processor intends to materially reduce the level of security measures described in Annex II, the Processor shall provide the Controller with advance notice and both parties shall work together to agree on alternative measures prior to any reduction.
7.1 Notification to Controller. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA. Such notification shall include, to the extent known at the time:
A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
The name and contact details of the data protection officer or other relevant contact point;
A description of the likely consequences of the Security Incident;
A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
7.2 Supplemental Information. The Processor shall supplement its initial notification with additional information as it becomes available, without further undue delay.
Note: Where the Processor acts as an independent controller for Merchant Account Data and a Security Incident triggers notification obligations under applicable Korean data protection law (PIPA), the Processor shall comply with the notification timelines required by PIPA (notification to the PIPC within 72 hours).
7.3 Cooperation. The Processor shall cooperate fully with the Controller in responding to the Security Incident, including taking reasonable steps to contain the incident, conducting an investigation, and providing information necessary for the Controller to fulfill its own breach notification obligations under Applicable Data Protection Law (e.g., 72-hour notification to supervisory authorities under GDPR).
7.4 No Acknowledgment of Fault. Any notification made pursuant to this Article 7 shall not constitute an acknowledgment by the Processor of any fault or liability with respect to the Security Incident.
8.1 General. Personal Data may be transferred to, stored in, or processed in countries outside the Controller's country of residence, including countries that may not provide the same level of data protection as the Controller's home jurisdiction.
8.2 Safeguards. The Processor shall ensure that any international transfer of Personal Data is subject to appropriate safeguards, including:
For transfers from the EU/EEA to the Republic of Korea: based on the European Commission's adequacy decision for the Republic of Korea;
For onward transfers from the Republic of Korea to the United States or other non-adequate countries: the European Commission's Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 or equivalent safeguards;
For transfers from the United Kingdom to the Republic of Korea: based on the United Kingdom's adequacy regulations for the Republic of Korea;
For transfers from Japan: pursuant to Article 28 of the Act on the Protection of Personal Information (APPI), the Processor ensures that the Controller's end-users in Japan are informed that their data is transferred to the Republic of Korea, which is not designated as a country with equivalent data protection standards by the PPC. The Processor shall maintain a personal information protection system conforming to the standards set forth in the PPC's rules, including contractual safeguards equivalent to the obligations imposed by the APPI on domestic processors;
For transfers from other jurisdictions: any other appropriate safeguards required by Applicable Data Protection Law.
8.3 Infrastructure Locations. Personal Data is primarily processed and stored on AWS infrastructure in the Asia-Pacific region. Additional processing may occur in the United States for payment processing via Stripe. Details of infrastructure locations are set out in Annex III.
8.4 Execution of Transfer Mechanisms. Where required by Applicable Data Protection Law (e.g., where the Controller is established in the EU/EEA), the parties shall execute the applicable Standard Contractual Clauses or other required transfer mechanism as a supplement to this DPA. Upon request, Catenoid shall provide a signed copy of the applicable transfer mechanism.
9.1 Audit Rights. The Controller may, upon providing at least 30 days' prior written notice, exercise the right to audit the Processor's processing activities and security measures, or to commission an independent third-party auditor to do so. Audits shall be conducted during normal business hours, shall not unreasonably disrupt the Processor's operations, and shall be subject to appropriate confidentiality obligations.
9.2 Audit Reports. The Processor shall, upon request, provide the Controller with access to relevant audit reports, certifications, or summaries of third-party security assessments (such as SOC 2, ISO 27001, or similar), where available, as an alternative to or supplement to a direct audit.
9.3 Costs. Each party shall bear its own costs in connection with any audit conducted under this Article 9.
9.4 Regulatory Inquiries. Each party shall promptly notify the other of any inquiry, investigation, or request from a supervisory authority that relates to the processing of Personal Data under this DPA.
10.1 Term. This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller pursuant to the Charlla Terms of Service.
10.2 Effect of Termination. Upon termination of the Charlla Service subscription for any reason, the Processor shall continue to be bound by the obligations in this DPA with respect to any Personal Data still in its possession. The Processor shall delete or return Personal Data in accordance with Article 3.5 of this DPA.
10.3 Survival. Articles 3.7, 6, 9, 11, and 12 shall survive the termination of this DPA.
11.1 General. Each party's liability to the other under or in connection with this DPA shall be subject to the limitations and exclusions set out in the Charlla Terms of Service.
11.2 Processor Liability. The Processor shall be liable for damages caused by processing where it has not complied with obligations of Applicable Data Protection Law specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.
11.3 Controller Liability. The Controller shall be liable for damages caused by processing that infringes Applicable Data Protection Law and for any instructions it gives that violate Applicable Data Protection Law.
11.4 Contribution. If both parties are responsible for the same damage, they shall be held jointly and severally liable to the Data Subject, and may seek contribution from each other in proportion to their respective fault.
11.5 Cap. Without prejudice to mandatory provisions of Applicable Data Protection Law, the Processor's aggregate liability to the Controller under this DPA shall not exceed the total fees paid or payable by the Controller for the Charlla Service in the twelve (12) months immediately preceding the event giving rise to the claim.
12.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Republic of Korea, unless a mandatory provision of Applicable Data Protection Law in the Controller's jurisdiction requires otherwise.
12.2 Dispute Resolution. Any dispute arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Charlla Terms of Service. For disputes with overseas Merchants, the parties shall first engage in good faith consultation for 30 days. If the dispute is not resolved, it shall be settled by arbitration under the rules of the Singapore International Arbitration Centre (SIAC). The seat of arbitration shall be Singapore and the language of arbitration shall be English. The parties may, by mutual agreement, elect to arbitrate under the Korean Commercial Arbitration Board (KCAB) instead.
12.3 Mandatory Law. Where Applicable Data Protection Law provides rights and remedies to Data Subjects that are more protective than those set out in this DPA, such mandatory provisions shall prevail.
12.4 Supervisory Authority. Nothing in this DPA shall prevent a Data Subject from lodging a complaint with the competent supervisory authority in the Data Subject's jurisdiction (including but not limited to relevant EU/EEA supervisory authorities, the UK ICO, and the Korean Personal Information Protection Commission).
This DPA automatically applies to (i) Merchants (Controllers) who use the Charlla Service through an external e-commerce platform's app marketplace (e.g., Shopify, Cafe24), and (ii) overseas Merchants who install and operate the Charlla Service directly on their own websites (direct-signup global customers). Such Merchants are deemed to have agreed to this DPA upon app installation and acceptance of the Charlla Terms of Service. Customers domiciled or with a place of business in the Republic of Korea who subscribe directly are not automatically bound by this DPA and may, upon request, execute this DPA separately in writing with Catenoid Inc.
| DATA CONTROLLER (Merchant) | DATA PROCESSOR (Catenoid Inc.) |
|---|---|
| Company Name: ___________________________ | Company: Catenoid Inc. / CEO: Hyungseok Kim / Business Registration No.: 114-86-89540 / Head Office: 4F-5F, Samha Building, 502 Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea |
| Authorized Signatory: ___________________________ | Authorized Signatory: ___________________________ |
| Title: ___________________________ | Title: ___________________________ |
| Date: ___________________________ | Date: ___________________________ |
This Annex sets out the details of the processing activities carried out by Catenoid Inc. as Processor on behalf of the Controller, as required by Article 28(3) GDPR and equivalent provisions of Applicable Data Protection Law.
| Party | Details |
|---|---|
| Controller | The Merchant as identified in the Charlla Service subscription. Contact: Controller's registered email address. |
| Processor | Catenoid Inc. (CEO: Hyungseok Kim / Business Registration No.: 114-86-89540 / Head Office: 4F-5F, Samha Building, 502 Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea). Data protection inquiries: privacy@charlla.io. EU Representative (GDPR Article 27): Catenoid Inc. has designated its 100% subsidiary located in Spain as its EU Representative. Legal name: HISPlayer SDK SL (NIF: B44544773) / Address: Calle Poeta Joan Maragall 1, Floor 16, 28020 Madrid, Spain / E-mail: privacy@hisplayer.com. UK Representative (UK GDPR Article 27): Not appointed pursuant to the exemption under UK GDPR Article 27(2)(a). The Company's processing of UK-resident data subjects' data is limited to passive server-log recording and monthly statistical aggregation, constituting ancillary (occasional) processing, and no profiling that identifies individuals is performed. See the Charlla Privacy Policy for detailed grounds. Japan Local Contact: Data subjects residing in Japan may contact Catenoid Inc. (株式会社カテノイド) / Address: Turm Kanda 7F, 4-9 Kanda-Iwamotocho, Chiyoda-ku, Tokyo 101-0033, Japan / Department: Sales & Marketing / Email: jp_sales@catenoid.net |
(For Reference: Catenoid processes Merchant Account Data as an independent Controller. Catenoid's Controller obligations for such data are governed by its Privacy Policy. The Processor obligations under this DPA apply to End-User Access Data described in Section C below.)
| Element | Description | Notes |
|---|---|---|
| Data Subjects | Merchants (B2B subscribers to Charlla Service) | |
| Categories of Personal Data | Email address (login credential) | Payment data handled by Stripe; not processed by Catenoid |
| Purpose of Processing | Account authentication; service administration; billing notifications; service-related communications | |
| Legal Basis (GDPR) | Art. 6(1)(b) — Performance of contract | |
| Retention Period | In accordance with the Charlla Privacy Policy (deleted within 30 days of service termination) | |
| Nature of Processing | Collection, storage, use, deletion | |
| Element | Description | Notes |
|---|---|---|
| Data Subjects | End-users (visitors to Merchant's website or storefront who view Charlla-hosted video content) | |
| Categories of Personal Data | IP address, browser type/version, timestamp, page URL (W3C web access log standard); Player events: video load, play start/end, playback duration; Store domain identifier | No active collection; all data is automatically generated by the viewer's browser/device interaction |
| Purpose of Processing | Load measurement for billing; delivery of video player; service performance monitoring | Data is NOT used for advertising, profiling, or AI/ML training |
| Legal Basis (GDPR) | Art. 6(1)(f) — Controller’s legitimate interest in accurate load-based billing and secure video delivery. The Processor collects and aggregates load-metering data strictly on the Controller’s documented instructions and does not determine the purposes or means of processing this data. Where technical identifiers used by the Charlla player (cookies, local storage, etc.) fall within the scope of the ePrivacy Directive (2002/58/EC) or the UK PECR, the Controller (Merchant) is responsible for obtaining appropriate consent mechanisms in compliance with those laws. | |
| Retention Period | Rolling 90-day retention for billing purposes; access logs anonymized or deleted after 90 days from collection | |
| Nature of Processing | Automatic collection, temporary storage, aggregation for billing, deletion | |
No special categories of personal data (as defined under Article 9 GDPR) are processed under this DPA.
Server logs are passively recorded when end-users view Charlla-hosted video content on the Controller's websites. Statistical aggregation for billing purposes is processed in batch at monthly billing cycles. No profiling or individual-level behavioral analysis is performed during statistical processing.
The following technical and organizational measures are implemented by Catenoid Inc. to ensure an appropriate level of security for the Personal Data processed under this DPA.
| Measure Category | Implemented Measures | Standard / Reference |
|---|---|---|
| Encryption in Transit | All data transmitted between end-users, Merchants, and Catenoid servers is encrypted using TLS 1.2 or higher. HTTPS is enforced across all service endpoints. | TLS 1.2+ / HTTPS |
| Encryption at Rest | Passwords are hashed using a strong one-way algorithm (bcrypt or equivalent). Sensitive Personal Data fields are encrypted at rest in Catenoid's databases. | AES-256 or equivalent |
| Access Controls | Role-based access control (RBAC) is applied to all systems processing Personal Data. Access is granted on a need-to-know basis (principle of least privilege). Access is reviewed regularly. | RBAC / Least Privilege |
| Authentication | Multi-factor authentication (MFA) is required for Catenoid personnel accessing production systems containing Personal Data. | MFA |
| Personnel & Training | Catenoid personnel with access to Personal Data are bound by confidentiality agreements and receive regular data protection and security training. | Internal policy |
| Vulnerability Management | Regular vulnerability scanning and penetration testing are conducted on Catenoid's infrastructure. Critical vulnerabilities are remediated on a risk-prioritized basis. | Periodic assessment |
| Incident Response | A documented Security Incident response plan is in place. The plan includes detection, containment, notification (including to Controllers within 48 hours), and post-incident review procedures. | Internal IR plan |
| Physical Security | Catenoid relies on AWS data centers for physical infrastructure. AWS maintains industry-leading physical security controls including 24/7 surveillance, biometric access, and environmental controls. | AWS SOC 2 / ISO 27001 |
| Data Minimization | Only the data categories described in Annex I are collected. No additional personal attributes are added or inferred. | GDPR Art. 5(1)(c) |
| Pseudonymization | Where technically feasible, end-user IP addresses are hashed or anonymized after the initial access log processing for billing purposes. | GDPR Art. 25 |
| Logging & Monitoring | Access to systems containing Personal Data is logged. Logs are monitored for anomalous activity. | SOC 2 Type II-aligned |
| Sub-Processor Controls | Each Sub-Processor is contractually bound to maintain security measures equivalent to those set out in this Annex II, and is assessed for security compliance prior to engagement. | DPA Art. 4.4 |
Part A. Approved Sub-Processors
The following Sub-Processors are approved as of the date of this DPA. Catenoid will provide 30 days' advance notice of any changes to this list.
| Sub-Processor | Service Provided | Data Processed / Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) aws.amazon.com | Cloud infrastructure: compute, storage, content delivery network (CDN) for video hosting | End-User Access Data; Merchant Account Data (encrypted). Primary region: Asia-Pacific (Seoul, ap-northeast-2). Backup/CDN: Multiple AWS regions globally. AWS SCCs apply for EU/EEA data transfers. |
Part B. Independent Controllers — Reference
The entities listed below are NOT Sub-Processors under this DPA but independent controllers. They are listed here for transparency purposes only.
| Entity | Role & Service | Data Processed / Location |
|---|---|---|
| Stripe, Inc. stripe.com | Independent Controller — Payment processing for Merchant billing (subscription fees, overage charges). Stripe processes payment data under its own terms and DPA (stripe.com/legal/dpa). | Merchant billing data (name, email, payment method). Location: United States (primary) / EU (Stripe EU entity for EU Merchants) |
| External E-Commerce Platform Operators | Independent Controller — App-payment processing through respective platforms. Each platform processes personal information under its own terms and privacy policy. | Per platform location |
Catenoid does not receive, store, or have access to full credit card numbers or sensitive payment credentials. Merchants should review Stripe's Data Processing Agreement (stripe.com/legal/dpa) and the applicable platform's privacy policy separately.
Last updated: April 2, 2026