Data Processing Agreement

Last updated: 19 April 2026

This DPA forms part of our Terms of Service and applies to all customers who process personal data of others through Holy Callsheet (e.g. crew member contact details). By using the service, you accept this DPA.

1. Definitions

  • Controller: you, the customer, who determines the purposes and means of processing personal data of your crew members and other contacts.
  • Processor: us, Holy Callsheet, who process personal data on your behalf to deliver the service.
  • Personal data: any information relating to an identified or identifiable natural person, as defined by Article 4 of the GDPR.
  • Sub-processor: a third party engaged by us to process personal data in the context of providing the service.

2. Subject matter and duration

This DPA applies to all processing of personal data carried out by Holy Callsheet on behalf of the Controller in the course of providing the service. It remains in effect for the duration of your active subscription and terminates upon account deletion or subscription expiry, whichever is later, subject to Section 11 (Return and deletion).

3. Nature and purpose of processing

Holy Callsheet processes personal data of crew members and contacts on behalf of the Controller for the following purposes:

  • Creating, editing, and storing callsheets and project data.
  • Generating and distributing callsheet share links to crew.
  • Producing PDF exports of callsheets.
  • Managing the Controller’s crew database and contact records.

4. Categories of data subjects

  • Crew members (cast and crew listed on callsheets).
  • Location contacts (point-of-contact persons for shoot locations).
  • Project points of contact (producers, ADs, coordinators listed on a production).

5. Categories of personal data

  • Full name
  • Phone number
  • Email address
  • Role or position on a production
  • Optional profile photo

6. Sub-processors

We currently use the following sub-processors to deliver the service:

  • Supabase: database, authentication, and file storage (EU, Frankfurt, eu-central-1).
  • Vercel: web hosting and edge network (EU edge locations for EU traffic).
  • Stripe: payment processing (US/EU, PCI-DSS Level 1).
  • Resend: transactional email delivery (US/EU).

7. Security measures

We maintain the following technical and organisational measures:

  • TLS 1.3 encryption for all data in transit.
  • Encryption at rest provided by Supabase (AES-256).
  • Row-Level Security (RLS) policies enforced at the database layer; cross-account data access is impossible by design.
  • All infrastructure for primary data storage located in the EU.
  • Bcrypt hashing for share-link passwords.
  • Access to production infrastructure limited to the operator on a need-to-know basis.

For a full overview, see our security page.

8. Data subject rights

We will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) within 30 days of the request being forwarded to us. Contact privacy@holycallsheet.com to initiate such requests.

9. Breach notification

In the event of a personal data breach affecting the Controller’s data, we will notify the Controller within 72 hours of becoming aware of the breach. The notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Audit rights

The Controller may request a written summary of our security posture and sub-processor compliance once per calendar year. Such requests should be directed to privacy@holycallsheet.com. We will respond within 30 days.

11. Return and deletion

Upon termination of the subscription or account deletion, we will permanently delete the Controller’s data within 30 days. Database backups containing Controller data will expire within 90 days of the deletion request. We do not retain copies for any other purpose.

12. Liability

Liability under this DPA is governed by the limitation of liability clause in our Terms of Service.

13. Contact

DPA-related enquiries: privacy@holycallsheet.com

Postal address: Willem Runderkampstraat 6, 1132HX Volendam, Nederland