Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PurposeForce ("Processor," "we," "us") and the entity using Rewind Reels for Salesforce ("Controller," "you," "your"), collectively referred to as the "Parties." This DPA applies where and to the extent that PurposeForce processes Personal Data on behalf of the Controller in the course of providing the Rewind Reels service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including the GDPR.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data — i.e., the Customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — i.e., PurposeForce.
- "Sub-Processor" means any third party engaged by PurposeForce to process Personal Data on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope and Purpose of Processing
2.1 Nature of Processing
PurposeForce processes Personal Data solely for the purpose of providing the Rewind Reels service — specifically, querying Salesforce CRM data, generating AI-powered narration scripts, rendering video summaries, and delivering completed videos back to the Controller's Salesforce org.
2.2 Types of Personal Data
The following categories of Personal Data may be processed:
- Contact information (names, email addresses, phone numbers) from Salesforce records
- Business relationship data (account names, opportunity details, case information)
- Activity data (task descriptions, event details, notes)
- Any other CRM field data included in the Controller's Rewind Config settings
2.3 Categories of Data Subjects
- The Controller's customers, prospects, and business contacts
- The Controller's employees and authorized users
2.4 Duration of Processing
Processing occurs only for the duration of each video generation request. Salesforce data is queried in real time, processed through the AI narration pipeline, and is not retained after the narration is generated. Video data (narration JSON and theme) is stored on the Salesforce record in the customer's org. No video files are stored on PurposeForce servers.
3. Obligations of the Processor
PurposeForce shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data outside the EEA
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational security measures as described in Section 6
- Respect the conditions for engaging Sub-Processors as set out in Section 4
- Assist the Controller in responding to Data Subject requests as described in Section 7
- Assist the Controller in ensuring compliance with breach notification obligations
- Delete or return all Personal Data upon termination of the service, as described in Section 9
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
4. Sub-Processors
4.1 Authorized Sub-Processors
The Controller hereby provides general written authorization for PurposeForce to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location | Contact |
|---|---|---|---|
| Amazon Web Services, Inc. | Legacy video file storage (S3, for pre-March 2026 videos only) | United States (us-east-1) | aws.amazon.com/privacy |
| Anthropic, PBC | AI narration script generation (Claude API) | United States | anthropic.com/privacy |
| Stripe, Inc. | Payment processing and billing | United States | stripe.com/privacy |
| Vercel, Inc. | Backend application hosting | United States | vercel.com/legal/privacy-policy |
4.2 Changes to Sub-Processors
PurposeForce shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds related to data protection, the Parties shall discuss the concern in good faith. If no resolution can be reached, the Controller may terminate the agreement.
4.3 Sub-Processor Obligations
PurposeForce shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
5. International Data Transfers
5.1 Transfer Mechanisms
All data processing occurs in the United States. For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to the United States, PurposeForce relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- The UK International Data Transfer Addendum to the EU SCCs, where applicable
5.2 Supplementary Measures
In addition to the SCCs, PurposeForce implements the following supplementary measures:
- Encryption of all data in transit using TLS 1.2+
- Encryption of data at rest managed by Salesforce infrastructure (video data stored in-org)
- Minimal data retention (real-time processing only; no permanent storage of CRM data)
- Access controls limiting data access to authorized personnel only
6. Security Measures
PurposeForce implements the following technical and organizational measures to protect Personal Data:
6.1 Technical Measures
- TLS 1.2+ encryption for all data in transit
- Video data stored within Salesforce infrastructure (customer-controlled encryption)
- Per-org API key authentication with HMAC token verification
- Rate limiting (30 requests per minute per API key)
- Salesforce CRUD/FLS enforcement via Security.stripInaccessible
- No persistent storage of Salesforce CRM data on Rewind servers
- Share links secured with 128-bit cryptographic tokens for video access
6.2 Organizational Measures
- Access to production systems restricted to authorized personnel
- Security-aware development practices (no SOQL injection, no XSS, static error messages)
- Regular security reviews and vulnerability assessments
- Incident response procedures as described in Section 8
7. Data Subject Rights
PurposeForce shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under applicable data protection laws. Given that Salesforce CRM data is not permanently stored by PurposeForce:
- Access Requests: The Controller manages Data Subject data within their Salesforce org. PurposeForce can confirm whether any Personal Data is currently being processed (e.g., in an active render).
- Deletion Requests: Since CRM data is not stored permanently, deletion of source data in the Controller's Salesforce org is sufficient. Video data is stored as JSON on the Salesforce record and is deleted when the record is deleted.
- Portability Requests: The Controller maintains all source data in Salesforce. Generated video data is stored as JSON on Salesforce records under the Controller's control.
8. Data Breach Notification
8.1 Notification Timeline
PurposeForce shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach, by email to the Controller's designated contact.
8.2 Notification Content
The breach notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
- The name and contact details of our point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
8.3 Cooperation
PurposeForce shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each breach.
9. Return and Deletion of Data
Upon termination of the agreement or upon the Controller's written request:
- PurposeForce shall delete all Personal Data in its possession or control within 30 days, except as required by applicable law
- Any legacy video files stored on S3 will be deleted immediately upon request
- Data stored in the Controller's Salesforce org (narration JSON, theme data, video metadata) remains under the Controller's control
- PurposeForce shall certify deletion in writing upon the Controller's request
10. Audit Rights
The Controller has the right to audit PurposeForce's compliance with this DPA, subject to the following conditions:
- Audits shall be conducted with at least 30 days' prior written notice
- Audits shall be conducted during regular business hours and shall not unreasonably interfere with PurposeForce's operations
- The Controller shall bear the costs of any audit
- PurposeForce may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance
- Audit findings and any information obtained shall be treated as confidential
11. Liability
Each Party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not limit either Party's liability with respect to breaches of data protection obligations to the extent such limitation is not permitted under applicable law.
12. Term and Termination
This DPA shall remain in effect for the duration of PurposeForce's processing of Personal Data on behalf of the Controller. The obligations of PurposeForce under this DPA shall survive termination to the extent necessary to fulfill its data protection obligations, including the return or deletion of Personal Data.
13. Governing Law
This DPA shall be governed by the laws of the State of Indiana, United States, without prejudice to the application of mandatory data protection laws of the Controller's jurisdiction.
14. Contact
For questions about this Data Processing Agreement, contact us:
PurposeForce
Email: hello@purposeforce.org
Web: purposeforce.org