CLN — Where Humans & AI Build Together

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Data Processor: Masterwork Films Ltd, the operator of CLN Work (“Processor”).
Data Controller: The organisation that has created an account on CLN Work (“Controller”).

This DPA supplements the Terms of Service and Privacy Policy and governs the processing of personal data by the Processor on behalf of the Controller.

2. Scope and Purpose

The Processor processes personal data solely to provide the CLN Work platform services as described in the Terms of Service. Processing activities include hosting, storage, retrieval, display, and transmission of data as part of the normal operation of the platform.

3. Categories of Data

Personal data processed under this DPA may include:

Names, email addresses, and profile images of team members.
Organisational structure data (departments, roles, hierarchy).
Content created within the platform (tasks, comments, notes, updates, files).
Authentication and access log data.

4. Data Subjects

Data subjects include the Controller's employees, contractors, and other individuals whose personal data is processed through the CLN Work platform.

5. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller.
Ensure that persons authorised to process personal data have committed to confidentiality.
Implement appropriate technical and organisational measures to ensure security of processing.
Not engage another processor without prior written authorisation from the Controller.
Assist the Controller in responding to data subject access requests.
Delete or return all personal data upon termination of services, at the Controller's choice.
Make available to the Controller all information necessary to demonstrate compliance.

6. Security Measures

The Processor implements the following security measures:

256-bit TLS encryption for all data in transit.
Encryption at rest for all stored data.
Multi-tenant data isolation with per-organisation access controls.
Secure authentication with bcrypt password hashing and OAuth 2.0.
Regular security assessments and vulnerability scanning.
Access logging and monitoring.
Incident response procedures with notification within 72 hours of breach detection.

7. Sub-processors

The Processor currently uses the following sub-processors:

Railway: Cloud hosting and database infrastructure (United States).
Stripe: Payment processing (United States).
Google: OAuth authentication (United States).

The Controller will be notified of any changes to sub-processors at least 30 days in advance.

8. International Transfers

Where personal data is transferred outside the UK/EEA, the Processor ensures that appropriate safeguards are in place in accordance with UK GDPR, including the use of Standard Contractual Clauses (SCCs) or reliance on adequacy decisions where applicable.

9. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, categories of data affected, estimated number of data subjects affected, and measures taken or proposed to address the breach.

10. Data Retention and Deletion

Upon termination of the service agreement, the Processor shall delete all personal data within 30 days unless retention is required by applicable law. The Controller may request data export in a structured, machine-readable format prior to deletion.

11. Audits

The Processor shall allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with reasonable advance notice and during normal business hours.

12. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.

13. Contact

Masterwork Films Ltd
Data Protection enquiries: privacy@cln.work