Tapemetric

Legal

Data Processing Agreement

Effective April 1, 2026

This Data Processing Agreement (“DPA”) supplements your Terms of service and governs how Tapemetric processes personal data on your behalf. It is designed to satisfy obligations under India’s Digital Personal Data Protection Act (DPDP) and the EU General Data Protection Regulation (GDPR).

1. Roles

  • Customer — the streaming platform using Tapemetric. Acts as the data fiduciary (DPDP) or controller (GDPR) for end-viewer data.
  • Tapemetric — acts as the data processor / fiduciary-by-instruction for end-viewer event data sent through our SDK or API.

2. Subject matter and duration

We process the personal data described in our Privacy policy for the purpose of providing the analytics service. Processing continues for the term of your subscription plus the data retention windows described in section 7 below.

3. Categories of data

  • Anonymous SDK identifiers, session identifiers.
  • Optional user identifiers you provide via identify().
  • Playback events: timestamps, content IDs, position, bitrate, buffer duration.
  • Device and browser context derived from the User-Agent header.
  • Approximate location: country, region, city — derived from IP and discarded.

4. Categories of data subjects

  • End-viewers of your streaming service.
  • Authorized users of your Tapemetric admin workspace.

5. Customer instructions

We process data only on your documented instructions, including the configuration choices you make in the admin panel. If we believe an instruction violates DPDP, GDPR, or other applicable law, we will inform you immediately.

6. Security measures

We implement the technical and organizational measures described on the Security page, including encryption at rest and in transit, access controls with MFA, audit logging, and an annual penetration test.

7. Sub-processors

You authorize us to engage the sub-processors listed on our Security page. We will give at least 30 days’ notice before adding a new sub-processor; you may object during that period and, if we cannot accommodate your objection, terminate the affected service for a pro-rated refund.

8. Data subject rights

Where we receive a data subject rights request (access, rectification, erasure, objection, portability) directly, we forward it to you within 5 business days. We provide an admin panel API for you to fulfill these requests yourself; we apply the underlying erasure or export within 72 hours of your request.

9. International transfers

Indian customer data is stored in ap-south-1 (Mumbai) and does not leave India. For cross-border transfers (EU customer with EU residency, US customer with US residency) we rely on the EU Standard Contractual Clauses or equivalent transfer mechanism.

10. Breach notification

We will notify you of any confirmed personal data breach without undue delay, and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate volume of data involved, and the measures taken or proposed to address it.

11. Audits

Once per year, on 30 days’ written notice, you may audit our compliance with this DPA. In lieu of an in-person audit, we will provide our most recent SOC 2 Type II report and security questionnaire responses under NDA. Any in-person audit is at your expense and must be conducted by a qualified third party that signs our NDA.

12. Return or deletion

On termination of the service, we will delete or return all personal data within 60 days, except where retention is required by law. You can export raw events at any time during the term using our bulk export endpoint (Enterprise) or the analytics API (Pro).

13. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms of service.

14. Signing

For most customers, accepting our Terms of service constitutes acceptance of this DPA. If your procurement process requires a signed counterpart, request one at legal@tapemetric.com.