Flash ai. — Data Processing Agreement (DPA)
DRAFT — pending legal review. Not legal advice. Do not publish until reviewed by a qualified Indian lawyer.
Effective date: [EFFECTIVE DATE]
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flash Production Intelligence Private Limited ("Flash", the "Processor") and the Customer ("you", the "Data Fiduciary"). It governs Flash's processing of personal data that you upload or make available through Flash ai. (the "Customer Personal Data"). Terms not defined here have the meaning given in the DPDP Act, 2023.
1. Roles
For Customer Personal Data (your crew, cast, vendors, staff, and their details), you are the Data Fiduciary and Flash is the Data Processor, processing only on your documented instructions — which include your configured use of the platform and any written instruction you give.
2. Scope and purpose of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Flash ai. platform |
| Duration | For the term of your subscription, plus the deletion window in §9 |
| Nature & purpose | Storing, organising, displaying, extracting from, and computing on Customer Personal Data to operate production, finance, crew, and document workflows for you |
| Types of personal data | Names, contact numbers, email addresses, consent records, bank/UPI/payment details, salary and payment amounts, identity and contract documents, travel/hotel assignments, vehicle logs including location data |
| Categories of Data Principals | Your crew, cast, vendors, staff, and your own users |
3. Flash's obligations
Flash will:
- process Customer Personal Data only on your instructions and for the purposes above, not for its own purposes;
- keep Customer Personal Data confidential and ensure personnel with access are bound by confidentiality;
- apply reasonable security safeguards (§5);
- assist you, taking into account the nature of processing, to (a) respond to Data Principal rights requests, (b) meet your security, breach-notification, and (if applicable) data-protection-impact obligations;
- make available information reasonably necessary to demonstrate compliance with this DPA;
- notify you without undue delay on becoming aware of a personal data breach affecting Customer Personal Data (§6); and
- not sell or share Customer Personal Data or use it to train foundation AI models.
4. Sub-processors
You authorise Flash to engage sub-processors to provide the Service. Flash imposes data-protection obligations on each and remains responsible for their performance. The current sub-processors are:
| Sub-processor | Function | Processing location |
|---|---|---|
| Supabase | Database, authentication, file storage | Outside India (confirm region) |
| Vercel | Application hosting, edge/CDN | Outside India (US/global) |
| Anthropic | AI model processing of documents/prompts | Outside India (US) |
| Meta Platforms (WhatsApp Cloud API) | OTP and notification messaging | Global |
| Google (Workspace / Gmail) and/or Resend | Transactional email | Global |
| YouTube Data API (Google) | Public channel statistics (no personal data of Data Principals) | Global |
Review note: confirm this list is complete and accurate, confirm the Supabase/Vercel regions, and confirm cross-border transfer wording meets DPDP Act requirements and any Central Government restrictions. Flash will give you reasonable notice of new or replacement sub-processors so you may object.
5. Security
Flash maintains, at minimum:
- tenant isolation via Row-Level Security, with automated cross-tenant leak testing;
- encryption in transit and at rest;
- restricted, role-based access to production data; finance data limited to authorised roles;
- secrets kept out of source control and automatically scanned on every change;
- human approval and audit logging for all money movement;
- error monitoring and alerting.
6. Personal data breach
On becoming aware of a breach affecting Customer Personal Data, Flash will notify you without undue delay with the information available, assist your assessment, and cooperate with any notifications you must make to the Data Protection Board of India and affected Data Principals under the DPDP Act.
7. Data Principal requests
If Flash receives a request from one of your Data Principals (e.g. a crew member) to access, correct, or erase data you control, Flash will not respond directly except to direct them to you, and will assist you in responding as required by law.
8. International transfers
Where sub-processors process Customer Personal Data outside India, Flash relies on contractual safeguards and processes such transfers in accordance with the DPDP Act and any Government-notified restrictions. See §4 for locations.
9. Return and deletion
On termination or your request, Flash will make Customer Personal Data available for export for a limited window (default 30 days), then delete or anonymise it, except where retention is required by law (e.g. financial records under the Companies Act 2013 / Income Tax Act), in which case Flash will retain only what the law requires, isolated and access-restricted, until it may be deleted. See data-retention-erasure.md.
10. Audit
Flash will, on reasonable written request and no more than once a year (unless required by an authority or after a breach), provide information reasonably necessary to demonstrate compliance, subject to confidentiality and without compromising other tenants' security.
11. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.
Flash ai. is a product of Flash Production Intelligence Private Limited. OPM Cinemas is a tenant of the platform, not the operator.