← Flash ai.Legal
Draft — pending legal review. This document is not yet in force.

Flash ai. — Data Processing Agreement (DPA)

DRAFT — pending legal review. Not legal advice. Do not publish until reviewed by a qualified Indian lawyer.

Effective date: [EFFECTIVE DATE]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flash Production Intelligence Private Limited ("Flash", the "Processor") and the Customer ("you", the "Data Fiduciary"). It governs Flash's processing of personal data that you upload or make available through Flash ai. (the "Customer Personal Data"). Terms not defined here have the meaning given in the DPDP Act, 2023.


1. Roles

For Customer Personal Data (your crew, cast, vendors, staff, and their details), you are the Data Fiduciary and Flash is the Data Processor, processing only on your documented instructions — which include your configured use of the platform and any written instruction you give.

2. Scope and purpose of processing

ItemDetail
Subject matterProvision of the Flash ai. platform
DurationFor the term of your subscription, plus the deletion window in §9
Nature & purposeStoring, organising, displaying, extracting from, and computing on Customer Personal Data to operate production, finance, crew, and document workflows for you
Types of personal dataNames, contact numbers, email addresses, consent records, bank/UPI/payment details, salary and payment amounts, identity and contract documents, travel/hotel assignments, vehicle logs including location data
Categories of Data PrincipalsYour crew, cast, vendors, staff, and your own users

3. Flash's obligations

Flash will:

  • process Customer Personal Data only on your instructions and for the purposes above, not for its own purposes;
  • keep Customer Personal Data confidential and ensure personnel with access are bound by confidentiality;
  • apply reasonable security safeguards (§5);
  • assist you, taking into account the nature of processing, to (a) respond to Data Principal rights requests, (b) meet your security, breach-notification, and (if applicable) data-protection-impact obligations;
  • make available information reasonably necessary to demonstrate compliance with this DPA;
  • notify you without undue delay on becoming aware of a personal data breach affecting Customer Personal Data (§6); and
  • not sell or share Customer Personal Data or use it to train foundation AI models.

4. Sub-processors

You authorise Flash to engage sub-processors to provide the Service. Flash imposes data-protection obligations on each and remains responsible for their performance. The current sub-processors are:

Sub-processorFunctionProcessing location
SupabaseDatabase, authentication, file storageOutside India (confirm region)
VercelApplication hosting, edge/CDNOutside India (US/global)
AnthropicAI model processing of documents/promptsOutside India (US)
Meta Platforms (WhatsApp Cloud API)OTP and notification messagingGlobal
Google (Workspace / Gmail) and/or ResendTransactional emailGlobal
YouTube Data API (Google)Public channel statistics (no personal data of Data Principals)Global

Review note: confirm this list is complete and accurate, confirm the Supabase/Vercel regions, and confirm cross-border transfer wording meets DPDP Act requirements and any Central Government restrictions. Flash will give you reasonable notice of new or replacement sub-processors so you may object.

5. Security

Flash maintains, at minimum:

  • tenant isolation via Row-Level Security, with automated cross-tenant leak testing;
  • encryption in transit and at rest;
  • restricted, role-based access to production data; finance data limited to authorised roles;
  • secrets kept out of source control and automatically scanned on every change;
  • human approval and audit logging for all money movement;
  • error monitoring and alerting.

6. Personal data breach

On becoming aware of a breach affecting Customer Personal Data, Flash will notify you without undue delay with the information available, assist your assessment, and cooperate with any notifications you must make to the Data Protection Board of India and affected Data Principals under the DPDP Act.

7. Data Principal requests

If Flash receives a request from one of your Data Principals (e.g. a crew member) to access, correct, or erase data you control, Flash will not respond directly except to direct them to you, and will assist you in responding as required by law.

8. International transfers

Where sub-processors process Customer Personal Data outside India, Flash relies on contractual safeguards and processes such transfers in accordance with the DPDP Act and any Government-notified restrictions. See §4 for locations.

9. Return and deletion

On termination or your request, Flash will make Customer Personal Data available for export for a limited window (default 30 days), then delete or anonymise it, except where retention is required by law (e.g. financial records under the Companies Act 2013 / Income Tax Act), in which case Flash will retain only what the law requires, isolated and access-restricted, until it may be deleted. See data-retention-erasure.md.

10. Audit

Flash will, on reasonable written request and no more than once a year (unless required by an authority or after a breach), provide information reasonably necessary to demonstrate compliance, subject to confidentiality and without compromising other tenants' security.

11. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.


Flash ai. is a product of Flash Production Intelligence Private Limited. OPM Cinemas is a tenant of the platform, not the operator.

Data Processing Agreement — Flash ai.