Data Processing Addendum
Version: 1.0.1
Effective date: 2025-08-02
Applies to: All Saltfish customers who accept the Saltfish Terms of Service via online signup or order. By using the Service, Customer agrees this DPA forms part of the Agreement (as defined below).
1. Parties and incorporation
This DPA is incorporated by reference into the Saltfish Terms of Service (the "Agreement") between Saltfish AB, Roslagsgatan 45, 113 54 Stockholm, Sweden ("Saltfish") and the Customer that accepted the Agreement online ("Customer"). Capitalized terms not defined here have the meanings in the Agreement.
2. Roles; subject matter; duration
Roles. For Customer's use of the Studio and Widget on Customer properties, Customer acts as controller (or a processor to its own customer) and Saltfish acts as processor (or sub-processor). For Saltfish's own site analytics and operations (billing, account admin, service logs), Saltfish is an independent controller (outside this DPA).
Subject matter. Saltfish processes Personal Data to provide the Service described in the Agreement and Annex I.
Duration. For the term of the Agreement and any post-termination period specified in Section 10.
3. Customer instructions
Saltfish will process Personal Data only on documented instructions from Customer, including the Agreement, this DPA, and Customer's configurations and API calls. Saltfish will promptly inform Customer if an instruction infringes applicable law.
4. Special-category data and prohibited uses
The Service is not designed to process special-category data (GDPR Article 9) or other sensitive data. Customer will not submit such data unless strictly necessary and supported by a valid legal basis (typically explicit consent) with safeguards such as minimization, masking or redaction, and limited retention. The Service must not be used for biometric identification, liveness detection, or identity recognition, and must not be used to impersonate real people without authorization.
5. Confidentiality and personnel
Saltfish ensures personnel authorized to process Personal Data are bound by confidentiality, receive appropriate privacy and security training, and access data on a need-to-know basis.
6. Security measures
Saltfish implements appropriate technical and organizational measures described in Annex II, including encryption in transit and at rest, access controls, vulnerability management, logging and monitoring, incident response, and business continuity.
7. Sub-processors
Authorization. Customer authorizes Saltfish to use sub-processors to deliver the Service.
Transparency and notice. A current list of material sub-processors is available to Customer upon request. Saltfish will provide prior notice of material changes.
Objection. Customer may reasonably object on privacy or security grounds within the notice window. The parties will work in good faith to resolve; if unresolved, Customer may disable the affected feature or terminate the impacted order for a pro-rata refund of prepaid, unused fees.
Flow-down and retention carve-out. Saltfish will bind sub-processors by written terms no less protective than this DPA in substance, including confidentiality, security, purpose limitation, and transfer safeguards. Sub-processors will not use Customer Personal Data, Customer Content, or Outputs for model training or product improvement. Sub-processors will delete data in line with Section 10; however, where a sub-processor's standard terms impose a fixed retention period that cannot be shortened (for example, up to 36 months), deletion of copies held by that sub-processor will occur according to its standard terms. In such cases, Saltfish will use the most privacy-protective configuration available and limit data disclosed to what is necessary for the Service. Saltfish will not use any sub-processor for Customer data where training on such data cannot be disabled.
Customer-enabled integrations. Third-party services Customer enables are governed by their own terms; Saltfish processes data sent to such integrations on Customer's instructions.
8. International transfers
Where Personal Data is transferred outside the EEA/UK (and Switzerland, mutatis mutandis), Saltfish will implement valid transfer mechanisms, including:
EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) Module 2 (controller to processor) and/or Module 3 (processor to processor), as applicable; and
the UK International Data Transfer Addendum (IDTA/Addendum) for UK data.
The SCCs and UK Addendum are incorporated by reference and completed as set out in Annex I and Annex II. Saltfish will apply supplementary measures where appropriate.
9. Breach notification and cooperation
Saltfish will notify Customer without undue delay and in any event within 72 hours after confirmation of a personal data breach involving Customer Personal Data. Saltfish will provide available details, cooperate on mitigation and notifications, and document corrective actions.
10. Return and deletion; off-boarding
During term. Customer may export Customer Personal Data and Customer Content via available features or request Saltfish's assistance.
On termination or written request:
a) Saltfish will provide a machine-readable export within 30 days.
b) Saltfish will delete Customer Personal Data and Customer Content within 60 days of export or request, and will ensure sub-processors do the same.
c) Backups are purged on normal rotation and in any case within 90 days, unless longer retention is required by law or to establish, exercise, or defend legal claims.
Where a sub-processor's standard terms mandate a fixed retention period longer than the timelines above, deletion of copies held by that sub-processor will occur according to its standard terms. Saltfish will not instruct retention beyond those terms.
11. Assistance and DPIAs
Taking into account the nature of processing, Saltfish will assist Customer with data subject requests and with data protection impact assessments and prior consultations that relate to the Service, using information reasonably available to Saltfish.
12. Audit and verification
On reasonable written notice, once per 12 months (or more frequently if required by a regulator or following a material incident), Saltfish will make available independent audit reports or equivalent information demonstrating compliance. Where such information is insufficient, Customer may conduct a focused audit (on-site or remote) of relevant controls, subject to confidentiality, reasonable scheduling, and minimal disruption.
13. No training or product-improvement use
Saltfish will not use Customer Content, Outputs, or Customer Personal Data to train, fine-tune, or otherwise improve models or products, and will require sub-processors to adhere to the same prohibition. Saltfish will not use any sub-processor for Customer data where training on such data cannot be disabled.
14. Government and third-party requests
Saltfish will review and challenge unlawful or overbroad requests, seek to narrow scope, and notify Customer before disclosure unless legally prohibited or there is a clear risk of harm or emergency. Saltfish may publish aggregate transparency information where lawful.
15. Liability; precedence; changes
This DPA forms part of the Agreement; the Agreement's limitations and exclusions of liability apply to this DPA. If there is a conflict between this DPA and the Agreement on privacy or security topics, this DPA controls. The SCCs and UK Addendum control to the extent of conflict with either. Saltfish may update this DPA to reflect legal or operational changes; for material changes, Saltfish will provide advance notice (for example, 14–30 days). Continued use after the effective date constitutes acceptance.
16. Contact
For privacy matters: simon@saltfish.ai (subject: "DPA").
Annex I — Details of processing (GDPR Art. 28(3); SCCs Appendix)
A. Parties and roles
Data exporter: Customer (controller) and, where applicable, Customer acting as processor to its own customer.
Data importer: Saltfish AB (processor) and Saltfish's sub-processors (sub-processors).
B. Subject matter and purpose
Provision of the Service: hosting, avatar rendering, generating and delivering avatar media, event telemetry, optional session replay (DOM events only), support, security, and billing.
C. Nature of processing
Collection, recording, organization, structuring, storage, retrieval, transmission, display, and deletion.
D. Categories of data subjects
Creators: Customer personnel who create or upload recordings to make avatars.
End Users (Viewers): Individuals who view or interact with the embedded Widget.
Customer admins: Account holders and billing contacts.
E. Categories of Personal Data
Account/admin data (name, work email).
Customer-directed content: Creator recordings (video/audio), scripts/prompts; generated Outputs (avatar video/audio).
Event/telemetry (for example, load and completion events).
Optional session replay (DOM events only; no screen, audio, or video capture).
Support and billing metadata.
Saltfish does not require special-category data and instructs Customers to avoid it.
F. Special-category data
Not intended. If Customer instructs such processing, Customer ensures a valid legal basis and safeguards; processing remains subject to this DPA.
G. Frequency and duration
Continuous for the term of the Agreement; retention per Section 10 and the Privacy Policy.
H. Transfers
As needed for the Service; may include the EEA and non-EEA countries (for example, the United States) under the SCCs and UK Addendum with supplementary measures.
I. Competent supervisory authority (SCCs)
Determined per the SCCs based on the exporter's EEA location.
Annex II — Technical and organizational measures (TOMs)
Governance and access control (role-based access, least privilege, SSO/MFA for admin access, periodic reviews)
Encryption (TLS in transit; encryption at rest with managed keys)
Network and infrastructure security (segmentation, firewalls, hardening, vulnerability management, DDoS protections)
Application security (secure SDLC, code review, dependency scanning, secrets management, environment separation)
Logging and monitoring (centralized logs, alerting on anomalous events)
Data minimization and retention (collect only necessary data; automated log retention; retention per Section 10)
Business continuity and backup (encrypted backups; tested restoration; disaster recovery planning)
Incident response (documented playbooks; breach triage; notification workflow meeting Section 9)
Personnel security (background checks where lawful; confidentiality commitments; security training)
Vendor management (risk-based due diligence; contractual security/privacy commitments; ongoing monitoring)
Physical security (cloud provider data-center controls)
Testing (periodic penetration testing; timely remediation of high/critical findings)
Customer controls (export/delete features; configuration of session replay and masking)
Annex III — Sub-processors
Saltfish uses sub-processors for hosting, media generation, payments, and support. A current list is available to Customer upon request. Some media generation providers may apply a fixed retention period under their standard terms (for example, up to 36 months). Where applicable, Saltfish uses the most privacy-protective settings available, minimizes data disclosed to what is necessary for the Service, and does not permit model training on Customer data. Saltfish will provide prior notice of material changes and an objection process as described in Section 7.