Skip to main content

Data Processing Agreement

Last updated: February 27, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ConvertIntoMP4 ("Processor", "we", "us") and you ("Controller", "you") for the use of the ConvertIntoMP4 file conversion service ("the Service"). This DPA sets out the terms under which we process personal data on your behalf in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection legislation.

This DPA applies automatically to all users of ConvertIntoMP4 who are subject to the GDPR or similar data protection laws. Enterprise customers may request a separately executed DPA by contacting [email protected].

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on behalf of the Controller. A current list is available at our Sub-processor List.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the ConvertIntoMP4 file conversion service, including file upload, conversion between formats, temporary storage, and delivery of converted files.

3.2 Categories of Data Subjects

  • Users of the ConvertIntoMP4 service (registered and anonymous)
  • Third parties whose personal data may be contained within files uploaded for conversion

3.3 Types of Personal Data

  • Account information: email address, name, profile picture URL (if provided)
  • File content: any personal data contained within files uploaded for conversion
  • Technical data: IP addresses, browser metadata, error logs
  • Usage data: conversion types, file formats, timestamps
  • Payment data: billing information processed by DodoPayments (we do not store card numbers)

3.4 Duration of Processing

Processing of file content is strictly temporary. All uploaded and converted files are automatically deleted within 2 hours. Account data is retained for the lifetime of the account and deleted upon account termination. See our Data Retention Policy for detailed retention schedules.

4. Obligations of the Processor

ConvertIntoMP4, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law to which the Processor is subject.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
  • Not engage another processor (sub-processor) without prior general written authorization of the Controller and a written contract imposing equivalent data protection obligations (see Section 7).
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR.
  • Assist the Controller in ensuring compliance with security obligations, data breach notification, data protection impact assessments, and prior consultations (Articles 32-36 of the GDPR).
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, unless EU or Member State law requires storage.
  • Make available all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

5. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of Personal Data has a lawful basis under the GDPR.
  • Provide all necessary instructions to the Processor regarding the processing of Personal Data.
  • Ensure that files uploaded for conversion do not contain special categories of personal data (Article 9 GDPR) unless appropriate safeguards and lawful bases are in place.
  • Inform Data Subjects about the processing of their data through the Service, as required by Articles 13 and 14 of the GDPR.

6. Technical and Organizational Security Measures

ConvertIntoMP4 implements the following measures to protect Personal Data:

Encryption

  • All data in transit is encrypted using TLS 1.2+ (256-bit encryption)
  • File storage on Cloudflare R2 uses server-side encryption at rest
  • Database connections use encrypted SSL/TLS channels
  • Passwords are hashed with bcrypt; API keys are hashed before storage

Access Control

  • Principle of least privilege applied to all system and personnel access
  • Two-factor authentication (2FA) available for user accounts
  • SSH key-based access to production servers (no password authentication)
  • API key authentication with scoped permissions and per-key rate limiting

Infrastructure Security

  • Hosting on Hetzner Cloud in Helsinki, Finland (ISO 27001 certified data center)
  • Cloudflare DDoS protection, Web Application Firewall (WAF), and bot management
  • ClamAV virus scanning on all uploaded files
  • Automated security updates and vulnerability patching
  • Content Security Policy (CSP), CSRF protection, and rate limiting implemented

Data Isolation

  • Files are processed in isolated containers and never accessed by staff
  • Automatic file deletion within 2 hours with no backup retention of user files
  • Disk janitor service performs orphaned file cleanup every 5-30 minutes

Monitoring

  • Sentry error monitoring with real-time alerting
  • Structured logging with Pino (all file paths sanitized in logs)
  • Circuit breakers on all external service integrations
  • Health check endpoints with PostgreSQL and Redis connectivity validation

7. Sub-processor Engagement

The Controller provides general authorization for the Processor to engage sub-processors listed on our Sub-processor List. When engaging a new sub-processor:

  • We will notify the Controller at least 30 days before the new sub-processor begins processing Personal Data.
  • The Controller may object to the engagement within 30 days of notification.
  • We impose equivalent data protection obligations on all sub-processors through written agreements.
  • We remain liable for the acts and omissions of our sub-processors to the same extent as our own acts and omissions.

8. International Data Transfers

Our primary infrastructure is located in the European Union (Helsinki, Finland). Where Personal Data is transferred to sub-processors outside the EU/EEA, we rely on: (a) European Commission adequacy decisions, where available; (b) Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR; and (c) additional supplementary measures, including encryption in transit and at rest, where required by the specific circumstances of the transfer.

9. Data Breach Notification

In the event of a personal data breach (as defined in Article 4(12) of the GDPR):

  • Notification timeline: We will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Content of notification: The notification will include the nature of the breach, categories and approximate number of Data Subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to mitigate its effects.
  • Ongoing communication:We will provide additional information as it becomes available and cooperate fully with the Controller's breach response procedures.
  • Documentation: We will document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.

10. Data Subject Rights

We will assist the Controller in responding to Data Subject requests under the GDPR, including the right of access, rectification, erasure, data portability, restriction of processing, and the right to object. Given the transient nature of our file processing (automatic deletion within 2 hours) and the availability of self-service account management in the user dashboard (profile editing, account deletion, data export), most Data Subject requests can be fulfilled directly by the Controller without our intervention.

11. Audits

Upon reasonable request and at the Controller's expense, we will make available information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or a qualified third-party auditor, subject to reasonable confidentiality obligations. Audit requests should be submitted at least 30 days in advance to [email protected].

12. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination, we will delete all Personal Data processed on behalf of the Controller within 30 days, unless EU or Member State law requires further storage. The Controller may request confirmation of deletion.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Finland, without regard to its conflict of law principles, to the extent not superseded by the GDPR or other mandatory data protection legislation.

Contact

For questions about this Data Processing Agreement or to request a separately executed DPA, contact us at [email protected]