1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Vexa ("Processor") and you, the user or business ("Controller"), and governs the processing of personal data Vexa carries out on your behalf when you use the Vexa AI video generation platform.
This DPA is designed to comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws. Where you act as a Controller and Vexa acts as a Processor within the meaning of Article 4(8) GDPR, this DPA sets out the obligations of each party.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Controller — the natural or legal person who determines the purposes and means of processing Personal Data.
- Processor — Vexa, which processes Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by Vexa to process Personal Data.
- Data Subject — the individual whose Personal Data is processed.
3. Nature and Purpose of Processing
| Item | Details |
|---|---|
| Subject matter | AI video generation services provided via sora-2.run |
| Duration | For the term of your account, plus any legally required retention period |
| Nature | Storage, processing of prompts and generated outputs, billing data, usage analytics |
| Categories of data | Account identifiers (name, email), payment metadata, text prompts, uploaded images, generated video outputs, usage logs |
| Data subjects | Vexa account holders and, where applicable, individuals depicted in uploaded images |
Vexa processes Personal Data solely for the purposes set out above and strictly in accordance with the Controller's documented instructions, unless required to do otherwise by applicable law.
4. Processor Obligations
Vexa agrees to:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures (see Section 5).
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests (see Section 7).
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller data.
- Delete or return all Personal Data upon termination of services, at the Controller's choice, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits conducted by the Controller or its auditor, subject to reasonable notice and confidentiality protections.
5. Security Measures
Vexa implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption in transit — all data is transmitted over TLS 1.2+ (HTTPS).
- Encryption at rest — database and file storage is encrypted using AES-256.
- Access controls — role-based access control (RBAC) limits access to Personal Data to authorized personnel only.
- Authentication — multi-factor authentication is enforced for internal administrative access.
- Incident response — we maintain a documented incident response plan with defined escalation paths and breach notification timelines.
- Vendor assessments — we conduct security assessments of Sub-processors before engagement.
- Data minimization — we collect only Personal Data necessary for the stated processing purpose.
6. Sub-processors
Vexa may engage the following categories of Sub-processors to assist in delivering the service. All Sub-processors are bound by data protection obligations no less stringent than those set out in this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting & edge delivery | USA / Global |
| Neon / PostgreSQL | Database (user accounts, credits, history) | USA |
| Cloudflare R2 | Object storage (uploaded images) | USA / EU |
| Kie AI | AI video generation inference | USA / Global |
| Creem | Payment processing | USA |
| Resend | Transactional email | USA |
We will notify the Controller of any intended changes to Sub-processors with reasonable advance notice. The Controller may object to any new Sub-processor within 14 days of notification.
7. Data Subject Rights
Vexa will assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable law, including:
- Right of access — providing a copy of the Personal Data we hold.
- Right to rectification — correcting inaccurate or incomplete data.
- Right to erasure — deleting Personal Data upon request, subject to legal retention obligations.
- Right to data portability — exporting Personal Data in a machine-readable format.
- Right to restrict processing — limiting how we process data in certain circumstances.
- Right to object — objecting to processing based on legitimate interests.
To exercise any of the above rights, please contact us at support@sora-2.run. We will respond within 30 days.
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Vexa will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission, or reliance on an adequacy decision. Our primary infrastructure is hosted in the United States.
9. Data Breach Notification
In the event of a Personal Data breach that affects Controller data, Vexa will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information to allow the Controller to meet its own notification obligations under applicable law.
10. Contact
For DPA-related inquiries, please contact us at support@sora-2.run with the subject line "DPA Inquiry".