Data Processing Addendum
​
This Data Processing Addendum (“DPA”) forms part of the [Service Agreement / Master Services Agreement / Terms of Service] (“Agreement”) between Farm Cove Limited (“Processor” or “Farm Cove”) and the undersigned party or entity (“Controller” or “Customer”). This DPA applies whenever Farm Cove processes Personal Data on behalf of Customer under the Agreement.
​
1. Definitions
​
1.1 Applicable Data Protection Law
Means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the UK GDPR, the EU GDPR (if applicable), the UK Data Protection Act 2018, and any other applicable law.
​
1.2 Controller
Means the entity (e.g., the Customer) that determines the purposes and means of the processing of Personal Data.
1.3 Processor
Means Farm Cove Limited, which processes Personal Data on behalf of the Controller.
1.4 Personal Data
Means any information relating to an identified or identifiable natural person (“Data Subject”) that is protected under Applicable Data Protection Law and that Farm Cove processes on behalf of the Controller in connection with the Services.
1.5 Services
Means the services provided by Farm Cove to the Controller as described in the Agreement.
1.6 Sub-processor
Means any third party appointed by or on behalf of Farm Cove to process Personal Data.
Other capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement or under Applicable Data Protection Law.
2. Subject Matter and Duration
​
2.1 Subject Matter
Farm Cove shall process Personal Data on behalf of the Controller for the purpose of providing the Services, as further described in the Agreement.
2.2 Duration
This DPA will remain in effect as long as Farm Cove processes Personal Data on behalf of the Controller under the Agreement and will automatically terminate upon the deletion or return of all Personal Data by Farm Cove.
3. Roles and Responsibilities
​
3.1 Controller
The Controller determines the purposes and means of the processing of Personal Data. The Controller bears all responsibility for ensuring that it has a valid legal basis for the processing (e.g., consent, legitimate interests, contractual necessity) and for compliance with all Applicable Data Protection Law obligations.
3.2 Processor
Farm Cove processes Personal Data on behalf of the Controller solely in accordance with this DPA, the Agreement, and the Controller’s documented instructions. If Farm Cove believes an instruction violates Applicable Data Protection Law, it shall promptly inform the Controller.
4. Nature and Purpose of Processing
​
4.1 Nature of Processing
Farm Cove will process Personal Data as necessary to provide the Services described in the Agreement and any related technical support.
4.2 Purpose
The purpose of the processing is to enable Farm Cove to deliver its platform services for film production, crew onboarding, payroll, compliance management, or other services detailed in the Agreement.
4.3 Categories of Data Subjects
-
Employees and crew of the Controller
-
Contractors, suppliers, or other individuals whose data the Controller inputs into Farm Cove’s systems
4.4 Categories of Personal Data
May include Identity Data, Contact Data, Financial Data, and other Personal Data as described in the Agreement or the Farm Cove Privacy Policy.
5. Processor Obligations
5.1 Compliance
Farm Cove shall process Personal Data in compliance with Applicable Data Protection Law and this DPA.
5.2 Confidentiality
Farm Cove ensures that its personnel authorized to process Personal Data are subject to obligations of confidentiality.
5.3 Technical and Organizational Measures
Farm Cove implements appropriate technical and organizational measures to protect the Personal Data from unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are outlined in the Farm Cove Privacy Policy and may include encryption, access controls, and regular security assessments.
5.4 Data Subject Requests
-
If Farm Cove receives a request from a Data Subject relating to Personal Data processed on the Controller’s behalf (e.g., requests to access, erase, or rectify Personal Data), Farm Cove shall promptly notify the Controller.
-
Farm Cove shall not respond to such request except on documented instructions of the Controller or as required by Applicable Data Protection Law.
5.5 Assistance
Farm Cove shall provide reasonable assistance to the Controller in fulfilling its obligations under Applicable Data Protection Law, including with regard to data protection impact assessments, breach notifications, and responding to Data Subject requests.
6. Controller Obligations
6.1 Lawful Basis
The Controller will ensure that it has all necessary consents and lawful bases in place to collect, process, and transfer Personal Data to Farm Cove for the purposes described in the Agreement.
6.2 Accuracy
The Controller is responsible for the accuracy, quality, and legality of the Personal Data and for the means by which it acquired such Personal Data.
6.3 Instructions
The Controller shall only provide documented instructions to Farm Cove that are lawful and consistent with the Agreement and this DPA.
7. Sub-processing
7.1 Authorized Sub-processors
The Controller provides general authorization for Farm Cove to engage Sub-processors for providing the Services (e.g., hosting providers, payment processors).
7.2 Sub-processor Obligations
Where Farm Cove engages Sub-processors, Farm Cove shall ensure, by way of a written contract, that the Sub-processor is bound by data protection obligations similar to those in this DPA.
7.3 Notification of Changes
Farm Cove shall maintain a list of Sub-processors upon request and will notify the Controller of any intended changes concerning addition or replacement of Sub-processors, giving the Controller an opportunity to object.
8. International Transfers
Where Farm Cove transfers Personal Data outside of the UK or European Economic Area (EEA), Farm Cove will ensure that such transfers comply with Applicable Data Protection Law, including by implementing appropriate safeguards such as Standard Contractual Clauses or data transfer frameworks recognized under UK/EU law. More details on transfers are set out in the Farm Cove Privacy Policy.
9. Personal Data Breaches
Farm Cove shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed on the Controller’s behalf. Such notification shall include sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law.
10. Return or Deletion of Personal Data
Upon termination or expiration of the Agreement, or at any time upon the Controller’s request, Farm Cove shall, at the Controller’s choice, either return all Personal Data to the Controller or securely delete it, unless Applicable Data Protection Law requires storage of the Personal Data. Farm Cove may retain aggregated or anonymized data for lawful analytics and product improvement.
11. Audits and Inspections
At the Controller’s written request, Farm Cove shall make available information and allow for audits necessary to demonstrate its compliance with this DPA. Any audits shall be conducted during regular business hours, with reasonable notice, and shall not interfere with Farm Cove’s business operations. The Controller is responsible for any costs incurred by such audits.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent prohibited by applicable law.
13. Governing Law and Jurisdiction
This DPA is governed by and construed in accordance with the laws stated in the Agreement. Any disputes arising in connection with this DPA shall be subject to the dispute resolution provisions and jurisdiction set out in the Agreement.
14. Miscellaneous
14.1 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes any prior agreements on the same subject matter.
14.2 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
14.3 Counterparts
This DPA may be executed in counterparts, each of which is deemed an original, but all of which together constitute one and the same instrument.
​