1. About This Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Film Installers (“Processor”) and employer accounts that use the Platform (“Controller”). It sets out the terms on which Film Installers processes personal data on behalf of employers as required under the General Data Protection Regulation (“GDPR”) and the UK GDPR.
This DPA is relevant to employer accounts that are established in the European Economic Area (EEA) or United Kingdom, or that access and process personal data of EEA/UK residents via the Platform. If neither of these applies to you, this DPA is provided for reference only and does not impose additional obligations.
Processor: Film Installers (“Film Installers”), operating at filminstallers.com
Controller: The employer account holder who accepts the Terms of Service
DPA Version: 2026-03-14-v1
Effective Date: March 14, 2026
Document version: 2026-03-14-v1
2. Definitions
In this DPA, the following terms have the meanings given below. Other capitalized terms not defined here have the meanings given in the GDPR or in the Terms of Service.
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR
- "Processing" — any operation performed on Personal Data, including collection, storage, retrieval, disclosure, or erasure
- "Data Subject" — the identified or identifiable natural person to whom Personal Data relates (in this context, primarily installer profile holders)
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller
- "GDPR" — the General Data Protection Regulation (EU) 2016/679 and, where applicable, UK GDPR as retained in UK law
- "Supervisory Authority" — the relevant national data protection authority (e.g. the ICO in the UK, or the applicable EU member state DPA)
3. Subject Matter and Purpose of Processing
3.1 Nature and Purpose
Film Installers processes Personal Data as a Processor on behalf of employer accounts solely to provide the Platform services described in the Terms of Service, which include:
- Displaying installer profiles to authenticated employer accounts
- Facilitating job postings and employer-to-installer connections
- Storing employer account data and preferences
- Providing account management and security functionality
3.2 Categories of Personal Data
The Personal Data processed includes installer profile information made available on the Platform:
- Identity data: first name, last name
- Contact data: city, state/province, phone number (if provided)
- Professional data: years of experience, service types, work history, experience level
- Account metadata: member since date, profile visibility status
3.3 Categories of Data Subjects
The Data Subjects are installer account holders who have created profiles on the Platform and whose profiles are visible to authenticated employer accounts.
3.4 Duration
Processing continues for the duration of the employer account's active subscription or access to the Platform, or until this DPA is terminated in accordance with Section 10.
4. Obligations of the Processor
As Processor, Film Installers agrees to the following obligations in respect of Personal Data processed on behalf of the Controller:
4.1 Instructions
Process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA), unless required to do so by applicable law. If required by law to process beyond these instructions, Film Installers will inform the Controller unless prohibited by law.
4.2 Confidentiality
Ensure that authorized personnel who process Personal Data are subject to appropriate confidentiality obligations.
4.3 Security
Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including the measures described in Section 6 below and in the Privacy Policy.
4.4 Sub-processors
Not engage sub-processors without informing the Controller. Current sub-processors are listed in Section 7. Film Installers will provide reasonable notice (not less than 30 days) before engaging new sub-processors. The Controller may object on reasonable grounds within that period.
4.5 Data Subject Rights
Assist the Controller in fulfilling obligations to respond to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) where technically feasible, taking into account the nature of processing. Data Subjects may exercise most rights directly through their account settings.
4.6 Data Protection Impact Assessments
Provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) required under Article 35 GDPR where the processing carried out by Film Installers is relevant to such assessment.
4.7 Breach Notification
Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach affecting the Controller's data, providing sufficient information to enable the Controller to meet its own notification obligations.
4.8 Deletion or Return
At the end of the provision of services, at the Controller's option, delete or return all Personal Data and delete existing copies unless applicable law requires retention.
4.9 Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits or inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable prior notice and confidentiality protections.
5. Obligations of the Controller
As Controller, the employer account holder agrees to:
- Ensure that Personal Data accessed through the Platform is used only for legitimate recruitment and employment-related purposes
- Not download, export, or compile installer profile data for purposes other than direct recruitment on the Platform
- Comply with applicable data protection law in respect of Personal Data obtained via the Platform, including maintaining a lawful basis for any further processing
- Ensure that any Data Subject rights requests received directly by the Controller relating to installer profile data are forwarded to privacy@filminstallers.com without undue delay
- Not share installer Personal Data obtained via the Platform with third parties except as required for a specific hiring transaction
6. Security Measures
Film Installers implements the following technical and organizational security measures:
- All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher
- Passwords stored as bcrypt hashes; no plaintext credential storage
- Row-level security policies on all database tables ensuring users can only access their own data
- Role-based access controls limiting staff access to user data
- Database hosted on Supabase infrastructure with SOC 2 Type II certification
- Regular security reviews and dependency updates
7. Sub-processors
Film Installers currently uses the following sub-processors to provide the Platform services. All sub-processors are bound by data processing agreements incorporating GDPR-compliant terms.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, and API infrastructure | United States |
| Resend (or equivalent) | Transactional email delivery | United States |
| Netlify / Vercel (or equivalent) | Application hosting and CDN | United States / Global CDN |
For transfers to sub-processors outside the EEA/UK, Film Installers relies on Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as the transfer mechanism.
8. International Data Transfers
Personal Data processed under this DPA may be transferred to and processed in the United States. Film Installers ensures that all such transfers comply with GDPR Chapter V through the following mechanisms:
- Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914 for EEA-to-US transfers
- UK International Data Transfer Agreements (IDTAs) for UK-to-US transfers
- Adequacy decisions where applicable and available
Copies of applicable transfer documentation are available upon request to privacy@filminstallers.com.
9. Data Subject Rights Support
Data Subjects (installer profile holders) may exercise their GDPR rights directly through their account settings:
- Right of Access / Data Portability: Data Export feature in Account Settings
- Right to Rectification: Profile editing available in the Dashboard
- Right to Erasure: Account Deletion feature in Account Settings (processed within 30 days)
- Right to Object to targeted advertising: Advertising Preferences in Account Settings
For rights requests that cannot be fulfilled through self-service, Data Subjects or Controllers may contact privacy@filminstallers.com. We respond within 30 days.
10. Term and Termination
This DPA is effective from the date the employer account accepts the Terms of Service and remains in effect for as long as the employer account has access to the Platform.
On termination of the employer account or the Terms of Service, Film Installers will, at the Controller's written request, delete all Personal Data processed under this DPA within 90 days, unless retention is required by applicable law.
11. Liability
Each party is liable for damages caused by processing that violates the GDPR to the extent that party is responsible for the damage. The liability limitations in the Terms of Service apply to this DPA to the maximum extent permitted by applicable law, subject to any rights that cannot be excluded under GDPR or applicable consumer protection law.
12. Contact and DPA Acceptance
If you are an employer account requiring formal DPA acceptance for your GDPR compliance records, please contact us to request a countersigned DPA:
Film Installers — Legal / Privacy Team
Email: legal@filminstallers.com
Privacy: privacy@filminstallers.com
Website: filminstallers.com
See also our Privacy Policy and Terms of Service.