Data Processing Agreement

When you use Setso for your production, you (the production company) are the data controller — you decide what data is collected and why. Setso (Setflow B.V.) is the data processor — we handle that data on your behalf, only as needed to run the platform.

This means you stay in control of your crew's personal data at all times. We only process it to deliver the service you signed up for.

We process the following categories of personal data on your behalf:

• Names, email addresses, and phone numbers
• Date of birth and address
• Role/position on the production
• Dietary preferences and clothing sizes
• Emergency contact information
• Agent or company affiliation
• Hours worked and overtime
• Transport data (kilometers driven)
• End-of-day sentiment (emoticon)

This data relates to your employees, freelancers, and other participants on your productions.

We take the following measures to keep your data safe:

• All data is encrypted in transit (TLS) and at rest (AES-256)
• Email authentication via DKIM, SPF, and DMARC to prevent spoofing
• Accounts are protected with passwords and MFA (web) or PIN/biometric (app)
• Regular monitoring for unusual activity
• Periodic penetration testing

Our team only accesses personal data when strictly necessary to operate the platform. Everyone involved is bound by confidentiality obligations.

We use the following third-party services to operate Setso. All data is stored within the EU:

• Microsoft Azure (Ireland) — Cloud infrastructure and hosting
• MongoDB (US company, EU hosting) — Database for the Setso platform, hosted on Azure
• PostHog (US company, EU hosting) — Product analytics
• Clerk (US company, EU hosting) — User authentication and account management
• Attio (UK) — Customer relationship management (CRM)
• Sequence (UK) — Billing and subscription management
• Stripe (US company, EU hosting) — Payment processing

If we add or change a sub-processor, we'll notify you at least 14 days in advance so you can raise any objections.

If we detect a data breach affecting your personal data, we'll inform you as soon as possible and provide all information you need to meet your GDPR notification obligations (Article 33). It's up to you as the controller to decide whether to notify the Dutch Data Protection Authority and/or affected individuals.

Most personal data is kept only for the duration of your agreement with us. When the agreement ends, we delete all personal data within 60 days — or transfer it to you, if you prefer.

Basic identification data (first name, last name, role) may be retained longer to generally develop and improve our services.

We don't transfer personal data outside the European Economic Area unless there's an adequacy decision, Standard Contractual Clauses are in place, or you've given prior written consent. All our core infrastructure is in the EU.

As the data controller, you can:

• Access, correct, or delete personal data directly in the app
• Request our assistance with data subject requests
• Audit our compliance with this agreement
• Request a Data Protection Impact Assessment (DPIA) if required

For anything you can't handle directly in the app, contact us at privacy@setso.com.

Setflow B.V.

Johan van Hasseltkade 257, 1032 LP Amsterdam, the Netherlands

KvK: 91658942

Privacy questions: privacy@setso.com