hostmyvideo
Start free

Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into the HostMyVideo Terms of Service when you process personal data of individuals in the European Union, the United Kingdom, or another jurisdiction with comparable data-protection law through HostMyVideo. It applies automatically to every paid customer; no separate signature is required, and it takes precedence over the Terms to the extent of any conflict in respect of personal data.

1. Definitions

Capitalised terms not defined here have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) or the UK GDPR. In this DPA:

  • Controller means the entity that determines the purposes and means of processing personal data — typically you, the customer.
  • Processor means HostMyVideo (operated by QueryWing) when it processes personal data on the Controller's behalf.
  • Personal Data means information relating to an identified or identifiable natural person processed through the service.
  • Subprocessor means any third party engaged by the Processor to process Personal Data.
  • SCCs means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.

2. Subject matter and duration

The subject matter of the processing is the provision of the HostMyVideo service: ingestion, transcoding, storage, AI processing (where enabled by the Controller), and delivery of video content, plus the operation of the dashboard, analytics, and billing surfaces around it. Processing continues for the duration of the Controller's subscription and for the limited retention period described in our Privacy Policy.

3. Categories of data subjects and personal data

Data subjects may include:

  • the Controller's administrators and team members;
  • individuals appearing in or referenced by uploaded video content;
  • viewers of videos delivered through the service.

Categories of Personal Data may include:

  • identifiers (name, email, account ID);
  • profile information voluntarily provided;
  • video and audio recordings, transcripts, and AI-generated derivatives;
  • technical and usage data (IP address truncated for analytics, user agent, viewer region, watch-time).

Special categories of data should not be uploaded unless the Controller has an appropriate lawful basis under Article 9 GDPR. HostMyVideo is not a HIPAA-covered service and Protected Health Information must not be uploaded.

4. Subprocessors

The current list of authorised subprocessors, together with their regions, is published in the Privacy Policy. The Controller grants a general authorisation for the Processor to engage these subprocessors and any future replacement or addition that meets equivalent obligations. The Processor remains responsible for the performance of any subprocessor.

5. Security measures

The Processor implements the technical and organisational measures described on the Security page, including encryption in transit and at rest, access controls, logging, vulnerability management, and a documented incident-response process. These measures meet the requirements of Article 32 GDPR.

6. Standard Contractual Clauses

Where the Processor transfers Personal Data of EEA, UK, or Swiss data subjects to a country that has not received an adequacy decision, the parties incorporate the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), by reference. The optional docking clause and the option in Clause 17 selecting the law of Ireland apply. For UK transfers, the UK International Data Transfer Addendum (issued by the ICO) is incorporated by reference and modifies the SCCs accordingly. For Swiss transfers, references to the GDPR are read as references to the Swiss Federal Act on Data Protection.

7. Audit rights

The Processor will make available, on the Controller's reasonable request, the information necessary to demonstrate compliance with Article 28 GDPR — including third-party audit reports such as SOC 2 once available. Where the Controller requires an on-site audit, the parties will agree on scope, timing, confidentiality, and reasonable cost in advance, and audits will be conducted no more than once per year except where required by a competent supervisory authority or following a confirmed security incident.

8. International transfers

The Processor and its subprocessors operate in the United States and the European Union. The Controller authorises transfers to those regions, subject to the safeguards in Section 6. The Processor maintains a transfer impact assessment for material data flows and will provide a summary on reasonable request.

9. Subprocessor changes

Where the Processor engages a new subprocessor that processes Personal Data, it will notify Controllers on Business or Enterprise plans at least 30 days before the subprocessor is granted access, by email to the account's billing contact. The Controller may object on reasonable grounds related to data protection within that period; if the parties cannot agree on a resolution, the Controller may terminate the affected portion of the service without penalty for the unused prepaid period.

10. Contact

DPA-related correspondence — including signed copies, questionnaire responses, audit requests, and subprocessor objections — should be sent to support@querywing.com. We aim to acknowledge within two business days.

Last updated: 2026-05-07

HostMyVideoA QueryWing productPremium video hostingFounded 2026Worldwide
Data Processing Addendum | HostMyVideo