Skip to main content

DPA Statement v1.0

Transparency statement

This statement explains how Remotion handles personal data for the Remotion Pro licensing platform and why a separate GDPR Article 28 Data Processing Addendum is generally not required. It is provided for transparency and is not a contract or legal advice.

Table of contents

Data Processing Addendum (DPA) Statement

Version 1.0. Effective July 6, 2026

This DPA Statement explains how Remotion AG, Neunbrunnenstrasse 38, 8050 Zürich, Switzerland ("Remotion", "we", "us") handles personal data in connection with its license sales and usage telemetry system, and why a separate GDPR Article 28 Data Processing Addendum (a "DPA") is generally not required for the Remotion Pro licensing platform in its current form.

This statement is provided for transparency. It is not a contract and does not create rights or obligations beyond those set out in the Terms and Conditions ("Main Agreement") and the Privacy Policy. A related DPIA Statement explains why the licensing platform and its telemetry are not likely to result in a high risk and why a formal Data Protection Impact Assessment is not required. Where there is any conflict, the Main Agreement and Privacy Policy prevail. This statement is not legal advice.

A DPA under GDPR Article 28 (and equivalent provisions under UK GDPR and the Swiss nFADP) is required where a processor processes personal data on behalf of a controller, acting only on that controller's documented instructions.

For the Remotion Pro licensing platform in its current form, that relationship does not arise:

  • Remotion does not offer a hosted rendering service. Server rendering runs in the customer's own infrastructure, and client-side rendering runs in the end user's browser. Rendered media, project source code, and customer end-user content remain under the customer's control and are not transmitted to Remotion.
  • The personal data Remotion does handle (account, billing, store, support, license verification, and telemetry data) is processed for Remotion's own purposes, not on customer instructions.

Because Remotion does not process customer-controlled personal data on customer instructions, Remotion acts as an independent controller for this data rather than as the customer's processor. An Article 28 processor DPA is therefore not the appropriate instrument for the current platform.

This does not mean data protection law is irrelevant: GDPR, UK GDPR, and the Swiss nFADP may still apply to Remotion's own controller activities, and Remotion meets those obligations through its Privacy Policy and the practices described below.

Remotion determines the purposes and means of processing for the following and acts as an Independent Controller for:

  • Creating and managing user accounts and authentication (GitHub / Google / Email).
  • Processing payments, subscriptions, and invoices (via Stripe).
  • Operating the store and fulfilling store purchases.
  • Issuing and validating license keys and managing licensing relationships.
  • Collecting limited usage telemetry to verify license compliance, calculate usage-based billing, and give customers visibility into their own rendering activity.
  • Providing customer and community support (including via Discord for priority support customers).
  • Preventing abuse and fraud and ensuring the security of the licensing system.
  • Complying with legal obligations (tax, accounting, and valid law enforcement requests).

The categories of personal data, legal bases, retention, and data subject rights for this processing are described in the Privacy Policy.

As part of the licensing platform, Remotion does not receive or process:

  • Customer-rendered media or its content or metadata.
  • Customer project source code or Remotion project content.
  • Rendered output or media assets generated by the customer.
  • End-user content, datasets, or uploads belonging to the customer or the customer's own users.

Because Remotion has no access to this content, Remotion is not processing it on the customer's behalf, either as a controller or as a processor.

Telemetry is limited to operational and license metadata that Remotion needs to verify license compliance, support usage-based billing and accountability, and show customers their own rendering activity. As described in the Telemetry section of the Terms, the information collected is limited to:

  • IP address;
  • domain name;
  • whether the render was in production or development; and
  • whether the render was a video or a still image.

No information about the content or metadata of the rendered media, and no other user data, is collected through telemetry. Remotion processes this telemetry as an Independent Controller for its own licensing and billing purposes.

If a customer's integration causes personal data of the customer's own end users (for example, end-user IP addresses or technical identifiers) to be transmitted to Remotion through client-side rendering or other integrations, the customer is responsible for providing any notices and obtaining any consents required under applicable data protection law, and for referencing Remotion's telemetry in the customer's own privacy notices where required.

To operate its licensing and usage telemetry system, Remotion relies on the service providers listed below. This list is derived from actual integrations in the remotion.pro codebase (environment variables, SDK dependencies, and deployment configuration). It is provided for transparency.

Most of these providers process personal data on Remotion's behalf and on Remotion's instructions as processors engaged by Remotion (i.e. they are Remotion's subprocessors, not the customer's). Some providers, such as payment processors, additionally act as Independent Controllers for their own legal, fraud-prevention, and compliance purposes. Where a provider acts as an Independent Controller, that processing is governed by the provider's own terms, not by Remotion.

Note on remotion.dev: The remotion.dev website contains developer documentation, it is operated by the same legal entity (Remotion AG) but maintained in a separate repository. Its infrastructure and provider arrangement is not covered by this list.

Service provider Location Service / Purpose
ActiveCampaign, LLC. (Postmark) US Transactional email delivery
Amazon Web Services, Inc. US / EU Database hosting
Discord, Inc. US Community support and priority support channels
Functional Software, Inc. (Sentry) DE (EU) Error monitoring and performance diagnostics
GitHub, Inc. US / global OAuth authentication and store purchase fulfillment
Google, LLC. US / global OAuth authentication
MailerLite, Ltd. IE (EU) Newsletter and marketing communications
Mux, Inc. US Video streaming and encoding for public store product demo videos and documentation
Slack Technologies, Ltd. IE (EU) Priority support channels
Stripe, LLC. / Stripe Payments Europe, Ltd. US / IE (EU) Payment processing, subscription management, fraud prevention, and compliance
Sudory NL / CH Compliance platform
Vercel, Inc. US / global Application hosting, serverless functions, and CDN

Ancillary infrastructure services (e.g. DNS): Remotion uses third-party providers for essential internet infrastructure, including authoritative DNS services (currently Cloudflare). These providers may receive limited technical data in the course of DNS resolution, such as the IP address of the querying recursive resolver and the domain name being resolved. Such providers generally process this data as Independent Controllers for the purposes of operating, securing, and improving their global infrastructure services. They are not engaged as service providers acting on Remotion's instructions for this purpose.

Note on payment processors (including Stripe): Payment providers such as Stripe (Stripe, Inc. and Stripe Payments Europe, Ltd. in Dublin, Ireland) process the personal data Remotion transmits to them to handle payments, subscriptions, and billing on Remotion's behalf. They may additionally process certain categories of data as Independent Controllers (not on Remotion's instructions) for their own legal obligations, including fraud prevention, sanctions screening, and financial crime prevention. This dual role is common for payment processors. Customers can review the processor's own data processing terms for the Independent Controller processing (see Stripe's DPA at https://stripe.com/legal/dpa).

Remotion has a data processing agreement (DPA) in place with each of the service providers listed above that process personal data on Remotion's behalf, binding them to equivalent data protection obligations.

We will update this list as our service providers change. Material questions can be directed to privacy@remotion.dev.

Remotion maintains and develops a security program designed with reference to ISO 27001 principles. That said, we do not currently hold any formal security certifications or attestations as a small team. Key measures include but are not limited to:

  • Encryption: TLS 1.3 (or better) in transit for all external connections; AES-256 (or equivalent) encryption at rest for databases and object storage containing personal data.
  • Access control: Principle of least privilege; unique user accounts; multi-factor authentication required for all internal access to production systems; just-in-time privileged access where feasible.
  • Network security: Firewalls, DDoS protection, and regular vulnerability scanning.
  • Data minimization & retention: Personal data is collected only as necessary; automatic deletion or anonymization of telemetry and logs according to published retention schedules.
  • Logging & monitoring: Logging of access to systems handling personal data and alerting on suspicious activity.
  • Vendor management: Security and data protection due diligence on service providers; contractual flow-down of equivalent obligations where they act on our instructions.
  • Employee practices: Background checks where legally permitted; mandatory security and privacy training; confidentiality agreements.
  • Physical & environmental: All production infrastructure hosted with certified providers (physical security, redundancy, environmental controls).

We may update these measures from time to time provided the overall level of protection is not reduced.

Where personal data is transferred from the EEA, the United Kingdom, or Switzerland to a service provider in a country that does not ensure an adequate level of protection (primarily the United States), Remotion relies on appropriate safeguards, including the Standard Contractual Clauses issued by the European Commission (Commission Implementing Decision (EU) 2021/914), together with the Swiss Addendum or the UK International Data Transfer Addendum where applicable. Remotion (or the relevant service provider) carries out transfer risk assessments and applies supplementary measures where necessary.

Several of the U.S.-based service providers listed above also self-certify under the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Data Privacy Framework). You can verify a provider's current certification status, including the categories of data and the cross-border transfer commitments it covers, on the official Data Privacy Framework list at https://dataprivacyframework.gov/list.

Some Enterprise customers, or customers whose integration or contractual setup differs from the standard licensing platform, may have specific data protection requirements. If your organization requires a separate data processing agreement or a tailored arrangement, contact privacy@remotion.dev and we will assess what is appropriate for your use case.

Privacy contact: privacy@remotion.dev
Security contact: security@remotion.dev


Remotion AG, Neunbrunnenstrasse 38, 8050 Zürich, Switzerland. Contact: privacy@remotion.dev