Data Transfers to the United States
Some of our sub-processors are based in the United States. We ensure that all transfers of personal data to these sub-processors comply with GDPR and EU data protection standards through one of the following legal mechanisms:
EU-U.S. Data Privacy Framework (DPF). Several of our US-based infrastructure providers are certified under the EU-U.S. Data Privacy Framework. The European Commission has determined that this framework provides a level of data protection comparable to EU standards, meaning transfers to DPF-certified providers are treated as equivalent to intra-EU transfers.
Standard Contractual Clauses (SCCs). For US-based sub-processors not certified under the DPF, we use the EU Standard Contractual Clauses — legal contracts approved by the European Commission that bind the receiving party to protect personal data in accordance with EU standards.
Following the "Schrems II" ruling by the Court of Justice of the EU, concerns were raised about whether SCCs alone could ensure adequate protection against US government surveillance. Since then, the United States has implemented significant legal reforms through Executive Order 14086, which limits intelligence activities to what is necessary and proportionate and establishes a Data Protection Review Court where EU citizens can seek redress. The European Commission has confirmed that these safeguards strengthen the validity of SCCs as a transfer mechanism.
Regardless of the mechanism used, all our sub-processors are contractually bound to maintain strict security measures and technical safeguards to protect personal data.
AI Sub-Processors — Safety and Compliance
To power advanced automation and creative features, Storykit uses industry-leading AI models provided by third-party sub-processors through their enterprise API services.
How we protect your data
No model training. Your data is never used to train or improve AI models. We have contractually opted out of all model training across our AI sub-processors.
No data retention. Data sent to AI sub-processors is used solely to generate the requested output. It is not stored or retained after processing, except for short-term security and abuse monitoring windows (typically less than 30 days), after which it is automatically deleted.
Encryption. All data is encrypted in transit and at rest.
GDPR compliance. All AI sub-processors are bound by Data Processing Agreements (DPAs) and operate under valid transfer mechanisms (DPF or SCCs) as described above.
What we use AI for
These services may process selected user-uploaded content to:
- Generate structured text outputs such as video scripts, copy suggestions, or content recommendations.
- Create text summaries and descriptive metadata for video or image assets.
AI processing is limited to these use cases. No autonomous decisions are made by AI on behalf of users.
Opting out
AI-powered features are enabled by default so that you have immediate access to Storykit's full feature set. No additional agreement is required to use them.
If you prefer not to use AI sub-processors, you can opt out at any time. Please note that opting out will disable the specific Storykit features that rely on these services. To request an opt-out, please contact the account manager responsible for your company.