Legal and Policies

Origami Platform is operated by Mission Digital Limited, a company registered in England and Wales (company number 07688023), registered office Unit 16, Townsend Industrial Estate, Waxlow Road, London NW10 7NU, VAT number GB 118437611. Contact: support@origamiplatform.io.

Last updated: 2 June 2026

This page contains:

Privacy Policy
Cookie Policy
Terms of Use
Acceptable Use Policy
Data Processing Agreement
Sub-processors

Privacy Policy

This policy explains how we handle personal data when we act as a controller, that is, for our own purposes such as running your account, securing the service, understanding how the platform is used, and our sales and marketing.

When you upload or generate production content and metadata in the platform, we handle the personal data inside that content as a processor on your organisation’s instructions. That processing is governed by our Data Processing Agreement with your organisation, not by this policy. We do not use your production content or metadata for any purpose other than providing the service to you. If you are an individual whose personal data appears in a customer’s production data, please contact that customer (the controller) to exercise your rights, and we will support them in responding.

We are a business-to-business service, intended for organisations (studios, post houses, VFX vendors and similar), not consumers. For any privacy question, or to exercise your rights, contact support@origamiplatform.io. We have not appointed a Data Protection Officer; privacy queries are handled through that address.

The personal data we collect (as controller)

Category	Examples	Where it comes from
Account and identity data	Name, work email address, organisation, role/permissions	You, your colleagues, or your organisation’s administrator when an account is created
Authentication data	Login and multi-factor authentication details handled through our identity provider (WorkOS), including single sign-on via Google where you use it	You / your identity provider
Usage and product-analytics data	Pages and features used, actions taken, device and browser information, approximate location derived from IP, and session-replay recordings of our own interface with input fields masked	Automatically, via our analytics provider (PostHog)
Support and feedback data	Bug reports, feedback, correspondence, and a redacted technical snapshot you submit with a report	You
Sales and marketing data	Contact details, demo requests, and communication preferences	You, via our website demo form and our CRM (HubSpot)
Technical and security logs	Server and application logs, from which we redact identifiers (such as tokens, secrets and email addresses) before storage	Automatically

Our session-replay analytics record only our own application interface, not the content of the production media or metadata you process. We do not seek to collect special-category personal data; please do not enter it into free-text fields.

Why we use it, and our lawful basis

Purpose	Lawful basis
Creating and administering your account; providing the platform	Performance of a contract with your organisation, and our legitimate interests in operating the service
Authentication and account security (including MFA)	Our legitimate interests in keeping the platform and your data secure; legal obligation where applicable
Product analytics and improving the platform	Our legitimate interests in understanding and improving the service
Responding to support requests and feedback	Our legitimate interests in supporting and improving the service
Sending service and administrative messages	Performance of a contract; our legitimate interests
Marketing to business contacts	Our legitimate interests in promoting the service to relevant businesses. Every marketing message includes an unsubscribe option
Meeting legal, accounting and security obligations	Compliance with a legal obligation; our legitimate interests

Where we rely on legitimate interests, we have weighed those interests against your rights and keep a record of that assessment, available on request.

Who we share it with

We share personal data with the service providers that help us run Origami. Each is bound by contract to protect it and to use it only on our instructions. Our current providers include Amazon Web Services (cloud hosting and storage, UK region), WorkOS (authentication), PostHog (product analytics, EU-hosted), HubSpot (CRM and marketing, EU-hosted), Sanity and Vercel (our marketing website), and DigitalOcean (website front end and a supporting database). The providers that process customer production data on our customers’ behalf are listed in the Sub-processors section below.

We may also disclose personal data to professional advisers, to a buyer in connection with a corporate transaction, or where required by law or to protect our rights or the security of the service. We do not sell your personal data.

International transfers

Our platform and customer data are hosted in the United Kingdom (AWS London region). Where personal data is transferred to a provider outside the UK, we rely on an appropriate safeguard under UK data protection law: an adequacy decision; the UK-US Data Bridge where the provider is certified under the EU-US Data Privacy Framework and its UK Extension; or the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, with a transfer risk assessment where required.

How long we keep it

Account and identity data: deleted within 90 days of the account closing.
Application and security logs: 30 days.
Support and feedback records: 90 days, or longer where needed to resolve an issue.
Sales and marketing data: 1 year from your last engagement with us, or until you ask us to stop, whichever is sooner.

Where data is no longer needed, we delete it or irreversibly anonymise it.

Your rights

Under UK data protection law you have the right to be informed, to access your data, to have it corrected or erased, to restrict or object to processing, to data portability, and to withdraw consent at any time where we rely on it. We do not make decisions about you that produce legal or similarly significant effects solely by automated means.

To exercise any right, contact support@origamiplatform.io. We will respond within one month, and will tell you if we need longer for a complex request. You can also complain to the Information Commissioner’s Office (ICO), ico.org.uk, 0303 123 1113, although we would welcome the chance to resolve your concern first.

Cookies

We use cookies and similar technologies as described in the Cookie Policy section below.

Changes to this policy

We may update this policy from time to time. We will post the updated version here and, where changes are significant, tell you directly.

Cookie Policy

This explains how the Origami Platform website and application use cookies and similar technologies. A cookie is a small file stored on your device. We group the cookies we use into those that are strictly necessary (always on, because the service cannot work without them) and those that are not strictly necessary (set only with your consent, which you give through our cookie banner and can change at any time).

Strictly necessary cookies

These keep you signed in, keep your session secure, and remember your cookie choices. They do not require consent.

Cookie	Purpose	Type	Duration
`wos-session`	Keeps you securely signed in to the application (set by our identity provider, WorkOS)	First-party, essential	Session / sign-in period
Cookie-consent preference	Remembers your cookie choices	First-party, essential	Up to 12 months

Analytics and marketing cookies (consent required)

We use HubSpot, Google Analytics and Microsoft Clarity on our marketing website to understand how visitors use the site and to support our sales and marketing. These cookies are set only after you accept them in our cookie banner.

Cookie	Purpose	Type	Duration
`__hstc`	Main HubSpot analytics cookie (visitor, session and engagement tracking)	Third-party (HubSpot)	Up to 6 months
`hubspotutk`	Identifies a visitor across sessions, used with HubSpot forms	Third-party (HubSpot)	Up to 6 months
`__hssc`	Tracks the current session	Third-party (HubSpot)	30 minutes
`__hssrc`	Detects whether the visitor has restarted their browser	Third-party (HubSpot)	Session
`messagesUtk`	Links a visitor to conversations in the HubSpot chat/forms	Third-party (HubSpot)	Up to 6 months
`_ga`, `_ga_*`	Google Analytics: distinguishes visitors and sessions to measure how the site is used	Third-party (Google Analytics)	Up to 2 years
`_clck`, `_clsk`	Microsoft Clarity: links a visitor and session to heatmap and session-recording data of our website	Third-party (Microsoft Clarity)	Up to 12 months

We do not use advertising cookies.

Managing your choices

When you first visit our website, our banner lets you Accept or Reject non-essential cookies, with equal prominence, and choose by category. You can reopen the banner and change your choice at any time using the Cookie settings link in the website footer. You can also block or delete cookies through your browser settings, although the site and the application may not work correctly without the strictly necessary ones.

Terms of Use

These Terms of Use (“Terms”) are a contract between Mission Digital Limited (“Origami”, “we”, “us”) and the organisation that subscribes to or uses the Origami Platform (“Customer”, “you”).

The Origami Platform is a business service. By creating an account, clicking to accept, or using the platform, you confirm you are acting for a business and have authority to bind your organisation, and you agree to these Terms. If you do not agree, do not use the platform. These Terms govern self-serve use of the platform. Where you and Origami sign a separate written agreement, that agreement prevails over these Terms to the extent of any conflict, and may add agreed terms specific to you.

The service

Origami provides a post-production and VFX workflow platform that moves production metadata and assets through the pipeline, as described in our documentation and order form. We may improve, change or add to the platform from time to time, and will not materially reduce its core functionality during a paid term without notice.

Accounts and access

You are responsible for your account, your authorised users, and keeping credentials secure. We require multi-factor authentication and unique credentials for each user. You must tell us promptly of any unauthorised access. We may set reasonable usage limits.

Acceptable use

Your use of the platform must comply with our Acceptable Use Policy, which forms part of these Terms.

Your content

You and your licensors own all content, media, and metadata you upload to or generate in the platform (“Customer Content”). We claim no ownership of it. You grant us a non-exclusive, worldwide licence to host, store, process, transmit and display Customer Content only as needed to provide and secure the platform, and as instructed by you. We do not use Customer Content for any other purpose. Where Customer Content contains personal data, we process it as your processor under the Data Processing Agreement. You are responsible for having the rights needed to upload Customer Content and for its lawful use.

Our intellectual property

We and our licensors own the platform, its software, and all related intellectual property. We grant you a non-exclusive, non-transferable right to use the platform during your subscription, subject to these Terms. You may not copy, reverse-engineer, resell or create derivative works from the platform except as the law allows. If you give us feedback, you grant us a perpetual, royalty-free licence to use it to improve the service. We will not identify you as the source without your agreement.

Fees

Fees, billing and payment terms are set out in your order form. All fees are exclusive of VAT and other applicable taxes.

Confidentiality

Each party will protect the other’s confidential information with reasonable care and use it only for the purposes of these Terms. This does not apply to information that is public through no fault of the recipient, independently developed, or required to be disclosed by law.

Security

We maintain a security programme designed to protect the platform and your data, including encryption in transit (TLS) and server-side encryption at rest (AES-256), multi-factor authentication, unique per-user credentials, role-based least-privilege access, logging and monitoring, and a documented incident-response process. Our security programme is aligned with the MPA Content Security Best Practices (v5.3.1).

Warranties

We warrant that the platform will perform materially in accordance with our documentation during your subscription. Except as expressly stated, and to the fullest extent the law allows, the platform is provided “as is” and we exclude all implied warranties, including fitness for a particular purpose. Free trials, beta and preview features are provided “as is” with no warranty.

Liability

Nothing in these Terms limits or excludes either party’s liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be limited or excluded under English law. Subject to that, and to the fullest extent permitted by law:

Neither party is liable for indirect or consequential loss, or for loss of profit, revenue, anticipated savings, goodwill, or business interruption.
Each party’s total aggregate liability arising out of or in connection with these Terms is limited to the total fees paid or payable by the Customer in the 6 months before the event giving rise to the claim.

Where you and Origami sign a separate agreement, the liability provisions of that agreement apply in place of this clause.

Indemnity

You will indemnify us against claims arising from your Customer Content or your use of the platform in breach of these Terms or the law.

Suspension and termination

We may suspend or terminate access if you materially breach these Terms or the Acceptable Use Policy, fail to pay, or create a security risk, giving notice and an opportunity to cure where reasonable. Either party may terminate as set out in the order form. On termination, your right to use the platform ends. We will make Customer Content available for export for 30 days and then delete it in line with the Data Processing Agreement, unless the law requires us to keep it.

Changes to these Terms

We may update these Terms. We will post the updated version and, for material changes during a paid term, give reasonable notice. Continued use after changes take effect means you accept them.

General

These Terms are the entire agreement on their subject matter and supersede prior discussions, subject to any separate signed agreement, which prevails. Neither party may assign without the other’s consent, except to a group company or buyer of the business. If a clause is unenforceable, the rest stands. Failure to enforce a right is not a waiver.

Governing law

These Terms are governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

Acceptable Use Policy

This Acceptable Use Policy (“AUP”) governs how you and your authorised users may use the Origami Platform. It forms part of the Terms of Use. By using the platform, you agree to it and are responsible for your users’ compliance. This policy defines what is and is not authorised. Accessing or using the platform outside this authorisation may also be a criminal offence under the Computer Misuse Act 1990.

You must not

Security and access

Access any account, data, or part of the platform you are not authorised to access, or circumvent any access control, authentication, or usage limit.
Probe, scan, or test the vulnerability of the platform, or conduct any penetration testing, without our prior written consent (see Responsible disclosure below).
Introduce malware, or any code or material intended to harm, disrupt, or gain unauthorised access to the platform or its data.
Interfere with or place an unreasonable load on the platform, including through abusive automated traffic or misuse of the API.

Content and conduct

Upload or process content you do not have the rights to use, or that infringes intellectual property, breaches confidentiality, or is unlawful, defamatory, obscene, or otherwise prohibited (including under the Online Safety Act 2023).
Use the platform in any way that would breach your own content-security obligations, including obligations you owe to studios or rights-holders under the MPA Content Security Best Practices, the Trusted Partner Network, or a studio’s own requirements, or that would compromise the security of pre-release production media.
Use the platform to send spam or unlawful marketing, or to harass any person.
Breach any applicable law, including data protection, sanctions, and export-control law.

Responsible disclosure

We welcome reports of security issues. If you believe you have found a vulnerability, please contact support@origamiplatform.io and give us a reasonable opportunity to investigate and fix it before any public disclosure. Good-faith testing carried out under, and within the scope of, our prior written authorisation will not be treated as a breach of this policy.

Enforcement

If we reasonably believe this policy has been breached, we may investigate, remove or disable content, and suspend or terminate access, as set out in the Terms of Use. Where a breach creates a security or legal risk, or affects pre-release content, we may act immediately and will tell you as soon as we reasonably can. We will cooperate with law enforcement where appropriate. To report misuse, contact support@origamiplatform.io.

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Use or other agreement (the “Agreement”) between Mission Digital Limited (“Processor”, “Origami”) and the customer organisation (“Controller”, “you”). It governs Origami’s processing of personal data contained in Customer Content on your behalf and on your instructions. Where there is a conflict on data-protection matters, this DPA prevails over the rest of the Agreement.

Origami acts as your processor for this data. Origami’s processing of personal data as a controller (for example account, analytics and marketing data) is described in the Privacy Policy section above and is not covered by this DPA. Origami does not use Customer Content for any purpose other than providing the service to you.

Definitions

“UK Data Protection Law” means the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, each as amended (including by the Data (Use and Access) Act 2025). “Controller”, “processor”, “personal data”, “processing”, “data subject”, and “personal data breach” have the meanings given in UK Data Protection Law. “Sub-processor” means a third party engaged by Origami to process personal data under this DPA.

Roles and instructions

You are the controller and Origami is the processor of the personal data described in the Details of processing below. Origami will process that personal data only on your documented instructions, which include the Agreement, this DPA, and the instructions you give through your configuration and use of the platform, including any automated processing actions that the platform performs to deliver your jobs. Origami will not process the personal data for its own purposes. It will act otherwise only if required by law, in which case it will tell you first unless the law forbids it. Origami will tell you if, in its opinion, an instruction infringes UK Data Protection Law. You warrant that your instructions and the personal data you provide comply with UK Data Protection Law, and that you have a lawful basis for the processing.

Confidentiality

Origami ensures that everyone authorised to process the personal data is bound by a confidentiality obligation (including a signed non-disclosure agreement) and receives security-awareness training.

Security

Origami will implement and maintain the technical and organisational measures set out below, taking account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to data subjects.

Sub-processors

You give Origami general authorisation to engage sub-processors to process the personal data, provided Origami imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable to you for each sub-processor’s performance. Origami’s current sub-processors are listed in the Sub-processors section below. Origami will give you at least 30 days notice before adding or replacing a sub-processor that processes the personal data, by updating that list and notifying you. If you reasonably object on data-protection grounds within that period, the parties will work in good faith to resolve it, and if they cannot, you may terminate the affected part of the service.

Assisting you

Taking account of the nature of the processing, Origami will assist you by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests. If Origami receives a request directly, it will not respond (except to direct the individual to you) and will forward it to you without undue delay. Origami will assist you in complying with your obligations on security, breach notification, data protection impact assessments, and prior consultation, taking account of the nature of processing and the information available to Origami.

Personal data breaches

Origami will notify you without undue delay after becoming aware of a personal data breach affecting the personal data, and in any event within 72 hours. The notice will include the information then available to help you meet your own notification obligations, with further information provided in phases as it becomes known. Origami does not notify the ICO or data subjects on your behalf unless you instruct it to.

Return and deletion

On termination or expiry, or on your earlier request, Origami will, at your choice, delete or return the personal data and delete existing copies, unless the law requires it to be kept. Customer Content is available for export for 30 days after termination, matching the Terms of Use.

Audits and information

Origami will make available to you the information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, and will allow for and contribute to audits, including inspections, by you or your appointed auditor. The parties will agree reasonable scope, timing, and confidentiality, and Origami may satisfy this obligation by providing a recognised third-party audit report or security documentation under a non-disclosure agreement where available.

International transfers

The personal data is hosted in the United Kingdom (AWS London region). Origami will not transfer the personal data outside the UK without an appropriate safeguard under UK Data Protection Law (an adequacy decision, the UK-US Data Bridge where applicable, or the UK International Data Transfer Agreement or UK Addendum to the EU SCCs). This DPA and its Annexes are intended to satisfy Article 28(3) of the UK GDPR. Where the UK IDTA or the UK Addendum applies to a transfer, those clauses prevail over this DPA to the extent of any conflict in respect of that transfer.

Details of processing

Subject matter: provision of the Origami post-production workflow platform to the Controller.
Duration: for the term of the Agreement and any wind-down, return-or-delete period.
Nature and purpose: hosting, organising, transmitting, transforming and displaying production assets and metadata so that production metadata travels through the Controller’s pipeline. This includes automated processing actions the platform performs to deliver the Controller’s jobs. Customer files are held only transiently (cached for up to 24 hours while a job is processed); production assets otherwise remain in the storage the Controller connects under its own account.
Types of personal data: personal data incidentally contained in production metadata and assets, for example names and work contact details of crew, vendors or contacts, and delivery-destination account identifiers.
Categories of data subjects: the Controller’s personnel, freelancers, vendors, and contacts whose details appear in the production data.
Special-category data: none intended. The platform is not designed to process special-category data.

Technical and organisational measures

Access control: multi-factor authentication (TOTP), unique per-user credentials, and role-based least-privilege access enforced at the application layer.
Encryption: TLS for data in transit, and AES-256 server-side encryption for data at rest.
Logging and monitoring: application and security logging with automated redaction of identifiers before storage, and a log archive retained for 30 days.
Tenant separation: logical separation of customer data and project-level access controls.
Incident response: a documented incident-response and breach-notification process.
Personnel: confidentiality obligations (signed non-disclosure agreements) and security-awareness training for staff with access.
Sub-processor management: due diligence and flow-down of obligations.
Resilience and deletion: backup, transient handling of Customer Content (cached for up to 24 hours), and secure deletion of data on termination.

This DPA is governed by the laws of England and Wales. Liability under this DPA is subject to the limitations set out in the Agreement. These measures reflect Origami’s alignment with the MPA Content Security Best Practices (v5.3.1).

Sub-processors

This lists the third parties that Mission Digital Limited engages to help provide the Origami Platform. We keep it current and give notice of changes as described in the Data Processing Agreement above. We distinguish two groups, because they map to our two roles under data protection law.

Sub-processors of customer production data

These process personal data that may be contained in Customer Content, where we act as your processor.

Provider	Purpose	Processing location
Amazon Web Services	Cloud hosting, and temporary storage of your files (cached for up to 24 hours) while a job is processed, with AES-256 server-side encryption	United Kingdom (London, eu-west-2)

We do not retain Customer Content in our own systems beyond the time needed to process your jobs (up to 24 hours of transient caching). Your production assets otherwise remain in the storage you connect.

Services you connect under your own account

Some transfer and storage services are used through your own account, not ours, so they are not our sub-processors. We integrate with them at your direction: IBM Aspera and Signiant MediaShuttle for high-speed file transfer, using your own account; and storage you connect (for example AWS, Wasabi, Backblaze, Storj or Lyvecloud), which remains under your own account and control.

Our own service providers

These support our own operations and process our controller data, described in the Privacy Policy above, rather than Customer Content.

Provider	Purpose	Location
WorkOS	Authentication and identity management	United States
PostHog	Product analytics and session replay (our interface only, inputs masked)	EU-hosted
HubSpot	Customer relationship management and marketing	EU-hosted
Sanity	Marketing-website content management	United States
Vercel	Marketing-website hosting	United States
DigitalOcean	Website front end and a supporting database (holds no Customer Content)	United Kingdom

We also use internal tools (for example for team messaging, meeting notes, and source control) that do not process Customer Content.

We carry out due diligence before engaging a sub-processor, bind each by contract to data-protection obligations no less protective than ours, and remain responsible to you for their performance. We give at least 30 days notice before adding or replacing a sub-processor that processes customer production data, so you can raise any reasonable objection. To be notified of changes, contact support@origamiplatform.io.