
Data Processing Addendum

Last updated: [EFFECTIVE DATE]

This Addendum applies where you (the “Customer”) use PostPost to process personal data of your own customers, contacts, or audiences. In that case you are the controller and PostPost is your processor. This Addendum forms part of, and is governed by, our Terms of Service.

This Data Processing Addendum (“DPA”) is entered into between the Customer and [COMPANY LEGAL NAME] (“PostPost”) and reflects the parties’ agreement on the processing of personal data in connection with the Service, in accordance with the GDPR, the UK GDPR, and other applicable data-protection laws (“Data Protection Laws”).

1. Roles and scope

For personal data the Customer submits to or processes through the Service (“Customer Personal Data”), the Customer is the controller and PostPost is the processor. PostPost acts as a controller for limited data it processes for its own purposes (such as account administration, billing, security, and Service improvement), which is governed by our Privacy Policy.

2. Processing instructions

PostPost will process Customer Personal Data only (a) to provide the Service, (b) in accordance with the Customer’s documented instructions (including as set out in the Terms and this DPA), and (c) as required by applicable law, in which case PostPost will inform the Customer unless prohibited. PostPost will notify the Customer if, in its opinion, an instruction infringes Data Protection Laws.

3. Confidentiality

PostPost ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as instructed.

4. Security

PostPost implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A summary of these measures is set out in Annex II.

5. Sub-processors

The Customer authorizes PostPost to engage the sub-processors listed below to process Customer Personal Data to provide the Service. PostPost imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance. PostPost will give the Customer reasonable notice of any intended addition or replacement of a sub-processor (for example, by updating this list and/or by email), allowing the Customer to object on reasonable data-protection grounds. If the Customer objects and PostPost cannot, within a reasonable time, offer an alternative or a commercially reasonable change that avoids processing by the objected-to sub-processor, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service by written notice.

Current sub-processors

This list is current as of [EFFECTIVE DATE] and may be updated from time to time.

Sub-processor | Purpose | Location / region
Hetzner Online GmbH | Cloud infrastructure / hosting | Germany (EU)
Amazon Web Services (S3) | File and asset storage | [REGION]
Stripe | Payment processing and billing | USA / global
OpenAI | AI text and image generation | USA
Anthropic | AI text generation | USA
KIE | AI image generation | [REGION]
OpenRouter | AI model routing / aggregation | USA
Bugsnag (SmartBear) | Error monitoring | USA
Google | Sign-in, advertising & measurement | USA / global
Meta Platforms | Advertising & measurement | USA / global
[EMAIL PROVIDER] | Transactional & marketing email | [REGION]

Connected social platforms that the Customer chooses to connect (for example, X, LinkedIn, Meta, TikTok) receive content and instructions at the Customer’s direction; they act as independent controllers for the data they receive under their own terms and are not sub-processors of PostPost.

6. International transfers

Where PostPost transfers Customer Personal Data outside the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is made under appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum, which are incorporated by reference.

7. Assistance to the Customer

Taking into account the nature of the processing, PostPost will provide reasonable assistance to the Customer through appropriate technical and organizational measures to help the Customer (a) respond to requests from data subjects exercising their rights, and (b) ensure compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation.

8. Personal data breaches

PostPost will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to assist the Customer in meeting its breach-notification obligations.

9. Deletion and return

Upon termination or expiry of the Service, and at the Customer’s choice, PostPost will delete or return Customer Personal Data, and delete existing copies, unless retention is required by applicable law. Residual copies may persist in routine backups for a limited period before being overwritten.

10. Audits

PostPost will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality, scheduling, and scope limitations.


Annex I — Description of processing

  • Subject matter: provision of the PostPost social media management service.
  • Duration: for the term of the Customer’s subscription and as otherwise set out in this DPA.
  • Nature and purpose: hosting, storage, generation, scheduling, publishing, and analysis of social media content and related data on the Customer’s behalf.
  • Categories of data subjects: the Customer’s personnel and team members; the Customer’s own clients, contacts, and social media audiences referenced in the content.
  • Categories of personal data: names, contact details, account identifiers and handles, content (including images that may contain personal data), and engagement/analytics data. The Service is not intended for special-category data (Article 9 GDPR) or personal data relating to criminal convictions and offences; the Customer must not submit such data through the Service and is responsible for any such data it chooses to submit.

Annex II — Technical and organizational measures

  • Encryption of data in transit (TLS) and encryption/secure storage of credentials and access tokens.
  • Role-based access controls and the principle of least privilege.
  • Network and infrastructure security at the hosting provider.
  • Logging, monitoring, and error tracking to detect and respond to incidents.
  • Regular backups and a defined retention/deletion process.
  • Vetting and contractual data-protection commitments with sub-processors.
  • [Add any further measures you implement, e.g. MFA, pen-testing cadence, employee training.]

Contact

For DPA requests (including signing a counter-signed copy or exercising audit rights), contact support@postpost.app.


© 2026 PostPost. A product by Turbologo. · Questions? support@postpost.app