This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and PostSyncly, Inc. (“PostSyncly”, “Processor”) for the use of the Service. It applies whenever PostSyncly processes Personal Data on Customer’s behalf and is incorporated by reference into the Terms of Service or Master Subscription Agreement. Counter-signed copies are available for Enterprise customers — contact us.
1. Definitions
Capitalized terms not defined here have the meanings set out in the GDPR or UK GDPR. “Personal Data” means personal data Processed by PostSyncly under the agreement. “Processing”, “Controller”, “Processor”, “Sub-processor” and “Data Subject” have their meanings under the GDPR.
2. Scope and roles
Customer is the Controller and PostSyncly is the Processor of Personal Data Processed under the agreement. Each party will comply with its respective obligations under applicable data-protection laws.
3. Subject matter and duration
- Subject matter: Provision of the PostSyncly platform.
- Duration: The term of the underlying agreement, plus the deletion period in Section 11.
- Nature and purpose: Hosting, processing, transmitting and securing Personal Data so Customer can publish, schedule, moderate and reply to social and community content.
- Categories of Data Subjects: Customer’s employees, contractors, end-customers, social-media followers and contacts.
- Categories of Personal Data: Identifiers (name, email, handle), profile photos, message content, OAuth tokens, IP addresses, and any other Personal Data Customer chooses to process.
4. Customer instructions
PostSyncly will Process Personal Data only on documented instructions from Customer — including the Service’s configuration, the agreement and this DPA — and as required by applicable law. PostSyncly will inform Customer if it believes an instruction violates data-protection law (without obligation to monitor for compliance).
5. Confidentiality
Personnel authorized to Process Personal Data are bound by confidentiality obligations and trained on data-protection responsibilities.
6. Security
PostSyncly will implement and maintain the technical and organizational measures described in our Security overview, which form part of this DPA by reference. Material changes will not reduce the overall level of security.
7. Sub-processors
Customer authorizes PostSyncly to engage sub-processors to deliver the Service. PostSyncly maintains a list of current sub-processors and will notify Customer at least 30 days before adding a new one. Customer may object on reasonable data-protection grounds; if the parties cannot agree on a resolution, Customer may terminate the affected service for convenience without penalty.
PostSyncly remains liable for sub-processor acts and omissions to the same extent it is liable for its own.
8. International transfers
Where Personal Data is transferred outside the EEA, UK or Switzerland to a country without an adequacy decision, the parties will rely on the EU Standard Contractual Clauses (Module Two — Controller to Processor, with Module Three for sub-processor onward transfers), as supplemented by the UK IDTA where applicable. EU-pinned tenants keep primary storage in the EU; transfers, where they occur, are limited to incidental support and observability data.
9. Data subject requests
Taking into account the nature of the Processing, PostSyncly will provide reasonable assistance to enable Customer to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within statutory deadlines. Most rights can be exercised directly through the Service.
10. Personal data breach
PostSyncly will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer’s data. The notification will include, to the extent known, the nature of the breach, likely consequences, measures taken or proposed, and a contact point.
11. Return and deletion
On termination of the agreement, Customer has 30 days to export Personal Data through the Service. PostSyncly will then delete Personal Data from active systems within 60 days, and from encrypted backups within 12 months on the standard rotation, except where retention is required by law.
12. Audits
PostSyncly will make available documentation of the technical and organizational measures described in our Security overview and the current sub-processor list at /legal/subprocessors. Where Customer requires additional audit rights to comply with data-protection law, the parties will agree on reasonable scope, timing and frequency in good faith, typically once per twelve-month period and at Customer’s expense. Third-party attestations (such as SOC 2 Type II) are on our roadmap; once issued, the most recent report will be made available to Customers under NDA on request.
13. Order of precedence
In case of conflict between this DPA, the Standard Contractual Clauses and the underlying agreement, the Clauses prevail, then this DPA, then the agreement.
14. Contact
Privacy / DPA questions: support@postsyncly.com.