
Data Processing Agreement (DPA)

Last Updated: January 17, 2025
Effective Date: January 17, 2025

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and Schedulala ("Data Processor" or "we/us/our") and governs the processing of personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This DPA applies when Schedulala processes personal data on behalf of customers in the course of providing our social media scheduling services.

2. Definitions

For the purposes of this DPA:

  • "Controller": The natural or legal person who determines the purposes and means of processing personal data
  • "Processor": The natural or legal person who processes personal data on behalf of the Controller
  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on personal data, including collection, storage, use, or disclosure
  • "Data Subject": The individual whose personal data is being processed
  • "GDPR": The General Data Protection Regulation (EU) 2016/679
  • "Sub-processor": Any processor engaged by Schedulala to assist in processing personal data

3. Processing Details

3.1 Nature and Purpose of Processing

Schedulala processes personal data to provide social media scheduling services, including:

  • Account management and authentication
  • Content scheduling and posting to social media platforms
  • Analytics and performance reporting
  • Customer support and technical assistance
  • Service improvement and development

3.2 Categories of Data Subjects

  • Service users and account holders
  • Authorized representatives of business customers
  • End users of social media content
  • Customer support contacts

3.3 Types of Personal Data

  • Identity Data: Name, username, profile information
  • Contact Data: Email addresses, communication preferences
  • Account Data: Social media account identifiers, connection tokens
  • Content Data: Posts, images, videos, captions created through our service
  • Usage Data: Service interaction logs, feature usage statistics
  • Technical Data: IP addresses, device information, browser data
  • Payment Data: Billing information (processed by Stripe as sub-processor)

3.4 Duration of Processing

Personal data will be processed for the duration of the service agreement and retained according to our data retention policies outlined in our Privacy Policy, unless otherwise required by law or agreed upon in writing.

4. Data Controller and Processor Obligations

4.1 Controller Obligations

As the Data Controller, you warrant and undertake that:

  • You have the legal right to transfer personal data to Schedulala for processing
  • You have obtained all necessary consents and have a valid legal basis for processing
  • You will comply with all applicable data protection laws
  • You will provide clear privacy notices to your data subjects
  • You will promptly notify us of any data subject requests or complaints
  • You will not instruct us to process data in a manner that violates applicable laws

4.2 Processor Obligations

As the Data Processor, Schedulala undertakes that:

  • We will only process personal data in accordance with your documented instructions
  • We will ensure confidentiality of personal data and restrict access to authorized personnel
  • We will implement appropriate technical and organizational security measures
  • We will assist you in responding to data subject requests
  • We will notify you of any personal data breaches without undue delay
  • We will delete or return personal data upon termination of services
  • We will maintain records of processing activities

5. Technical and Organizational Security Measures

5.1 Security Measures

Schedulala implements the following security measures:

Technical Measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security updates and patch management
  • Network security and firewall protection
  • Secure data backup and recovery procedures
  • Monitoring and logging of system access

Organizational Measures:

  • Staff training on data protection and security
  • Confidentiality agreements for all personnel
  • Clear data handling and processing procedures
  • Regular security assessments and audits
  • Incident response and breach notification procedures
  • Vendor management and due diligence processes

5.2 Security Standards

Our security measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

6. Sub-processors

6.1 Authorized Sub-processors

Schedulala engages the following sub-processors to assist in providing our services:

Sub-processor | Purpose | Location
Stripe | Payment processing | United States
MongoDB Atlas | Database hosting | Canada/US
Vercel | Application hosting | United States
Resend | Email delivery | United States

6.2 Sub-processor Safeguards

All sub-processors are bound by data processing agreements that include:

  • Equivalent data protection obligations to those in this DPA
  • Appropriate technical and organizational security measures
  • Confidentiality commitments
  • Compliance with applicable data protection laws

6.3 Changes to Sub-processors

We will provide 30 days' notice of any changes to our sub-processors. If you object to a new sub-processor, you may terminate the service agreement with 30 days' written notice.

7. International Data Transfers

7.1 Transfer Safeguards

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards through:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Certification schemes and codes of conduct
  • Binding corporate rules where applicable

7.2 Transfer Impact Assessment

We conduct transfer impact assessments to ensure that transferred data receives an adequate level of protection, taking into account the laws and practices of the destination country.

8. Data Subject Rights

8.1 Rights Support

Schedulala will assist you in fulfilling data subject rights requests, including:

  • Right of Access: Providing copies of personal data
  • Right to Rectification: Correcting inaccurate personal data
  • Right to Erasure: Deleting personal data when required
  • Right to Restrict Processing: Limiting processing activities
  • Right to Data Portability: Providing data in a structured format
  • Right to Object: Stopping certain types of processing

8.2 Response Timeframes

We will respond to data subject rights requests within 30 days, or inform you if additional time is needed due to the complexity or number of requests.

9. Data Breach Notification

9.1 Notification Requirements

In the event of a personal data breach, Schedulala will:

  • Notify you without undue delay, and in any case within 72 hours of becoming aware
  • Provide all available information about the breach
  • Take immediate steps to contain and mitigate the breach
  • Assist in any required notifications to supervisory authorities
  • Cooperate in investigations and remediation efforts

9.2 Breach Information

Breach notifications will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further inquiries

10. Data Protection Impact Assessment

Where required, Schedulala will assist you in conducting Data Protection Impact Assessments (DPIAs) by providing:

  • Information about our processing activities
  • Details of security measures implemented
  • Risk assessments related to our processing
  • Cooperation in risk mitigation strategies

11. Audits and Records

11.1 Records of Processing

Schedulala maintains detailed records of all processing activities carried out on behalf of customers, including:

  • Categories of processing activities
  • Categories of personal data processed
  • Categories of data subjects
  • Security measures implemented
  • International transfer details

11.2 Audit Rights

Upon reasonable notice and subject to confidentiality obligations, you may audit our compliance with this DPA through:

  • Review of our security certifications and audit reports
  • Written questionnaires about our processing activities
  • On-site inspections (at your cost and with mutual agreement)

12. Data Return and Deletion

12.1 Service Termination

Upon termination of our service agreement, Schedulala will:

  • Return all personal data to you in a commonly used electronic format
  • Securely delete all personal data from our systems
  • Ensure sub-processors also delete personal data
  • Provide certification of deletion upon request

12.2 Legal Retention

We may retain personal data to the extent required by law, provided that we ensure the confidentiality of such personal data and only process it for the purposes specified by law.

13. Liability and Indemnification

13.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation and exclusion of liability provisions in the main service agreement.

13.2 Data Protection Violations

If either party's processing of personal data results in a claim by a data subject or regulatory authority, the party responsible for the violation will indemnify the other party for reasonable costs and damages.

14. Changes and Updates

We may update this DPA from time to time to reflect changes in law, our processing activities, or business practices. We will notify you of material changes 30 days in advance, and continued use of our services constitutes acceptance of the updated DPA.

15. Contact Information

For questions or concerns about this DPA or our data processing practices, please contact our Data Protection Officer:

Email: hello@schedulala.com

Subject: DPA Inquiry - Data Protection

Response Time: We will respond within 30 days

16. Governing Law

This DPA is governed by the same laws as the main service agreement. Where the GDPR applies, its provisions shall take precedence over any conflicting terms in this DPA.