Data Processing Agreement

1. Definitions

• Personal Data means any information relating to an identified or identifiable natural person that you process through OpenPost.
• Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
• Sub-processor means a third-party entity engaged by OpenPost to process Personal Data on your behalf.
• Data Subject means the individual to whom Personal Data relates.

2. Roles and Scope

You are the data controller. You decide what content to create, which platforms to publish to, and what data to store in OpenPost. We are the data processor. We process your data solely to provide the OpenPost service as described in our Terms of Service.

The categories of Personal Data processed may include: names, email addresses, social media usernames and profile information, content authored by you, media files you upload, and analytics data from connected platforms.

Data subjects may include: your employees, team members, contractors, and the audiences of your social media accounts (to the extent that engagement data contains identifiable information).

3. Our Obligations

As your data processor, OpenPost will:

• Process Personal Data only on your documented instructions, including with respect to transfers of data outside the EEA, unless required to do so by applicable law.
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organizational security measures as described on our Security page.
• Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
• Assist you with data protection impact assessments and prior consultations with supervisory authorities, where required.
• Delete or return all Personal Data upon termination of the service, at your choice, and delete existing copies unless retention is required by law.
• Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

4. Sub-processors

We use the following sub-processors to deliver the OpenPost service:

We will notify you before adding or replacing a sub-processor, giving you the opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

5. Data Breach Notification

If we become aware of a personal data breach that affects data we process on your behalf, we will:

• Notify you without undue delay and in any case within 72 hours of becoming aware of the breach.
• Provide you with sufficient detail about the breach to allow you to meet your own notification obligations to supervisory authorities and data subjects.
• Take reasonable steps to contain and remediate the breach.
• Cooperate with you in investigating the breach and communicating with affected parties.

6. International Transfers

Where Personal Data is transferred outside the EEA, we ensure that appropriate safeguards are in place. These may include Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions, or other transfer mechanisms recognized under GDPR.

7. Duration and Termination

This DPA remains in effect for the duration of your OpenPost subscription. Upon termination, we will delete your Personal Data in accordance with the timelines described in our Privacy Policy (within 30 days, with backup purges within 90 days).

8. Contact

For questions about this DPA or to exercise rights under it, contact:

• Privacy: privacy@openpost.so
• Legal: legal@openpost.so