Overview
This Data Processing Addendum ("DPA") forms part of the agreement between supapost (the "Processor") and the Customer (the "Controller") for the use of the supapost content generation API and dashboard. It applies whenever supapost processes Personal Data on behalf of the Customer in connection with the Service.
1. Definitions
Capitalised terms not defined here have the meanings given in the Terms of Service or, where applicable, the GDPR.
2. Roles and scope
The Customer is the Data Controller for content it submits to the Service (post topics, brand context, comments to reply to, uploaded brand assets). supapost is the Data Processor and processes that data only on the Customer's documented instructions, namely to generate, store, and serve back the requested content.
3. Processing details
- Subject matter: AI content generation and storage.
- Duration: For the lifetime of the Customer account plus 30 days post-cancellation.
- Nature and purpose: Generation, storage, and retrieval of social posts, smart replies, blog posts, newsletters, and brand assets.
- Categories of data subjects: Customer end users (e.g. the Customer's social media audience appearing in comment data submitted for reply generation) and Customer's own personnel.
- Categories of personal data: Names, email addresses, social media handles, free-text content submitted by the Customer.
4. Security measures
supapost maintains industry-standard technical and organisational measures, including encryption at rest and in transit (TLS 1.2+), role-based access controls, audit logging on admin actions, least-privilege access to production data, regular dependency updates, and an incident response plan. Details are available on request.
5. Sub-processors
supapost engages third-party sub-processors to operate the Service. The current list is published at /sub-processors. Customers are notified of any new sub-processor at least 14 days before that sub-processor begins processing Personal Data.
6. International transfers
Where sub-processors are located outside the EEA/UK, transfers rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision. The Customer authorises these transfers by entering into this DPA.
7. Data subject rights
supapost provides API endpoints and dashboard tooling for the Customer to fulfil access, rectification, deletion, and export requests from its data subjects. See GET /api/me/export for a full account export. The Customer remains responsible for handling data subject requests directly.
8. Breach notification
supapost will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting the Customer's data, with all information reasonably available to assist the Customer in meeting its own notification obligations.
9. Audits
On reasonable request, supapost will make available the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
10. Deletion or return
On termination or expiry of the Service contract, supapost will (at the Customer's choice) delete or return all Personal Data processed on the Customer's behalf within 30 days, unless retention is required by law.
11. Contacting us
To request this DPA in a counter-signable form, escalate a privacy matter, or contact our Data Protection lead, email privacy@supapost.ai.
This DPA is a template. Larger customers requiring a signed instrument or bespoke clauses should contact sales@supapost.ai.