Data Processing Agreement

Last updated: January 7, 2026

Effective date: January 7, 2026

Enterprise Customers: To execute this DPA, please contact legal@socialcrm.com with your company details. We will provide a countersigned copy for your records.

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between SocialCRM, an initiative of Social Protocol Labs LLC ("SocialCRM," "Processor," "we," "us," or "our") and the entity agreeing to these terms ("Customer," "Controller," "you," or "your") for the provision of the SocialCRM platform and services (the "Services").

This DPA applies to the processing of Personal Data by SocialCRM on behalf of Customer in connection with the Services and reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

Table of Contents

  1. Definitions
  2. Scope and Application
  3. Roles and Responsibilities
  4. Processing Instructions
  5. Security Measures
  6. Subprocessors
  7. International Data Transfers
  8. Data Subject Rights
  9. Data Breach Notification
  10. Audit Rights
  11. Data Deletion and Return
  12. Liability
  13. Term and Termination
  14. Standard Contractual Clauses

1. Definitions

For purposes of this DPA:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  • "Data Protection Laws" means all applicable laws relating to data protection, privacy, and the processing of Personal Data, including GDPR, UK GDPR, and CCPA.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Processor" means an entity that processes Personal Data on behalf of a Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Subprocessor" means any third party engaged by SocialCRM to process Personal Data on behalf of Customer.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

2. Scope and Application

2.1 Application

This DPA applies where and only to the extent that SocialCRM processes Personal Data on behalf of Customer as a Processor in the course of providing the Services.

2.2 Duration

This DPA shall remain in effect for the duration of SocialCRM's processing of Personal Data on behalf of Customer.

2.3 Subject Matter and Nature of Processing

SocialCRM provides an AI brand monitoring and optimization platform. The nature of processing includes:

  • Collection and storage of account information
  • Processing of brand monitoring data
  • Analytics and reporting on AI platform mentions
  • Communication and support services

2.4 Categories of Personal Data

The categories of Personal Data processed include:

  • Contact information (name, email, phone number)
  • Account credentials (hashed passwords)
  • Business information (company name, job title)
  • Usage data (IP addresses, device information, activity logs)
  • Payment information (processed by Stripe)
  • Communications (support tickets, feedback)

2.5 Categories of Data Subjects

Data subjects include:

  • Customer's employees and authorized users
  • Customer's business contacts
  • Individuals whose data may be included in Customer's brand content

3. Roles and Responsibilities

3.1 Customer as Controller

Customer shall:

  • Determine the purposes and means of processing Personal Data
  • Ensure a lawful basis exists for each processing activity
  • Provide necessary notices to Data Subjects
  • Ensure the accuracy of Personal Data
  • Respond to Data Subject requests
  • Comply with all applicable Data Protection Laws

3.2 SocialCRM as Processor

SocialCRM shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage Subprocessors only with Customer's authorization
  • Assist Customer in responding to Data Subject requests
  • Assist Customer in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return Personal Data at the end of the service relationship
  • Make available information necessary to demonstrate compliance

4. Processing Instructions

4.1 Documented Instructions

SocialCRM shall process Personal Data only in accordance with Customer's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required by law to do otherwise.

4.2 Scope of Instructions

Customer instructs SocialCRM to process Personal Data for the following purposes:

  • Providing and maintaining the Services
  • Responding to support requests
  • Ensuring security and preventing fraud
  • Complying with legal obligations
  • Any other purposes specified in the Agreement

4.3 Additional Instructions

Customer may provide additional processing instructions in writing. SocialCRM shall comply with such instructions unless they violate applicable law or require changes to the Services, in which case SocialCRM will notify Customer.

4.4 Notification of Unlawful Instructions

SocialCRM shall immediately inform Customer if, in its opinion, an instruction infringes Data Protection Laws. SocialCRM may suspend performance of the relevant instruction until Customer confirms or modifies it.

5. Security Measures

5.1 Security Obligations

Taking into account the state of the art, costs of implementation, nature, scope, context, purposes of processing, and risks to Data Subjects, SocialCRM shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

5.2 Technical Measures

SocialCRM implements the following technical measures:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control and multi-factor authentication
  • Database Security: Row-level security (RLS) for tenant isolation
  • Password Security: bcrypt hashing with appropriate work factors
  • Session Management: Secure JWT tokens with expiration
  • Network Security: Firewall, DDoS protection, intrusion detection
  • Backup: Regular encrypted backups with point-in-time recovery

5.3 Organizational Measures

SocialCRM implements the following organizational measures:

  • Security policies and procedures
  • Employee security training
  • Access management and review processes
  • Incident response procedures
  • Vendor security assessments
  • Regular security audits and penetration testing

5.4 Confidentiality

SocialCRM ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Subprocessors

6.1 Authorization

Customer provides general authorization for SocialCRM to engage Subprocessors for the processing of Personal Data. The current list of Subprocessors is available at /security#subprocessors.

6.2 Subprocessor Obligations

When engaging a Subprocessor, SocialCRM shall:

  • Enter into a written agreement imposing data protection obligations equivalent to those in this DPA
  • Conduct appropriate due diligence on the Subprocessor's security practices
  • Remain liable for the Subprocessor's performance

6.3 Changes to Subprocessors

SocialCRM shall notify Customer of any intended changes to Subprocessors, giving Customer the opportunity to object to such changes. Notification will be provided at least 30 days before the new Subprocessor begins processing Personal Data.

6.4 Objection to Subprocessors

If Customer objects to a new Subprocessor on reasonable data protection grounds, the parties shall discuss the matter in good faith. If no resolution is reached, Customer may terminate the affected Services without penalty.

7. International Data Transfers

7.1 Transfer Mechanisms

SocialCRM may transfer Personal Data outside the European Economic Area (EEA) or United Kingdom only when appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other lawful transfer mechanisms under applicable Data Protection Laws

7.2 Standard Contractual Clauses

Where transfers rely on Standard Contractual Clauses, the parties agree that the SCCs are incorporated into this DPA by reference. For transfers from the EEA, the EU SCCs (Commission Decision 2021/914) apply. For transfers from the UK, the UK Addendum to the EU SCCs applies.

7.3 Transfer Impact Assessment

SocialCRM has conducted a transfer impact assessment and determined that the legal framework in the destination country provides adequate protection for Personal Data, or that supplementary measures are in place to ensure adequate protection.

8. Data Subject Rights

8.1 Assistance with Requests

SocialCRM shall assist Customer by appropriate technical and organizational measures to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

8.2 Direct Requests

If SocialCRM receives a request directly from a Data Subject, SocialCRM shall promptly notify Customer unless prohibited by law. SocialCRM shall not respond to such requests except to confirm that the request relates to Customer.

8.3 Response Timeline

SocialCRM shall respond to Customer's requests for assistance within a reasonable timeframe and in any event within the timeframes required by applicable Data Protection Laws.

9. Data Breach Notification

9.1 Notification Obligation

SocialCRM shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Such notification shall be made within 48 hours of becoming aware of the breach.

9.2 Notification Contents

The notification shall include, to the extent available:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

9.3 Assistance

SocialCRM shall cooperate with Customer and take reasonable steps to assist in investigating, mitigating, and remediating the breach.

9.4 Documentation

SocialCRM shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

10. Audit Rights

10.1 Information and Audit

SocialCRM shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or a mandated auditor.

10.2 Audit Procedures

Audits shall be subject to the following conditions:

  • Reasonable advance notice (at least 30 days, except for urgent matters)
  • Conducted during normal business hours
  • No more than one audit per year (unless required by a supervisory authority)
  • Auditor bound by confidentiality obligations
  • Audit scope limited to SocialCRM's processing of Customer's Personal Data

10.3 Third-Party Certifications

SocialCRM may satisfy audit requests by providing copies of relevant third-party certifications, audit reports (e.g., SOC 2), or evidence of compliance with applicable security standards.

11. Data Deletion and Return

11.1 Upon Termination

Upon termination of the Services, SocialCRM shall, at Customer's choice:

  • Return all Personal Data to Customer in a commonly used format; or
  • Delete all Personal Data

11.2 Retention Period

Customer shall have 30 days following termination to request return of Personal Data. After this period, SocialCRM shall delete all Personal Data unless retention is required by law.

11.3 Backup Deletion

Personal Data in backup systems shall be deleted in accordance with SocialCRM's standard backup rotation schedule, not to exceed 90 days following the deletion of production data.

11.4 Certification

Upon request, SocialCRM shall provide written certification of deletion of Personal Data.

12. Liability

12.1 Liability Cap

The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Agreement.

12.2 Indemnification

Each party shall indemnify the other for any costs, claims, damages, or expenses arising from a breach of this DPA or applicable Data Protection Laws by the indemnifying party.

13. Term and Termination

13.1 Term

This DPA shall remain in effect for as long as SocialCRM processes Personal Data on behalf of Customer.

13.2 Survival

Provisions of this DPA that by their nature should survive termination shall survive, including confidentiality, data deletion, and liability provisions.

14. Standard Contractual Clauses

14.1 Incorporation

The Standard Contractual Clauses (EU SCCs) adopted by the European Commission in Decision 2021/914 are incorporated into this DPA by reference. For purposes of the SCCs:

  • Module Two (Controller to Processor) applies
  • Clause 7 (Docking Clause): Not applicable
  • Clause 9 (Subprocessors): Option 2 (general authorization) applies
  • Clause 11 (Redress): Optional language does not apply
  • Clause 17 (Governing Law): Laws of Ireland
  • Clause 18 (Choice of Forum): Courts of Ireland

14.2 UK Addendum

For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as approved by the UK Information Commissioner) is incorporated and applies.

14.3 Swiss Addendum

For transfers from Switzerland, the EU SCCs apply with the modifications necessary to comply with Swiss data protection law.

Contact Information

For questions about this DPA or to request a countersigned copy:

SocialCRM, an initiative of Social Protocol Labs LLC

Attn: Legal Department

Email: legal@socialcrm.com

Privacy: privacy@socialcrm.com