Data Processing Agreement

Last updated: 2025-08-17

Transparency Commitment

This document provides complete transparency about how Postinow processes your data, ensuring compliance with GDPR, CCPA, and social media platform data requirements.

1. Data Processing Overview

This Data Processing Agreement ("DPA") outlines how Postinow processes personal data in compliance with applicable data protection laws and social media platform requirements.

2. Data Categories and Processing Purposes

2.1 Account Data

Data Type           | Processing Purpose                               | Legal Basis                             | Retention Period
--------------------|--------------------------------------------------|-----------------------------------------|----------------------------------
Email Address       | Account creation, authentication, communication  | Contract performance                    | Until account deletion + 30 days
Password Hash       | Account security and authentication              | Contract performance                    | Until account deletion
Billing Information | Payment processing, tax compliance               | Contract performance, legal obligation  | 7 years (tax compliance)

2.2 Social Media Platform Data

Platform     | Data Accessed                     | Processing Purpose               | API Compliance
-------------|-----------------------------------|----------------------------------|----------------------------
TikTok       | Account info, upload permissions  | Video upload and management      | TikTok Business API Terms
Instagram    | Profile, media permissions        | Photo/video upload and stories   | Meta Platform Policy
Facebook     | Page info, post permissions       | Content posting and management   | Meta Platform Policy
X (Twitter)  | Profile, tweet permissions        | Content posting and scheduling   | X Developer Agreement
LinkedIn     | Profile, company page permissions | Professional content sharing     | LinkedIn API Terms

3. Data Processing Activities

3.1 Content Processing

  • Collection: Files uploaded via web interface
  • Storage: Temporary storage in encrypted cloud storage (AWS S3/Backblaze)
  • Processing: Format validation, metadata extraction, virus scanning
  • Transfer: Secure upload to destination social media platforms
  • Deletion: Automatic deletion from temporary storage within 24 hours

3.2 OAuth Token Management

  • Collection: OAuth tokens from platform authorization flows
  • Encryption: AES-256 encryption at rest
  • Usage: API calls to connected platforms for content publishing
  • Refresh: Automatic token refresh when available
  • Revocation: Immediate deletion when user disconnects platform

4. Data Security Measures

4.1 Technical Safeguards

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for admin access
  • Regular security audits and penetration testing
  • Automated backup and disaster recovery procedures

4.2 Organizational Measures

  • Role-based access controls and least privilege principles
  • Regular staff security training and awareness programs
  • Incident response procedures and breach notification protocols
  • Data protection impact assessments for new features
  • Third-party vendor security assessments

5. Data Subject Rights

5.1 Access Rights

You have the right to:

  • Access your personal data and processing information
  • Receive a copy of your data in machine-readable format
  • Request data portability to another service provider

5.2 Control Rights

You can:

  • Rectify inaccurate or incomplete personal data
  • Restrict processing for specific purposes
  • Object to processing based on legitimate interests
  • Withdraw consent for consent-based processing

5.3 Deletion Rights

You can request deletion of your data when:

  • Personal data is no longer necessary for original purposes
  • You withdraw consent and no other legal basis exists
  • Personal data has been unlawfully processed
  • Deletion is required for legal compliance

6. Data Transfers and Processors

6.1 International Transfers

Data may be transferred to and processed in the United States and other countries. We ensure adequate protection through:

  • EU Standard Contractual Clauses
  • Privacy Shield successor frameworks
  • Adequacy decisions where applicable
  • Additional safeguards for non-adequate countries

6.2 Third-Party Processors

Processor | Purpose                    | Location | Safeguards
----------|----------------------------|----------|----------------------------
AWS       | Cloud hosting and storage  | USA, EU  | DPA, SCCs, Certifications
Stripe    | Payment processing         | USA, EU  | PCI DSS, DPA, SCCs
Supabase  | Database hosting           | USA, EU  | DPA, SCCs, SOC 2

7. Compliance Framework

7.1 Regulatory Compliance

  • GDPR: Full compliance with EU General Data Protection Regulation
  • CCPA: California Consumer Privacy Act compliance
  • COPPA: Children's Online Privacy Protection Act (service not for children)
  • SOX: Financial data handling compliance

7.2 Platform API Compliance

  • TikTok: Business API Terms and Privacy Policy compliance
  • Meta: Platform Policy compliance for Instagram and Facebook integration
  • X (Twitter): Developer Agreement and Policy compliance
  • LinkedIn: API Terms of Use and Professional Data Guidelines compliance

8. Data Breach Procedures

8.1 Incident Response

  • Immediate containment and assessment within 1 hour of detection
  • Risk evaluation and impact analysis within 6 hours
  • Notification to supervisory authorities within 72 hours if required
  • User notification without undue delay if high risk to rights and freedoms

8.2 Communication Protocol

  • Clear, transparent communication about breach nature and scope
  • Specific actions taken to address the breach
  • Measures to mitigate potential adverse effects
  • Contact information for further inquiries

9. Data Retention Schedule

Data Category  | Retention Period            | Deletion Process
---------------|-----------------------------|---------------------------------------
Account Data   | Account lifetime + 30 days  | Automated deletion after grace period
OAuth Tokens   | Until disconnection         | Immediate secure deletion
Uploaded Files | 24 hours maximum            | Automatic deletion after processing
Logs           | 90 days                     | Rolling deletion schedule

10. Contact Information

For data processing inquiries, please contact:

  • Data Protection Officer: dpo@postinow.com
  • Privacy Team: privacy@postinow.com
  • Legal Team: legal@postinow.com
  • Emergency Contact: +1 (555) 123-4567

Request Data Processing Actions

You can request any of the following data processing actions:

  • Data Export: Download all your data in JSON format
  • Data Deletion: Request complete account and data deletion
  • Processing Restriction: Limit how we process your data
  • Data Correction: Update incorrect personal information