Data Processing Addendum (DPA)

Effective Date: February 16, 2026
Processor: SocialConductor.AI
Controller: The User (Licensee) as identified in the Terms of Service.

Scope: This DPA applies to the processing of Personal Data in connection with the SocialConductor.AI Service where such data originates from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland.

1. Roles & Compliance

The User is the Controller and SocialConductor.AI is the Processor for all Personal Data processed under this DPA. Processor shall process Personal Data solely on documented instructions from the Controller (as constituted by the Terms of Service and this DPA), unless required to do so by applicable law.

2. International Data Transfers

EEA Transfers: For transfers of Personal Data from the EEA to the United States, the parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller to Processor) approved by European Commission Decision 2021/914, including Annexes I and II set out below.

UK Transfers: For transfers of Personal Data from the United Kingdom, the parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B.1.0) issued by the UK Information Commissioner's Office (ICO), which supplements and adapts the EU SCCs for UK law.

Switzerland: Swiss-originating transfers are governed by the applicable guidance of the Swiss Federal Data Protection and Information Commissioner (FDPIC).

3. Security & Breach Notification

Security Measures: Processor shall implement and maintain the technical and organizational measures described in Annex II below. Processor shall ensure that all persons authorized to process Personal Data are subject to an appropriate duty of confidentiality.

Breach Notification: In the event of a Personal Data Breach affecting Controller's data, Processor shall:

  1. Notify Controller without undue delay and within 72 hours of becoming aware of the breach;
  2. Provide: the nature of the breach; categories and approximate number of data subjects and records affected; likely consequences; and measures taken or proposed to address the breach and mitigate its effects;
  3. Cooperate with Controller to enable Controller to meet its own notification obligations to supervisory authorities and data subjects under GDPR Articles 33 and 34.

4. Audit Rights

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and shall allow for, and contribute to, audits and inspections conducted by Controller or an auditor mandated by Controller, upon 30 days' prior written notice. Audits shall be conducted during normal business hours in a manner that minimizes disruption to Processor's operations. Processor may satisfy this obligation by providing up-to-date third-party audit reports (e.g., SOC 2) in lieu of a direct inspection, at its discretion.

5. Data Subject Rights

Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a data subject exercising their rights under the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Processor shall not respond to such requests directly on Controller's behalf, but shall provide reasonable assistance to Controller in fulfilling its obligations under Chapter III of the GDPR within the timeframes required by applicable law.

6. Subprocessors

Controller hereby grants general written authorization for Processor to engage the following approved subprocessors. Processor will inform Controller of any intended changes (additions or replacements) with 14 days' advance notice, giving Controller the opportunity to object on reasonable data protection grounds.

Processor shall impose data protection obligations on all subprocessors equivalent to those in this DPA, and shall remain liable to Controller for the acts and omissions of its subprocessors to the same extent as if performing the services directly.

7. Termination & Return of Data

Upon termination or expiry of the Terms of Service, Processor shall, at Controller's written election, either delete or return all Personal Data within 30 days and delete all existing copies, unless applicable law requires continued storage. Processor shall certify such deletion in writing upon request. Anonymized and aggregated data derived from User Data may be retained for up to 24 months for model improvement purposes, as permitted under the Terms of Service.

Annex I: Description of Processing / Transfer

Required by EU Commission Decision 2021/914.

Categories of Data Subjects: The Controller's customers, followers, and members of the public who post public comments on the Controller's Facebook Page(s).

Categories of Personal Data Transferred: Public Facebook display name; content of public comments and replies; post timestamps; Facebook User ID (public); interaction history with the Page.

Sensitive Data: None intentionally collected. Controller is responsible for ensuring no special-category data (Art. 9 GDPR) is present in public comments processed by the Service.

Nature & Purpose of Processing: Automated reading and contextual analysis of incoming public Facebook comments; generation of AI-drafted reply text using the Gemini API; posting of approved replies via the Facebook Graph API on Controller's behalf.

Duration of Processing: For the duration of the active Terms of Service Agreement. Following termination, Personal Data is deleted within 30 days (see Section 7). Anonymized aggregated data may be retained for up to 24 months.

Frequency of Transfer: Continuous / real-time during the active service period as comments are received on the connected Facebook Page.

Competent Supervisory Authority: The supervisory authority of the EU Member State where the Controller is established; or the UK Information Commissioner's Office (ICO) for UK-based Controllers.

Annex II: Technical & Organizational Security Measures

Required by EU Commission Decision 2021/914 and GDPR Article 32. Describes measures implemented by SocialConductor.AI as Processor.

Encryption in Transit: All data transmitted between end-users, the Service, and subprocessors is encrypted using TLS 1.2 or higher. Unencrypted HTTP is disabled in production environments.

Encryption at Rest: Database volumes and backup files are encrypted at rest using AES-256 via DigitalOcean managed database encryption.

Access Controls: Access to production systems is restricted to authorized SocialConductor.AI personnel on a strict need-to-know basis. All production access requires multi-factor authentication (MFA). Database credentials are managed via environment variables and never stored in source code.

Pseudonymization: Where feasible, Personal Data used for model training and analytics is pseudonymized or aggregated prior to processing, removing direct identifiers such as display names and user IDs.

Data Minimization: Only data necessary for the provision of the Service (public comment text, display name, user ID, timestamp) is collected and processed. No private messages or non-public profile data are accessed.

Availability & Resilience: The Service is hosted on DigitalOcean infrastructure with automated daily database backups and point-in-time recovery. Critical service failures trigger alerts to on-call personnel within 15 minutes.

Incident Response: A documented incident response procedure is maintained. Confirmed Personal Data Breaches trigger Controller notification within 72 hours per Section 3 of this DPA.

Subprocessor Oversight: All subprocessors (Google, DigitalOcean, PayPal) operate under contractual data protection obligations. Their compliance posture is reviewed at least annually.

Personnel Training: All SocialConductor.AI personnel with access to Personal Data receive data protection awareness training at onboarding and at least annually thereafter.