Definitions
Terms not defined here have the meanings given in GDPR and the PostRoute Terms of Service.
Subject matter, duration, nature, purpose
Subject matter: Processor's provision of the Service. Duration: the term of the subscription, plus the post-termination retention windows in the Privacy policy. Nature and purpose: enabling Customer to compose, schedule, publish, analyse, and respond to social-media content across connected platforms.
Categories of data subjects
Customer's end users, customers, audience members, and team members whose personal data Customer chooses to process through the Service.
Categories of personal data
Determined by Customer's use of the Service. Typically:
- Identifiers — names, usernames, email addresses, profile URLs.
- Communications — direct messages, mentions, comments ingested from connected platforms.
- Engagement metadata — likes, follows, impressions, click counts.
- Workspace member identifiers — Customer's collaborators, their roles, and audit trail of their actions.
Sensitive categories (Article 9 GDPR — health, ethnicity, sexuality, religion, biometric, etc.) are NOT designed to be processed through the Service. Customer represents that it will not transmit sensitive data through PostRoute without first agreeing additional safeguards in writing with us.
Customer instructions
PostRoute processes Customer Personal Data only on Customer's documented instructions, including with regard to international transfers. This DPA, Customer's configuration choices in the Service (channels connected, members invited, posts scheduled), and any explicit written instructions are the Customer's instructions. PostRoute will inform Customer if an instruction infringes GDPR or other data-protection law and may decline to act on it.
Sub-processors
Customer authorises PostRoute to engage the sub-processors listed in the Privacy policy. PostRoute will give Customer at least 30 days' notice of any new or replacement sub-processor by email to the workspace owner. Customer may object on reasonable data-protection grounds; if the parties cannot agree on a remediation, Customer may terminate the affected portion of the Service with a prorated refund of any prepaid unused period.
PostRoute imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable to Customer for any sub-processor's acts or omissions in respect of Customer Personal Data.
International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a third country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference. The UK International Data Transfer Addendum is incorporated where UK data is transferred. Switzerland: references in the SCCs to "GDPR" are read as references to the Swiss Federal Act on Data Protection.
Confidentiality
PostRoute personnel with access to Customer Personal Data are bound by written confidentiality obligations and trained on data-protection responsibilities. Access is limited to staff who require it for delivery of the Service or compliance with this DPA. Departing personnel lose access immediately on termination.
Security measures
PostRoute implements the technical and organisational measures described in Annex II below, which are designed to provide a level of security appropriate to the risk. Customer is responsible for configuring the Service per its own risk assessment (e.g. enforcing 2FA on its team accounts when available, choosing appropriate role assignments, following the Acceptable Use restrictions).
Personal data breach notification
PostRoute notifies Customer without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. PostRoute will assist Customer with any onward notifications to supervisory authorities and data subjects.
Data subject requests
PostRoute will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures (insofar as possible) in fulfilling Customer's obligation to respond to Data Subject Requests. The dashboard's data export, deletion, and rectification controls are the primary self-service path. For requests beyond these controls, contact [email protected].
DPIA assistance
On reasonable request, PostRoute will assist Customer with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to PostRoute.
Audit rights
Customer may request information necessary to demonstrate PostRoute's compliance with this DPA. PostRoute will respond to reasonable requests with available certifications, audit reports (SOC 2 Type II when complete), and the technical and organisational measures documentation. On-site audits may be conducted no more than once per 12-month period, on at least 30 days' written notice, by Customer or a mutually agreed independent auditor, subject to confidentiality obligations and at Customer's cost.
Return or deletion
On termination of the subscription, Customer may export its data via the dashboard (or via [email protected] if technical issues prevent self-service) for 30 days. After the 30-day grace window, PostRoute deletes Customer Personal Data from production systems within a further 30 days; backup copies are deleted on the rolling backup retention schedule (max 30 days additional) unless retention is required by mandatory law.
Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the underlying Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law.
Order of precedence
In the event of conflict between the documents governing the relationship, the following order of precedence applies: (1) the SCCs (where applicable), (2) this DPA, (3) the Terms of Service. Each prevails over the next in the list.
Annex I — description of processing
Subject matter, duration, nature, purpose, data subjects, and personal data categories are as described in the Sections above. Frequency: continuous, for the duration of the subscription.
Annex II — technical and organisational measures
See the Security policy for the full list. Highlights:
- Pseudonymisation and encryption — TLS 1.3 in transit, AES-256-GCM at rest for OAuth tokens, Argon2id for passwords.
- Confidentiality, integrity, availability, resilience — tenant isolation at the query-filter layer, daily encrypted backups, RPO ≤ 24h, RTO ≤ 4h.
- Restoration of access — backup restoration tested quarterly.
- Regular testing and evaluation — dependency scanning per PR, annual external pen-test, continuous static analysis.
- Access management — role-based access, audit log of every administrative action, refresh-token reuse detection.
- Personnel — written confidentiality undertakings, data-protection training on hire, immediate access revocation on departure.
Annex III — sub-processors
See the table in the Privacy policy. PostRoute will keep an up-to-date list at /privacy and notify the workspace owner email at least 30 days before any addition.