Data Processing Agreement
GDPR-compliant agreement for business customers
Last Updated: November 27, 2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between JustPost AI B.V. ("Processor") and you ("Controller") for the provision of our AI-powered social media content creation services.
Processor Details
JustPost AI B.V.
KVK: 98532847
Raamplein 1, 1016XK Amsterdam
The Netherlands
Email: [email protected]
When You Need a DPA
Under GDPR, you may need a Data Processing Agreement with us if:
- You use JustPost.AI to process personal data of your own customers or clients
- You are a business (company, organization, agency) based in the EU/EEA
- Your data protection policies require documented DPAs with all processors
- You process data of EU residents regardless of your location
1. Definitions
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, etc.)
- "Data Subject" means an identified or identifiable natural person
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
- "Controller" means you, the party determining the purposes and means of processing
- "Processor" means JustPost AI B.V., processing Personal Data on behalf of the Controller
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor provides AI-powered social media content creation, scheduling, and publishing services as described in the Terms and Conditions.
2.2 Duration
Processing shall continue for the duration of the service agreement, plus any retention period required by law or as specified in our Privacy Policy.
2.3 Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
- Providing AI-generated social media content based on website analysis
- Scheduling and publishing content to connected social media platforms
- Managing user accounts and authentication
- Processing payments and maintaining billing records
- Providing customer support and communications
- Analytics and service improvement (anonymized where possible)
2.4 Categories of Personal Data
- Account information (name, email, password hash)
- Business information (company name, website URL, brand details)
- Social media profile data (from connected accounts)
- Payment information (processed by Stripe)
- Content created through the service
- Usage data and technical information
2.5 Categories of Data Subjects
- Users of the Controller's JustPost.AI account
- Individuals mentioned in content created through the service
- Social media followers/audiences (limited to publicly available data)
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Inform the Controller if any instruction infringes GDPR or other applicable law
- Not process Personal Data for any purpose other than providing the services
3.2 Confidentiality
The Processor shall ensure that:
- All personnel authorized to process Personal Data are bound by confidentiality obligations
- Access to Personal Data is limited to personnel who require access to perform services
3.3 Security Measures
The Processor implements appropriate technical and organizational measures, including:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Measures to ensure ongoing confidentiality, integrity, and availability
- Regular testing and evaluation of security measures
- Access controls and authentication mechanisms
- Incident response and data breach procedures
A detailed description of security measures is available upon request.
3.4 Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors, subject to:
- The Processor maintaining an up-to-date list of sub-processors at /legal/sub-processors
- Notification of any intended changes to sub-processors at least 30 days in advance
- The Controller's right to object to new sub-processors on reasonable grounds
- All sub-processors being bound by data protection obligations no less protective than this DPA
3.5 Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests, including:
- Access requests (GDPR Art. 15)
- Rectification requests (GDPR Art. 16)
- Erasure requests (GDPR Art. 17)
- Restriction requests (GDPR Art. 18)
- Data portability requests (GDPR Art. 20)
- Objection requests (GDPR Art. 21)
3.6 Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay after becoming aware of the breach
- Provide sufficient information to enable the Controller to meet GDPR notification requirements
- Take reasonable steps to mitigate the effects of the breach
- Document all breaches, including facts, effects, and remedial actions
3.7 Data Protection Impact Assessments
The Processor shall assist the Controller with Data Protection Impact Assessments (DPIAs) where required, providing necessary information about processing operations.
3.8 Audit Rights
The Processor shall:
- Make available information necessary to demonstrate compliance with GDPR
- Allow for and contribute to audits conducted by the Controller or an authorized auditor
- Provide evidence of compliance through certifications, audit reports, or other documentation
4. Obligations of the Controller
The Controller warrants that:
- It has a lawful basis to process Personal Data and to instruct the Processor to process it
- It has provided necessary notices and obtained necessary consents from Data Subjects
- Any instructions given to the Processor comply with applicable data protection law
- It will cooperate with the Processor in ensuring compliance with GDPR
5. International Data Transfers
5.1 Transfer Mechanisms
The Processor may transfer Personal Data outside the EEA. Such transfers are protected by:
- EU-US Data Privacy Framework (for certified US organizations)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions (for countries deemed adequate by the European Commission)
- Supplementary measures where required (encryption, pseudonymization)
5.2 Standard Contractual Clauses
By signing this DPA, the parties agree to the EU Standard Contractual Clauses (Module Two: Controller to Processor) as approved by European Commission Decision 2021/914, which are incorporated by reference.
6. Data Retention and Deletion
6.1 Retention Period
Personal Data is retained as specified in our Privacy Policy.
6.2 Deletion and Return
Upon termination of services, the Processor shall:
- Return or delete all Personal Data at the Controller's choice
- Delete existing copies unless required by law to retain
- Provide certification of deletion upon request
7. Liability
Liability under this DPA is governed by the limitations and exclusions set forth in the Terms and Conditions, subject to mandatory provisions of applicable law.
8. Term and Termination
This DPA shall:
- Come into effect upon acceptance of the Terms and Conditions
- Remain in effect for the duration of the service relationship
- Survive termination to the extent necessary for post-termination data handling
9. Amendments
This DPA may be updated from time to time to reflect changes in law or processing activities. Material changes will be notified in accordance with the Terms and Conditions.
10. Contact and Execution
How to Execute This DPA
Option 1 (Automatic): By using JustPost.AI services after November 27, 2025, you accept this DPA as incorporated into the Terms and Conditions.
Option 2 (Signed Copy): If your organization requires a countersigned DPA, please contact us at [email protected] with:
- Your company name and registration number
- Name and title of authorized signatory
- Business address and contact details
Annex A: Security Measures
The Processor implements the following security measures:
Technical Measures
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based access, MFA for staff
- Network Security: Firewalls, DDoS protection, intrusion detection
- Monitoring: Continuous logging, alerting, and audit trails
- Backup: Regular encrypted backups with tested recovery
Organizational Measures
- Personnel: Background checks, confidentiality agreements, training
- Policies: Written security policies, incident response procedures
- Vendor Management: Due diligence on sub-processors, contractual obligations
- Physical Security: Cloud providers with SOC 2 Type II certification
Annex B: Sub-processor List
The current list of sub-processors is maintained at: /legal/sub-processors
Contact Information
Privacy and DPA Inquiries
JustPost AI B.V.
Raamplein 1, 1016XK Amsterdam
The Netherlands
Email: [email protected]
Phone: +31 617422916 (Mon–Fri, 09:00–17:00 CET)