data processing agreement

effective date: april 1, 2026

1. purpose

This Data Processing Agreement (“DPA”) governs the processing of personal data by PostAI SAS (“PostAI”, “Processor”) on behalf of the Customer (“Controller”) in connection with the PostAI Service. This DPA supplements and is incorporated by reference into the PostAI Terms of Service. In the event of a conflict between this DPA and the Terms of Service on matters relating to data processing, this DPA takes precedence.

2. definitions

The following terms have the meanings given in the GDPR (Regulation (EU) 2016/679):

  • Data Controller: the Customer, who determines the purposes and means of processing personal data.
  • Data Processor: PostAI SAS, which processes personal data on behalf of the Controller.
  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

3. subject matter & duration

PostAI processes personal data to provide the Service for the term of the Customer's subscription. This DPA remains in force for as long as PostAI processes personal data on behalf of the Customer and terminates automatically upon deletion of all such data following the end of the subscription.

4. nature & purpose of processing

PostAI processes personal data for the following purposes on behalf of the Customer:

  • Scheduling and publishing social media posts to connected platform accounts.
  • AI-powered content generation and caption suggestions based on Customer instructions.
  • Aggregating and displaying engagement analytics from connected platforms.
  • Storing and managing Customer content (media, drafts, published posts) within Workspaces.

5. types of personal data

The categories of personal data processed under this DPA include: social media account credentials and profile data (names, handles, profile images); content created or uploaded by the Customer (text, images, video); engagement metrics and audience data received from social platforms (likes, comments, follower counts); and any personal data contained within content the Customer chooses to schedule or publish.

6. data subjects

Data subjects include the Customer's authorised users who access the PostAI platform, and third-party individuals whose data may appear in content or engagement metrics sourced from connected social media platforms (e.g. social media audiences, followers, or commenters).

7. customer obligations

The Customer agrees to: ensure there is a lawful basis for any personal data provided to or processed via PostAI; provide accurate and up-to-date information when requested; notify PostAI without undue delay of any changes that may affect the lawfulness of processing; and comply with all applicable data protection laws in relation to the personal data it controls.

8. postai obligations

PostAI agrees to:

  • Process personal data only on documented instructions from the Customer, unless required by law.
  • Ensure that persons authorised to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures in accordance with GDPR Article 32.
  • Assist the Customer in fulfilling data subject rights requests where technically feasible.
  • Notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer data.
  • Manage sub-processors in accordance with Section 10 of this DPA.
  • On termination, delete or return all personal data and delete existing copies unless retention is required by law.

9. security measures

PostAI implements the following technical and organisational security measures:

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access controls limiting access to personal data to authorised personnel only.
  • Audit logs for access to production systems containing personal data.
  • Regular security testing and vulnerability assessments.
  • Incident response procedures aligned with GDPR breach notification requirements.

10. sub-processors

The Customer consents to PostAI engaging the following sub-processors. PostAI will inform the Customer of any intended changes to this list (additions or replacements) with at least 14 days' notice, giving the Customer the opportunity to object.

Sub-processor    Purpose                                           Location
Supabase         Database, authentication, and file storage        EU (Frankfurt)
Stripe           Payment processing and billing                    EU (Ireland)
Trigger.dev      Background job execution and task scheduling      EU
Resend           Transactional email delivery                      EU
Vercel           Application hosting and edge delivery             EU (primary region)
PostHog          Product analytics and session recording           EU cloud (Frankfurt)

11. audit rights

The Customer may, upon providing at least 30 days' written notice, conduct or commission an audit of PostAI's data processing practices to verify compliance with this DPA. Audits are limited to once per calendar year and must be conducted during normal business hours without unreasonable disruption to PostAI's operations. PostAI may satisfy this obligation by providing relevant third-party audit reports (e.g. SOC 2) in lieu of a direct audit.

12. governing law

This DPA is governed by French law. Any dispute arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts of Paris, France.

13. execution

This DPA is incorporated by reference into the PostAI Terms of Service. By accepting the Terms of Service, the Customer also accepts this DPA. No separate signature is required. The DPA takes effect on the date the Customer first accepts the Terms of Service or, for existing customers, on the effective date stated above.

For questions regarding this DPA, contact legal@postai.app.