Data Processing Agreement
Standard DPA for customers processing personal data of EU/UK residents through SuperPost.
Last updated
⟩ Scope
This DPA applies when SuperPost (the processor) processes personal data on behalf of the customer (the controller) under the GDPR, UK GDPR, or equivalent data-protection law.
⟩ Duration and subject-matter
Processing lasts for the duration of the customer's subscription. The subject-matter is the operation of the SuperPost service: content generation, cross-platform publishing from connected repositories, and post-publish outcome measurement that feeds an automated per-workspace learning loop.
⟩ Outcome collection (Layer 2)
After SuperPost publishes a post on the controller's behalf, the processor collects public engagement metrics from each platform's API at fixed intervals (T+1h, T+6h, T+24h, T+7d), and, where the controller has connected a public GitHub repository, hourly snapshots of the repository's public star count. These outcomes are stored per workspace, retained per the Retention and deletion section of this DPA and the Retention section of our Privacy Policy (superpost.io/legal/privacy#retention), and used solely to operate the service for that workspace. They are not shared between controllers, sold, or used to train third-party models. The processor maintains an aggregated, fully de-identified cross-workspace prior used to bootstrap new workspaces; the prior cannot be reversed to identify any individual controller.
⟩ Subprocessors
SuperPost engages the subprocessors listed at superpost.io/legal/subprocessors. We will give the customer 30 days' notice before adding or replacing a subprocessor. The customer may object in writing during this period.
⟩ International transfers
Personal data may be transferred outside the EEA/UK to subprocessors located in the United States and other regions. Transfers are governed by the EU Standard Contractual Clauses (Module 2: controller-to-processor) and the UK International Data Transfer Addendum.
⟩ Security
SuperPost implements technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, audit logging, and vulnerability scanning, with an annual third-party penetration test scheduled to begin post-launch. A SOC 2 Type II audit is planned; the audit window has not yet opened, so no report exists yet. We will make the report available under NDA once it is issued.
⟩ Retention and deletion
On termination of the Agreement, SuperPost provides a 30-day export window and then purges the customer's personal data within 60 days, except where retention is required by law. Backups containing that data are rotated out within 35 days. These terms mirror the signed DPA (§4) and the Retention section of our Privacy Policy.
⟩ Incident notification
SuperPost will notify the customer without undue delay, and in any case within 48 hours, of becoming aware of a personal-data breach affecting the customer's data.