Legal
The boring but important bits.
Last updated: 1 April 2026 · Version 1.0
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and PostVito Ltd ("Processor") and governs the processing of personal data by PostVito on your behalf.
This DPA applies where you use PostVito to process personal data of third parties (for example, social media audience data, collaborator data, or customer data stored in your Workspace).
1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data — i.e. you, the PostVito customer.
"Processor" means PostVito Ltd, which processes personal data on behalf of the Controller.
"Data Subject" means any identified or identifiable natural person whose personal data is processed.
"Personal Data", "Processing", "Sub-processor", and "Supervisory Authority" have the meanings given in UK GDPR and EU GDPR.
2. Scope and Roles
PostVito processes personal data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA). The subject matter, nature, purpose, and duration of processing are described in Schedule 1.
3. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing the personal data it submits to PostVito
- It has provided all required notices and obtained all required consents from Data Subjects
- Its instructions to PostVito comply with applicable data protection law
4. Processor Obligations
PostVito shall:
- Process personal data only on the Controller's documented instructions, unless required to do so by law
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Schedule 2
- Not engage any Sub-processor without prior written authorisation, or general authorisation as described in section 5
- Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests
- Delete or return all personal data upon termination of the agreement, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits
5. Sub-processors
The Controller grants general authorisation for PostVito to engage the Sub-processors listed in Schedule 3. PostVito will notify the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance via email or in-app notification, providing the Controller opportunity to object.
6. International Transfers
PostVito will not transfer personal data outside the UK or EEA without ensuring appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions). Sub-processor transfers are governed by Schedule 3.
7. Security Measures
PostVito maintains the technical and organisational measures described in Schedule 2. PostVito may update these measures provided the overall level of protection is not diminished.
8. Data Subject Rights
PostVito will promptly notify the Controller upon receiving a Data Subject request and will provide reasonable assistance to enable the Controller to respond. The Controller is responsible for responding to Data Subjects.
9. Data Breach Notification
PostVito will notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Controller data. PostVito will provide sufficient information to allow the Controller to meet its own notification obligations.
10. Audit Rights
The Controller may audit PostVito's processing activities relevant to this DPA on 30 days' written notice, no more than once per year, at the Controller's own cost. PostVito may satisfy audit requests by providing up-to-date third-party certifications (SOC 2, ISO 27001) where available.
11. Termination
This DPA remains in force for the duration of the Terms of Service. Upon termination, PostVito will delete or return all personal data within 90 days unless retention is required by law.
Schedule 1 — Details of Processing
| Item | Detail |
|---|---|
| Subject matter | Social media content, audience analytics, inbox messages, and any other data stored in the Controller's Workspace |
| Nature of processing | Storage, display, AI processing, scheduling, publication, analytics aggregation |
| Purpose | Provision of the PostVito Service as described in the Terms of Service |
| Categories of personal data | Names, usernames, email addresses, social media profile data, engagement data, message content |
| Categories of Data Subjects | The Controller's social media audiences, team members, inbox correspondents |
| Duration | For the term of the Terms of Service |
Schedule 2 — Technical and Organisational Measures
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
- Row-level security ensuring workspace data isolation
- Role-based access control with principle of least privilege
- Multi-factor authentication for production infrastructure access
- Regular automated backups with point-in-time recovery
- Vulnerability scanning and dependency updates on a regular basis
- Incident response plan with defined escalation procedures
Schedule 3 — Approved Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase Inc | USA (EU-hosted option available) | Database and authentication |
| Vercel Inc | USA / Global edge | Application hosting and CDN |
| Stripe Inc | USA | Payment processing |
| Resend Inc | USA | Transactional email delivery |
| SendGrid (Twilio Inc) | USA | Transactional email delivery (fallback) |
| OpenAI Inc | USA | AI text and image generation |
| Stability AI Ltd | UK | AI image generation |
| Kling AI (Kuaishou) | China | AI video generation |
| fal.ai (Features & Labels Inc) | USA | AI image and video generation proxy |
| Phyllo Inc | USA | Social platform OAuth and publishing |
| PostHog Inc | USA / EU | Product analytics (privacy-first, cookieless) |
| Plausible Analytics Ltd | EU (Estonia) | Web analytics (cookieless, GDPR-native) |
Contact
For DPA enquiries: legal@postvito.com
For data protection matters: dpo@postvito.com