Legal
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between LittlePoster Lda. (“Processor”) and the customer (“Controller”) and applies to the processing of personal data on the Controller’s behalf in connection with the LittlePoster.ai service.
1. Definitions
Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given to them in the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR.
2. Roles
The Controller determines the purposes and means of processing Personal Data submitted to the service. The Processor processes that Personal Data on the Controller's behalf and only in accordance with the Controller's documented instructions, which include the Terms of Service, this DPA, and the configuration options in the service.
3. Subject matter and duration
The Processor processes Personal Data as needed to provide the LittlePoster.ai service, for the duration of the parties' agreement and any period required by law thereafter.
4. Categories of data and Data Subjects
- Data subjects:the Controller's workspace members, end users on connected social networks, and any individuals identifiable from content the Controller schedules through the service.
- Categories of data: identifiers and contact details, profile and account metadata, OAuth tokens for connected networks, content of posts and replies, media files, analytics, and usage and log data.
5. Processor obligations
- process Personal Data only on the Controller's documented instructions, including regarding international transfers;
- ensure personnel authorized to process Personal Data are under appropriate confidentiality obligations;
- implement the technical and organizational measures described in the Security page and in Annex II below;
- assist the Controller in fulfilling Data Subject requests and obligations under Articles 32–36 GDPR;
- notify the Controller without undue delay after becoming aware of a Personal Data breach.
6. Subprocessors
The Controller authorizes the Processor to engage the subprocessors listed in our Privacy Policy. The Processor will notify the Controller of intended changes to its list of subprocessors at least 30 days in advance. The Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the service.
7. International transfers
Where Personal Data is transferred outside the EEA or UK to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2, controller-to-processor) and, for UK transfers, the UK International Data Transfer Addendum, as if set out in full in this DPA.
8. Audits
The Processor will make available to the Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA. For Controllers on Enterprise plans, the Processor will support up to one audit per year, subject to reasonable confidentiality and scoping requirements.
9. Return or deletion
On termination of the service, the Processor will, at the Controller's choice, delete or return all Personal Data processed on its behalf, except where retention is required by law. In the absence of an instruction within 30 days of termination, the Processor will delete the Personal Data.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
Annex I — Processing details
- Purpose: providing the LittlePoster.ai service to the Controller as described in the Terms of Service.
- Nature of processing: collection, storage, organization, transmission, analysis, and deletion of Personal Data.
- Duration: the term of the agreement plus any retention period required by law.
Annex II — Technical and organizational measures
See the Securitypage for a current description of the Processor's technical and organizational measures, including encryption, access control, monitoring, and incident response. The Processor may update these measures over time provided that the overall level of security is not materially diminished.
Execution
Controllers that require a counter-signed copy of this DPA should email legal@littleposter.ai with their workspace name and signing contact. By using the service, the Controller is deemed to have accepted this DPA on behalf of itself and any authorized affiliates.