Data Processing Agreement
Last updated: November 2024
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Commentsell ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Scope
This DPA applies to all processing of personal data that the Processor carries out on behalf of the Controller in connection with the provision of the Service. This DPA supplements the Terms of Service.
2. Definitions
Terms used in this DPA have the meanings given to them in the EU General Data Protection Regulation (GDPR). "Controller" means the entity that determines the purposes and means of the processing. "Processor" means the entity that processes personal data on behalf of the Controller. "Sub-processor" means a third party engaged by the Processor to process personal data.
3. Processing Details
The Processor processes personal data on behalf of the Controller for the purpose of providing the Service as described in the Terms of Service. The Controller instructs the Processor to process personal data by using the Service.
Categories of personal data processed:
- Names and contact information (email, phone number)
- Social media identifiers (Facebook/Instagram user IDs, profile names)
- Reservation and transaction data
- Messages and comments related to the Service
Personal data is processed for the duration of the Controller's use of the Service. Upon termination, the Processor will delete all personal data within 90 days. If a data subject requests deletion of their data, the Processor will comply promptly.
4. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process the personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability)
- Notify the Controller of a personal data breach without undue delay after becoming aware of it
- Delete or return all personal data upon termination of the Service, unless retention is required by law
5. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor remains fully liable for the performance of its sub-processors. The current list of sub-processors is maintained below. The Processor will update this list when sub-processors change. Continued use of the Service after a sub-processor change constitutes acceptance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Infrastructure, database, authentication, AI features | EU (Frankfurt) |
| Meta Platforms | Social media integration (Facebook/Instagram API) | US/EU |
| Stripe | Payment processing | US/EU |
| Algolia | Search functionality | EU |
| Typesense Cloud | Search functionality | EU |
| Vercel | Website hosting | US/EU |
6. International Data Transfers
Where personal data is transferred outside the EU/EEA, the Processor ensures that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the sub-processor's own data transfer mechanisms, in accordance with GDPR Chapter V.
7. Audit and Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Such audits shall be conducted no more than once per year, upon at least 30 days' prior written notice, during normal business hours, and at the Controller's expense.
8. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
9. Contact
For questions about this DPA or to exercise data protection rights, contact us at:
Email: [email protected]