postkeet / dpa
v1.2 · 2026
data processing agreement · for business customers

The contract behind
the contract, without the jargon.

If you're a business with GDPR obligations, your legal team needs this. We wrote it the same way we wrote the privacy policy — plain English first, legal terms where they earn their keep. Version 2.1, last updated April 18, 2026.

1. What a DPA is, and who needs it.

A Data Processing Agreement is a contract between a company that decides what happens to personal data (you — the controller) and a company that handles it on your behalf (us — the processor). GDPR Art. 28 requires one. So do the UK GDPR, Swiss FADP, and a growing list of US state laws.

You need a DPA with Postkeet if you're based in the EU, UK, or Switzerland, if you serve customers there, or if your own enterprise buyers require one in their vendor reviews. If you're a solo creator posting your own stuff, you almost certainly don't need one — our Privacy Policy already covers you.

Plain terms: this document explains what we do with the personal data that your customers and team members trust you with. It's a legal companion to our Privacy Policy and Security page, not a replacement for them.

2. The parties.

This DPA is entered into between:

  • You (the "Controller") — the legal entity that signed up for a paid Postkeet workspace and decides what personal data goes into it.
  • Postkeet Studio, Inc. (the "Processor") — a Delaware corporation, with EU operations via Postkeet Studio Ltd. (Portugal), acting on your instructions.

Where you act as a processor yourself (e.g. an agency managing social for your own clients), Postkeet acts as a sub-processor. The terms below apply the same way, one layer down.

3. Subject matter and duration.

Subject matter: Postkeet's processing of personal data on your behalf, strictly to provide the Postkeet platform — scheduling, publishing, AI generation, analytics, brand voice, team collaboration — and related support.

Duration: from your first day on a paid plan, for as long as you have an active subscription, plus the 30-day deletion grace period that follows termination. After that, everything is cryptographically erased (see retention).

4. Processing purpose and nature.

We process personal data only to:

  • Run the Postkeet service you subscribed to.
  • Publish content to the social platforms you authorize.
  • Generate captions, images, and suggestions through our AI inference pipeline.
  • Deliver analytics, notifications, and team features.
  • Keep the service secure and debug issues you report.
  • Comply with binding legal obligations (tax, subpoenas we can't lawfully refuse).

The nature of processing is storage, transmission, transformation, and deletion — no profiling of data subjects, no automated decisions with legal effect, no advertising.

5. Categories of personal data.

CategoryTypical fields
User account dataEmail, name, avatar, password hash, role, MFA state, session metadata
Brand dataBrand name, logo, voice samples, style guidelines, connected social handles, OAuth tokens
ContentDrafts, scheduled posts, captions, images, videos, chat threads, approval history
AnalyticsPost-level engagement metrics, follower counts, click events, A/B outcomes
Usage telemetryFeature events, truncated IP, browser type, crash reports (PII scrubbed)

We do not process special categories of data (Art. 9 GDPR) and ask you not to feed any in. If your content routinely includes health, political, biometric, or similar data, contact us first — some features will need to be restricted.

6. Categories of data subjects.

  • Your team members — admins, editors, approvers, and viewers inside your Postkeet workspace.
  • Your end users and followers — individuals whose public profile data, comments, or mentions flow through our analytics and inbox features.
  • Talent and collaborators — anyone whose name, likeness, or content you upload into a brand (e.g. creators on your roster).

7. Security measures.

We apply technical and organizational measures appropriate to the risk, in line with GDPR Art. 32:

  • Encryption at rest: AES-256 on all databases, object storage, and backups.
  • Encryption in transit: TLS 1.3 everywhere, HSTS preload, no mixed content.
  • Authentication: password + MFA, OAuth 2.0 for social platforms, SSO (SAML / OIDC) on Studio and Enterprise plans.
  • Access controls: role-based access, least-privilege service accounts, all production access logged and reviewed monthly.
  • Secrets management: hardware-backed KMS, short-lived tokens, automated rotation.
  • Network: private VPCs, no direct database access from the public internet, WAF and rate-limiting at the edge.
  • Operational: mandatory peer review on code changes, SAST / dependency scanning in CI, quarterly penetration tests, annual tabletop incident drills.
  • Certifications: SOC 2 Type II in progress (Type I achieved Feb 2026), ISO 27001 scoped for 2027.

The complete measures are described on our Security page and in Annex II of the signed DPA.

8. Approved sub-processors.

We engage a small set of sub-processors, each under a signed DPA with equivalent protections. You authorize these on signup, and we'll give you 30 days' notice before adding a new one (object in writing and you can terminate without penalty).

Sub-processorPurposeLocation
SupabasePrimary database, auth, object storageEU (Frankfurt) or US (N. Virginia), per workspace
AnthropicAI inference (captions, brand voice, chat) under zero-retention APIUS
StripePayment processing, subscription billing, taxUS, EU (Ireland)
CloudflareCDN, WAF, DDoS protection, image optimizationGlobal edge (data at rest in EU / US)
ResendTransactional email delivery (receipts, alerts, invites)US, EU

Up-to-date list, with contract links where public, on the Security page.

9. International data transfers.

EU / UK / Swiss workspaces default to eu-central (Frankfurt) residency — your production data stays in the EU. Some sub-processors (Anthropic, Stripe, Resend) may process data in the US.

Those transfers rely on, in this order: adequacy decisions where available (e.g. the EU-US Data Privacy Framework for certified recipients), Standard Contractual Clauses (2021/914) with the UK Addendum and Swiss supplement, and additional safeguards — pseudonymization, encryption, contractual commitments to challenge overbroad government requests.

10. Audit rights.

Once per year (more if a supervisory authority requires it), you can audit our compliance with this DPA. In practice, the default is:

  • Our latest SOC 2 report, penetration test summary, and security questionnaire — shared under NDA within 10 business days.
  • A live walkthrough call with our security lead on request.
  • On-site or independent third-party audit available at your cost, with 30 days' notice, subject to reasonable security and confidentiality constraints.

11. Incident notification.

If we suffer a personal data breach affecting your data, we notify you without undue delay and in any case within 72 hours of becoming aware, with what we know so far: the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed.

Follow-up updates go out as the investigation develops. We help you meet your own notification duties to supervisory authorities and data subjects where applicable.

12. Your obligations as controller.

  • You have a lawful basis for every piece of personal data you put into Postkeet.
  • You give data subjects the notices they're owed (privacy policy, consent, cookie info on your own site).
  • You handle data-subject requests first; we assist under Art. 28(3)(e).
  • You configure access, roles, and MFA appropriately for your team.
  • You don't upload special-category or children's data unless we've agreed in writing.
  • You instruct us only through the product, signed orders, or written support requests — not via ad-hoc Slack messages we might miss.

13. Term and termination.

This DPA is in force for the duration of your Postkeet subscription. On termination, we stop processing, return or delete your personal data at your choice within 30 days, and confirm deletion in writing if you ask. Backups roll off on the next cycle (max 35 days). Anything we're legally required to retain (tax records, fraud logs) stays isolated until its retention clock runs out.

14. How to request a signed DPA.

Most customers don't need to sign anything — our online DPA (this page + the SCC module below) is pre-accepted when you accept the Terms. If your procurement team needs a countersigned PDF:

  • Email dpa@postkeet.com with your legal entity name, address, and workspace ID.
  • We return a signed PDF within 2 business days, using DocuSign.
  • Redlines are allowed on business terms; the GDPR-mandated clauses and SCC modules stay as-is.

Enterprise customers on our Studio plan get a dedicated legal contact and can route requests through the contact page.

15. Standard Contractual Clauses.

Where this DPA governs a restricted transfer, the parties incorporate the EU Commission's Standard Contractual Clauses (2021/914) by reference:

  • Module 2 (controller-to-processor) for direct EU / EEA customers.
  • Module 3 (processor-to-processor) where you are a processor for your own clients.
  • UK Addendum (ICO, March 2022) for transfers out of the UK.
  • Swiss supplement (FDPIC) for Swiss data subjects.

The applicable clauses apply in full, with Annex I (parties, data, transfers), Annex II (security measures), and Annex III (sub-processors) populated from the sections above. The supervisory authority is the Portuguese CNPD. Governing law and jurisdiction follow Clause 17/18 of the SCCs, with Portuguese courts as the agreed forum.

v2.1 · effective apr 18, 2026 · previous: v2.0 (jan 2026), v1.2 (aug 2025), v1.0 (mar 2025). Change log on request. Questions: dpa@postkeet.com. See also Privacy, Security, GDPR, Contact.