Draft

This document is a starter template. Lawyer review is required before SocialRouter accepts payments or launches publicly. Generated as an engineering placeholder; not yet legal advice or a binding agreement.

Data Processing Addendum

Last updated: April 25, 2026

This Data Processing Addendum ("DPA") is incorporated into the SocialRouter Terms of Service and applies when SocialRouter processes personal data on your behalf in connection with the Service.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in GDPR Article 4 or in the Terms. "Customer" refers to you. "SocialRouter" refers to SocialRouter Inc.

2. Processing roles

For personal data processed through the API on behalf of Customer, Customer is the Data Controller and SocialRouter is the Data Processor.

3. Subject matter and duration

SocialRouter processes data only for the purpose of providing the Service, for the duration of Customer's account.

4. Categories of data

  • End-user identifiers from social platforms (usernames, post IDs, public profile data)
  • Aggregated engagement metrics (counts, timestamps)
  • API request metadata (no message bodies stored)

5. Sub-processors

SocialRouter uses the following sub-processors:

  • Supabase Inc. — database and authentication (US)
  • Stripe Inc. — payment processing (US)
  • Vercel Inc. — hosting and edge delivery (US)
  • Plausible Insights OÜ — analytics (EU)

We will provide 30 days' notice before adding a new sub-processor by updating this list and emailing customers on Enterprise plans.

6. Security measures

SocialRouter implements appropriate technical and organizational measures as described in our Security page, including encryption in transit and at rest, access controls, audit logging, and incident response.

7. Data subject rights

SocialRouter will, taking into account the nature of the processing, assist Customer in fulfilling its obligations to respond to data subject requests under Articles 15–22 GDPR. Standard tooling is provided in the dashboard for export and deletion.

8. International transfers

For transfers of personal data from the EEA, UK, or Switzerland to the United States, SocialRouter relies on the EU Standard Contractual Clauses (SCCs) module 2 (Controller-to-Processor), incorporated by reference.

9. Audits

Once SocialRouter completes a SOC 2 Type 2 audit (estimated Q1 2027), we will share the report under NDA. Until then, customers on Enterprise plans may request a security questionnaire response.

10. Breach notification

SocialRouter will notify Customer without undue delay (and within 72 hours of becoming aware) of any personal data breach affecting Customer's data.

11. Deletion / return

Upon termination, SocialRouter will delete all Customer personal data within 30 days, except where retention is required by law (e.g., financial records).

12. Contact

Data Protection contact: privacy@socialrouter.ai