DPA — Data Processing Agreement
What a DPA is and when it is needed
If you use Publineo for commercial purposes and, as part of this cooperation, your company provides us with personal data (e.g. of employees, customers, or followers of your pages), Article 28 GDPR requires a data processing agreement (Data Processing Agreement, DPA) to be concluded.
The DPA defines who is the Controller (your company) and who is the Processor (ITAMA as the operator of Publineo), what our obligations are, where the data goes, how long we keep it, and what we do in the event of an incident.
How do you obtain a signed copy of the DPA? Write to support@publineo.com with the subject "DPA" and provide your company details (name, tax ID, address, representative). We send back a signed PDF within 5 business days — at no additional cost.
Parties to the agreement
Data Controller (Client)
Your company — the full details are completed in the version for signature based on the information you provide by email (name, address, tax ID, representative).
Data Processor (ITAMA)
- Name: F. H. U. ITAMA Dariusz Niemczak
- Address: ul. Starowiejska 16/2, 81-356 Gdynia
- NIP: 9581479203
- REGON: 222025985
- Represented by: Dariusz Niemczak
- support@publineo.com
§1 Subject matter and duration of processing
- The Controller entrusts the Processor with personal data for processing solely for the purpose of providing the Publineo platform services in accordance with the main agreement (terms and conditions + subscription).
- The DPA remains in force for the entire term of the main agreement.
§2 Nature, purpose, and scope of processing
Purpose: generating and publishing marketing content on social media on behalf of the Controller.
Nature of operations: storage, organization, transfer to third parties (social channels indicated by the Controller), and generation of derivatives (AI content).
Categories of data subjects:
- employees / associates of the Controller who have accounts in Publineo,
- followers / customers of the Controller to the extent that their data appears in content published by the Controller.
Categories of data:
- identification data (first name, last name, email, password — in the form of a cryptographic hash),
- employee contact details,
- access tokens for external channels (Facebook, Instagram, WordPress, LinkedIn) granted by the Controller,
- post content entered or approved by the Controller,
- technical logs (IP, action time).
§3 Processor obligations
- The Processor processes data only on documented instructions from the Controller (the main agreement and the DPA constitute such instructions). The Controller informs the Processor in writing of any extensions to the instructions (email is sufficient).
- The Processor ensures that persons authorized to process the data have committed themselves to confidentiality.
- The Processor implements appropriate technical and organizational measures (see §6).
- The Processor assists the Controller in fulfilling the rights of data subjects (access, rectification, erasure, portability). Standard response time: 5 business days.
- The Processor assists the Controller with obligations under Articles 32–36 GDPR (security, impact assessment, breach notification).
- After termination of the main agreement, at the Controller’s choice, the Processor deletes or returns all personal data and deletes existing copies, unless the law requires further storage (e.g. invoices — 5 years).
- The Processor provides the Controller with all information necessary to demonstrate compliance with Article 28 GDPR and allows audits in accordance with §7.
§4 Sub-processors
- The Controller gives general authorization to use the sub-processors listed in Appendix A (list below).
- The Processor informs the Controller by email of the intention to add or change a sub-processor with 14 days’ notice. The Controller may raise a justified objection — in that case, the parties have 30 days to resolve the dispute, after which the DPA terminates with appropriate notice.
- The Processor enters into a data processing agreement with each sub-processor on standards no lower than those of this DPA. The Processor is liable to the Controller for the actions of sub-processors as for its own actions.
§5 Data transfers outside the EEA
- Some sub-processors are located in the USA (including OpenAI, Cloudflare, Resend). Transfers take place on the basis of Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914.
- The Processor implements additional safeguards (encryption in transit and at rest, access control, pseudonymization where justified).
§6 Security measures
We use, among other measures:
- Encryption: TLS in transit, AES-256 at rest (database data), external tokens encrypted at application level.
- Access control: RLS (Row-Level Security) in the database, segregation of system roles (Admin / Editor / User), audit logs.
- Authentication: TOTP MFA required for administrative accounts, anti-bot protection on login endpoints (Cloudflare Turnstile), rate limits.
- Network: Cloudflare WAF, geo-blocking on the administration panel, domain isolation (separate origin for the panel).
- Backups: daily database backups with 30-day retention.
- Monitoring: audit logs of administrative actions, 12-month retention.
- Incident response: breach notification procedure within 24 hours of detection.
§7 Audit
- The Controller (or an independent auditor appointed by the Controller) has the right to audit the Processor, no more than once per year, with 30 days’ prior notice.
- The audit must not disrupt the Processor’s normal operations or compromise the confidentiality of other clients’ data. In practice, the audit includes a review of security documentation, test results, and answers to questions.
§8 Personal data breaches
The Processor notifies the Controller of a personal data breach without undue delay, no later than 24 hours after becoming aware of it. The notification includes:
- the nature of the breach (categories of data, number of persons),
- likely consequences,
- measures taken or planned,
- contact details for further coordination.
§9 Liability
The Processor’s liability arising from the DPA is limited to the liability limits set out in the main agreement. This exclusion does not apply in cases of gross negligence or willful misconduct.
§10 Final provisions
- The DPA constitutes an appendix to the main agreement and is an integral part thereof.
- In the event of a conflict with the main agreement, the DPA prevails in the area of data protection.
- Amendments to the DPA require written form (an email accepted by both parties is sufficient).
- Governing law: Polish law. Competent court: as provided in the main agreement.
Appendix A — List of sub-processors
- Supabase Inc. — database hosting, authorization, storage. Location: EU (Frankfurt) with infrastructure managed from the USA. Transfer basis: SCCs.
- Cloudflare Inc. — frontend hosting, WAF, anti-bot, CDN. Location: EU/USA (global network). Basis: SCCs.
- OpenAI L.L.C. — content and image generation (API). Location: USA. Basis: SCCs + additional non-training policy for the API.
- Resend Inc. — sending transactional emails. Location: EU/USA. Basis: SCCs.
- Meta Platforms Ireland Ltd. — publication of posts on Facebook and Instagram (based on the Controller’s tokens). Location: EU.
- Automattic Inc. / the Client’s WordPress installation — publication of posts (based on the Controller’s tokens). Location: according to the installation location.
- LinkedIn Corporation — publication of posts (based on the Controller’s tokens). Location: USA. Basis: SCCs.
PDF version for signature — this page is a public informational version. A binding DPA requires a signed copy with your company details completed. Write to support@publineo.com with the subject "DPA" — we send back a PDF ready for signature within 5 business days.