Data Processing Agreement (DPA)

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller to provide the Shinra Metrics SaaS platform and agreed services. Processing begins when the Controller enables the relevant workspace, campaign, trial, demo or paid plan and continues until the end of the service relationship, unless earlier deletion or return is required.

2. Nature, purpose and categories

Nature: Hosting, storage, retrieval, analysis, transcription, AI-assisted evaluation, display, export and transfer of personal data connected to social-media accounts, campaigns, links and livestreams.

Purpose: Delivery of dashboards, analytics, sharing, link tracking, livestream clipping, reports, exports and related features selected by the Controller.

Categories of data subjects:The Controller's users, team members, connected account holders, creators, campaign participants and audience members whose metrics or interactions are processed.

Categories of personal data: Account identifiers, profile information, engagement metrics, content metadata, comments, link-click data, campaign review data, clips, thumbnails, transcripts, technical and usage data, billing references and, where AI or Visual Intelligence is enabled, visual content and derived tags.

3. Obligations of the Controller

• Ensure it has a valid legal basis and all required notices, permissions and creator authorizations for personal data it uploads, connects or instructs the Processor to process.
• Use the service only in compliance with applicable data protection, platform and campaign laws.
• Provide documented instructions through the agreement, product settings, support requests or other written instructions.

4. Obligations of the Processor

• Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
• Ensure persons authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures in accordance with Article 32 GDPR.
• Assist the Controller in responding to data-subject requests and in meeting obligations under Articles 32-36 GDPR.
• Notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.
• At the Controller's choice, delete or return all personal data after the end of the provision of services and delete existing copies unless storage is required by law.
• Make available information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits.
• Inform the Controller without undue delay if, in the Processor's opinion, an instruction infringes GDPR or other EU or Member State data protection law.

5. Sub-processors

The Controller grants general authorization for the Processor to engage sub-processors listed at shinra-metrics.com/subprocessors. The Processor will notify the Controller of intended changes at least 15 days in advance and give the Controller the opportunity to object on reasonable data-protection grounds. The Processor remains fully liable for the performance of true sub-processors. Connected social platforms listed for transparency may act as independent controllers or separate platform providers depending on the feature and authorization flow.

6. International data transfers

Where personal data is transferred outside the EEA, the Processor uses appropriate safeguards under Article 46 GDPR, typically the European Commission's 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum where applicable and the EU-US Data Privacy Framework where applicable.

7. Technical and organizational measures

• Encryption of personal data in transit and at rest.
• Role-based access control, least-privilege principle and revocable API access tokens.
• Logging and monitoring of access to production systems.
• Regular backups and restore procedures.
• Security awareness for staff with production access.
• Segregated development, staging and production environments.
• Data minimization and pseudonymization where technically feasible.

8. Audit rights

The Controller may, upon 30 days’ written notice and no more than once per calendar year, request an audit of the Processor's compliance with this DPA. Audits must be conducted during normal business hours, not unreasonably interfere with operations and respect the confidentiality of other customers' data. In lieu of an on-site audit, the Processor may provide existing audit reports, security summaries, vendor documentation or written answers where those materials reasonably demonstrate compliance.

9. Liability

Each party's liability under this DPA is subject to the liability provisions in the underlying Terms of Service, without limiting mandatory liability under GDPR.

10. Signing this DPA

By entering into the underlying Terms of Service and processing personal data of third parties through Shinra Metrics, the Controller accepts this DPA without the need for further signature. A counter-signed PDF version is available on request by emailing info@ciberdime.com with your company details.

11. Contact