Data Processing Addendum
Last updated: December 2024
This Data Processing Addendum ("DPA") forms part of the Terms of Service between GetAmbassadors ("Processor") and you ("Controller") for the processing of personal data.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on Personal Data
- "Data Subject": An individual whose Personal Data is processed
- "Sub-processor": A third party engaged by Processor to process Personal Data
- "GDPR": The EU General Data Protection Regulation (2016/679)
2. Scope and Roles
2.1 Controller Responsibilities
As the Controller, you:
- Determine the purposes and means of processing
- Ensure a lawful basis exists for the processing
- Respond to Data Subject requests
- Maintain records of processing activities
2.2 Processor Responsibilities
As the Processor, GetAmbassadors:
- Processes Personal Data only on documented instructions
- Ensures personnel are bound by confidentiality
- Implements appropriate security measures
- Assists with Data Subject requests
- Deletes or returns data upon termination
3. Categories of Data Processed
| Category | Data Types | Data Subjects |
|---|---|---|
| Account Data | Name, email, password hash | Users |
| Profile Data | Bio, location, niche, social handles | Creators |
| Business Data | Company name, industry, website | Brands |
| Payment Data | Bank details, transaction history | Users |
| Communication Data | Messages, collaboration notes | Users |
| Usage Data | IP address, browser, activity logs | Users |
4. Sub-processors
We use the following sub-processors. You consent to their engagement by accepting this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway (PostgreSQL) | Database hosting | EU |
| Vercel | Application hosting, analytics | EU/US |
| Stripe | Payment processing | EU/US |
| Upstash (Redis) | Caching, rate limiting | EU |
| Resend | Transactional email | US |
| AWS S3 | File storage | EU (Frankfurt) |
We will notify you of any changes to sub-processors at least 30 days in advance.
5. Data Security
GetAmbassadors implements the following security measures:
5.1 Technical Measures
- Encryption in transit (TLS 1.3)
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
- Regular security updates and patching
- Firewall and network security
- Intrusion detection systems
5.2 Organizational Measures
- Role-based access control
- Security awareness training
- Incident response procedures
- Regular security audits
- Background checks for personnel
6. Data Subject Rights
We assist Controllers in responding to Data Subject requests:
- Access: Export functionality in Settings → Privacy
- Rectification: Profile editing capabilities
- Erasure: Account deletion in Settings
- Portability: JSON/CSV export of all data
We will notify you of any Data Subject requests within 48 hours of receiving them.
7. Data Breach Notification
In the event of a Personal Data breach, GetAmbassadors will:
- Notify you within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach
- Describe likely consequences
- Outline measures taken or proposed
- Cooperate with any investigation
8. International Transfers
Where Personal Data is transferred outside the EEA, we ensure:
- Standard Contractual Clauses (SCCs) are in place
- Adequate supplementary measures where required
- Transfer Impact Assessments are conducted
9. Data Retention and Deletion
- Personal Data deleted within 30 days of account closure
- Transaction records retained for 7 years (legal requirement)
- Audit logs retained for 90 days
- Backups purged within 90 days of deletion
10. Audits
Controllers may audit our compliance with this DPA by:
- Reviewing our security documentation
- Requesting third-party audit reports
- Conducting on-site audits (with 30 days' notice, at the Controller's expense)
11. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service.
12. Term and Termination
This DPA remains in effect while we process Personal Data on your behalf. Upon termination:
- We will delete or return all Personal Data
- We will certify deletion upon request
- Retention obligations under law will be respected
13. Contact
For DPA-related inquiries:
- Data Protection Officer: [email protected]
- Legal Team: [email protected]
14. Governing Law
This DPA is governed by EU law and GDPR. Any disputes shall be resolved in accordance with the Terms of Service.