Optimate – Data Processing Agreement (DPA)

1. Parties

This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:

Controller and Processor are individually a “Party” and collectively the “Parties”.

2. Purpose & Scope

2.1 This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the provision of the Optimate Service under the main service agreement or terms of service between the Parties (“Main Agreement”).

2.2 The subject matter, nature, purpose, type of personal data and categories of data subjects are set out in Annex 1 to this DPA.

3. Roles of the Parties

3.1 Controller acts as the Data Controller for personal data it enters into or generates within the Optimate platform in relation to its own customers, staff or other data subjects.

3.2 Processor acts as the Data Processor, processing such personal data only on behalf of Controller and in accordance with Controller’s documented instructions and this DPA, except where otherwise required by applicable law.

4. Processor Obligations

Processor shall:

• Process personal data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by law;
• Ensure persons authorised to process personal data are bound by confidentiality obligations;
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
• Assist Controller in fulfilling its obligations to respond to data subject requests, where reasonably possible and subject to reimbursement of reasonable costs;
• Assist Controller in meeting GDPR obligations relating to security, breach notifications, data protection impact assessments and consultations with supervisory authorities, taking into account the nature of processing and available information;
• Make available information necessary to demonstrate compliance with this DPA and applicable data protection laws and allow for audits as described in Section 9;
• Promptly notify Controller if, in Processor’s opinion, an instruction infringes applicable data protection law.

5. Controller Obligations

Controller shall:

• Ensure that it has a lawful basis for processing personal data and using the Optimate Service;
• Provide Processor with processing instructions that comply with applicable data protection law;
• Be responsible for the accuracy, quality and legality of personal data provided to Processor;
• Notify Processor without undue delay of any changes to the nature of processing or categories of data that could impact compliance.

6. Subprocessors

6.1 Controller authorises Processor to engage third-party subprocessors for the provision of the Service. A current list of key subprocessors is included in Annex 2.

6.2 Processor will impose data protection obligations on Subprocessors that are substantially similar to those set out in this DPA.

6.3 Processor shall remain responsible for the performance of its Subprocessors.

7. International Transfers

7.1 Processor may transfer personal data outside the UK/EEA where necessary for providing the Service, subject to implementing appropriate safeguards, such as Standard Contractual Clauses or other recognised transfer mechanisms.

7.2 Processor will provide information about such safeguards upon reasonable request.

8. Security & Breach Notification

8.1 Processor shall implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

8.2 In the event of a personal data breach affecting personal data processed on behalf of Controller, Processor shall:

• Notify Controller without undue delay after becoming aware of the breach; and
• Provide information reasonably required by Controller to comply with its breach notification obligations.

9. Audits

9.1 Controller or its appointed auditor may, at its own cost and with reasonable notice, conduct audits (including inspections) to verify Processor’s compliance with this DPA, subject to:

• Reasonable advance written notice;
• Audits being conducted during normal business hours;
• Measures to safeguard the confidentiality and security of other customers’ data and Processor’s systems.

9.2 Processor may satisfy audit obligations by providing third-party certifications, reports or summaries that adequately demonstrate compliance (e.g. SOC 2, ISO 27001), where available.

10. Data Subject Requests

10.1 If Processor receives a request from a data subject relating to personal data processed on behalf of Controller, Processor will, where reasonably possible, forward the request to Controller without undue delay.

10.2 Controller is responsible for responding to such requests, and Processor will provide reasonable assistance where required, subject to reimbursement of reasonable costs.

11. Duration & Termination

11.1 This DPA shall remain in effect for as long as Processor processes personal data on behalf of Controller under the Main Agreement.

11.2 Upon termination of the Main Agreement, Processor shall, at Controller’s choice and subject to applicable law:

• Delete or anonymise personal data processed on behalf of Controller; or
• Return personal data to Controller.

11.3 Processor may retain certain data where required by law or for legitimate business purposes (e.g. billing records) in line with its retention policies.

12. Liability

12.1 The liability of each Party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement, except where prohibited by applicable law.

13. Miscellaneous

13.1 In the event of a conflict between this DPA and the Main Agreement concerning the processing of personal data, the terms of this DPA shall prevail.

13.2 This DPA is governed by the law specified in the Main Agreement, unless applicable data protection law requires otherwise.

Annex 1 – Details of Processing

Subject Matter

Processing of personal data entered into, generated by or derived from Controller’s use of the Optimate platform, including data relating to social media performance, team members and end customers where applicable.

Nature & Purpose

• Hosting and storage of customer account data;
• Analytics and reporting on social media performance;
• AI-powered content generation, recommendations and analysis;
• Provision of customer support and service improvements.

Types of Personal Data

• Identification data (e.g. name, email, usernames);
• Business contact details;
• Social media account identifiers and analytics data;
• Usage data relating to interaction with the Service;
• Other personal data entered into or generated within Optimate by Controller.

Categories of Data Subjects

• Controller’s employees, contractors or team members;
• Controller’s customers, clients or followers (to the extent analytics data relates to identifiable individuals);
• Other individuals whose data may be processed through Controller’s use of Optimate.

Duration of Processing

For the duration of the Main Agreement and until deletion or return of personal data in accordance with this DPA.

Annex 2 – Subprocessors

As of the effective date of this DPA, Processor uses the following key Subprocessors (non-exhaustive):

• Supabase – managed database, authentication and storage;
• Stripe – payment processing and billing management;
• OpenAI (and/or similar AI providers) – AI model inference for content and analytics;
• Hosting provider(s) (e.g. Vercel) – infrastructure and delivery of the web application;
• Analytics & monitoring tools – service performance and error tracking.

Processor may update this list from time to time. Controller may subscribe to notifications or request updates regarding changes to Subprocessors, where this is made available.

Signatures