Uniflo

Data Processing Agreement (DPA)

Effective: 29 April 2026 — Applies to Pro and Agency plan customers

1. Scope and Applicability

This Data Processing Agreement (hereafter "DPA") governs the processing of personal data by Reverdin Studio (hereafter "Processor") on behalf of customers subscribed to Uniflo Pro or Agency plans (hereafter "Controller").

The DPA constitutes an integral part of the Terms of Service and complies with Article 28 of the GDPR (Regulation 2016/679) and equivalent regulations in other jurisdictions. Where this DPA conflicts with the Terms of Service, the more protective provision shall apply.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • Processing: Any operation performed on personal data, as defined in Article 4(2) GDPR.
  • Controller: The customer who determines the purposes and means of processing (the data controller under GDPR Article 4(7)).
  • Processor: Reverdin Studio, acting on the Controller's instructions, as defined in GDPR Article 4(8).
  • Sub-processor: Any entity contracted by the Processor to process personal data on the Processor's behalf (GDPR Article 28(2)).

3. Subject Matter and Duration

Subject matter: The Processor processes personal data for the purpose of delivering the Uniflo service, including but not limited to authentication, workspace management, content scheduling, channel connectivity, and AI-generated content assistance.

Duration: This DPA remains in effect for the duration of the service agreement and extends for the period required to fulfill data retention obligations post-termination.

Nature and purpose: Personal data processed includes email addresses, user names, IP addresses, session data, workspace contents, and channel credentials (encrypted). Processing occurs exclusively to deliver the contracted service.

4. Controller Obligations and Instructions

The Controller shall:

  • Ensure a lawful basis exists for all processing under GDPR Articles 6 and 9.
  • Provide clear, documented instructions to the Processor regarding the scope and nature of processing.
  • Obtain appropriate consent or rely on legitimate legal bases (e.g., contract execution, legal obligation).
  • Inform data subjects about processing via a privacy policy or equivalent (see Controller's separate Privacy Policy).
  • Respond to data subject rights requests within required timeframes; the Processor will provide assistance as required.
  • Immediately notify the Processor of any data breach, unlawful processing, or violation discovered by the Controller.

5. Processor Obligations

The Processor shall:

  • Process personal data only upon documented instructions from the Controller.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under professional obligation of secrecy.
  • Implement technical and organizational measures per Article 32 GDPR (see Section 7 below).
  • Not process personal data for its own purposes or transfer it without prior authorization. The Processor may not combine personal data from multiple Controllers or from non-service-related activities.
  • Comply with data subject rights requests (Articles 15–22 GDPR) by assisting the Controller in responding within statutory timeframes.
  • Assist the Controller in fulfilling its Data Protection Impact Assessment (DPIA) obligations under Article 35 GDPR.
  • Assist the Controller in demonstrating compliance with GDPR obligations (Article 32(3)).
  • Upon termination, return or securely delete all personal data unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance and allow for audits and inspections.

6. Sub-processors

The Processor may engage Sub-processors to fulfill service delivery. All Sub-processors are bound by the same confidentiality and security obligations as the Processor. The Controller is informed of and consents to the following Sub-processors:

Sub-processor / Jurisdiction / Purpose:

  • Anthropic, PBC. Jurisdiction: United States (California, US). Purpose: AI-powered content generation and chat assistance.
  • OpenAI, Inc. Jurisdiction: United States (California, US). Purpose: Optional third-party AI provider (if the customer chooses to bring their own key).
  • Stripe, Inc. Jurisdiction: United States (California, US). Purpose: Payment processing and billing.
  • Hetzner Online GmbH. Jurisdiction: Germany (EU, DE). Purpose: Cloud infrastructure and data hosting.
  • Postmark (Wildbit, LLC). Jurisdiction: United States (Pennsylvania, US). Purpose: Transactional email delivery (authentication, notifications).

Notification of Sub-processor Changes: The Processor will notify the Controller at least 15 calendar days before adding or replacing a Sub-processor. The Controller may object to the addition of a new Sub-processor by written notice; if an objection is made, the Processor and Controller will negotiate in good faith. If no agreement is reached, the Controller may terminate the service for the affected component without penalty.

7. Security Measures (Article 32 GDPR)

The Processor implements the following technical and organizational security measures, commensurate with the risk profile of the personal data processed:

  • Encryption in transit: All data transfers use TLS 1.2+ encryption.
  • Encryption at rest: Sensitive data (passwords, API credentials, payment information) is encrypted using AES-256.
  • Access control: Role-based access controls (RBAC) and principle of least privilege restrict access to personal data to authorized personnel only.
  • Pseudonymization: User identifiers are salted and hashed where applicable; direct identifiers are encrypted where possible.
  • Authentication: Multi-factor authentication (MFA) is available for user accounts; API access is controlled via token-based authentication with expiration.
  • Logging and monitoring: All access to personal data is logged and monitored for suspicious activity. Logs are retained for 12 months.
  • Data segmentation: Personal data is logically isolated per Controller (workspace).
  • Regular security testing: The Processor conducts periodic penetration testing and vulnerability assessments.
  • Incident response: A documented incident response plan is maintained and tested regularly.
  • Backup and recovery: Daily backups are performed with encrypted, geographically distributed storage. Recovery time objective (RTO) is 4 hours; recovery point objective (RPO) is 24 hours.
  • Personnel security: All personnel undergo confidentiality training and background checks. Staff access is revoked immediately upon termination.

8. International Data Transfers

Personal data may be transferred to Sub-processors located outside the European Economic Area (EEA). All such transfers are safeguarded by:

  • Standard Contractual Clauses (SCCs): Data transfers to Sub-processors in the United States and other jurisdictions lacking an adequacy decision are protected by the EU Commission's standard contractual clauses (as updated in 2021).
  • Supplementary Measures: Where necessary (e.g., transfers to the United States post-Schrems II), the Processor implements supplementary technical measures including end-to-end encryption at the application level where feasible.
  • Transparency: The Controller is informed of all jurisdictions where personal data is processed (see Section 6, Sub-processors list).

9. Data Subject Rights and Assistance

The Processor shall assist the Controller in responding to data subject requests under Articles 15–22 GDPR, including:

  • Right of access (Article 15): The Processor provides personal data copies or extracts upon request within 10 business days.
  • Right to rectification (Article 16): The Processor corrects inaccurate personal data or allows correction by the data subject via the service interface.
  • Right to erasure (Article 17): The Processor deletes personal data within 30 days unless legal obligations require retention.
  • Right to restrict processing (Article 18): The Processor can mark records as restricted; processing resumes only per the Controller's instruction.
  • Right to data portability (Article 20): The Processor provides personal data in a structured, machine-readable format (CSV, JSON) within 15 business days.
  • Rights related to automated decision-making (Article 22): The Processor does not use personal data for fully automated decisions with legal effect without express consent.

All requests from data subjects should be directed to the Controller. The Controller may forward requests to the Processor; the Processor will respond within 10 business days.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in no case later than 72 hours after becoming aware of a confirmed personal data breach, unless the Processor determines the breach is unlikely to result in risk to data subjects' rights and freedoms.

Breach notifications shall include:

  • Nature of the breach and data involved.
  • Likely consequences for data subjects.
  • Measures taken or proposed to address the breach and mitigate harm.
  • Contact point for further information.

The Controller is responsible for notifying affected data subjects and the relevant supervisory authority within the timeframes required by GDPR Article 33.

11. Audit Rights and Compliance Verification

The Processor shall make available to the Controller, upon reasonable notice (minimum 10 business days), all information necessary to demonstrate compliance with GDPR and this DPA. This includes:

  • Documented security policies and procedures.
  • Evidence of security assessments and penetration testing results (with commercially sensitive information redacted).
  • Personnel training records and confidentiality agreements.
  • Incident response documentation and breach notifications.
  • Sub-processor agreements and audit reports (where available).

The Controller may conduct an on-site audit, at its own expense, no more than once per 12-month period, provided the Controller demonstrates a legitimate business reason (e.g., regulatory obligation, reasonable suspicion of non-compliance). The Processor may reasonably limit disclosure of trade secrets and confidential information.

The Processor shall cooperate with supervisory authorities and provide information and assistance required by regulators investigating the Controller's compliance.

12. Data Retention and Deletion

Data Retention: Personal data is retained only as long as necessary to provide the service. Specific retention periods are:

  • Active workspace data: Retained for the duration of the service subscription.
  • Workspace contents (posts, schedules, drafts): Deleted within 30 days of account termination or upon explicit Controller instruction.
  • Authentication logs: Retained for 12 months.
  • Billing and transaction data: Retained for 10 years (tax/accounting compliance).
  • Backup copies: Retained for 90 days for disaster recovery; thereafter deleted or anonymized.

Deletion upon Termination: Upon service termination, the Processor shall, at the Controller's option, delete or return all personal data within 30 days, except where EU or national law requires storage.

13. Disclaimers Regarding AI and Third-Party Services

AI Processing: When the Controller uses AI-assisted features (content generation, recommendations), personal data may be transmitted to Sub-processors listed in Section 6. The Controller is responsible for obtaining appropriate consent from data subjects and complying with jurisdictional restrictions on AI processing. See the Controller's Privacy Policy for details on AI processing.

Third-Party Channels: When the Controller connects social media, email, or other third-party platforms via Uniflo, credentials and content are encrypted and stored by the Processor but may be transmitted to those third parties' servers as necessary to publish content. The Controller is responsible for compliance with those platforms' terms of service and privacy policies.

14. Liability and Indemnification

Limitation of Liability: Each party's total liability under this DPA is limited to the fees paid by the Controller in the 12 months preceding the claim, except for:

  • Data breaches caused by the Processor's gross negligence or willful misconduct.
  • Violations of data protection obligations (Articles 28, 32, 33, 34 GDPR).
  • Unauthorized processing of personal data.

In those cases, liability is not limited and either party may claim actual damages as permitted by applicable law.

15. Term and Termination

This DPA enters into force on the date the Controller signs up for a Pro or Agency plan and continues for the duration of the service agreement.

Upon termination of the service agreement:

  • Processing ceases immediately.
  • The Processor returns or deletes all personal data within 30 days (or upon reasonable request).
  • Obligations regarding confidentiality, security, and audit rights survive termination for 2 years or as required by law.

16. Amendments and Modifications

The Processor may amend this DPA to comply with new or revised legal requirements. Material amendments will be notified to the Controller at least 30 days in advance via email. If the Controller does not agree with an amendment, the Controller may terminate the service without penalty within the notification period.

17. Governing Law and Dispute Resolution

This DPA is governed by the laws of the European Union and Italy (where applicable), without regard to conflicts of law principles. Both parties agree to cooperate in good faith to resolve disputes. Disputes not resolved within 30 days may be escalated to the competent court of Rome or through arbitration as mutually agreed.

18. Contact and Questions

For questions regarding this DPA, data processing, or to exercise data subject rights, contact:

Reverdin Studio
Data Protection Officer / Legal Inquiries
contact@uniflo.eu

Disclaimer: This DPA is provided as-is and applies to all Pro and Agency plan customers effective 29 April 2026. It supersedes any prior data processing arrangements. For the current version, always refer to this page.