Data Processing Agreement
Last Updated: December 2024
GDPR Compliance
This Data Processing Agreement (DPA) governs the processing of personal data by NextGen Marketing and Automation LLC, operating under the brand name CommentKeyword, on behalf of our customers in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Controller": The customer using CommentKeyword's services who determines the purposes and means of processing personal data
- "Processor": CommentKeyword, which processes personal data on behalf of the Controller
- "Personal Data": Any information relating to Instagram users whose data is processed through CommentKeyword
- "Processing": Any operation performed on personal data, including collection, recording, storage, retrieval, or deletion
- "Data Subject": Instagram users whose personal data is processed through CommentKeyword
- "Sub-processor": Third-party processors engaged by CommentKeyword to assist in data processing
2. Relationship of the Parties
The parties acknowledge and agree that with regard to the processing of personal data:
- The Customer acts as the Controller
- CommentKeyword acts as the Processor
- The Customer shall comply with its obligations as a Controller under applicable data protection laws
- CommentKeyword shall process personal data only on behalf of and in accordance with the Customer's documented instructions
3. Processing Details
3.1 Subject Matter and Nature of Processing
CommentKeyword processes personal data to provide Instagram automation services, including:
- Monitoring Instagram comments for specified keywords
- Sending automated direct messages to Instagram users
- Managing conversation flows and AI-powered responses
- Providing analytics and reporting on engagement metrics
3.2 Categories of Personal Data
- Identity Data: Instagram usernames, display names, profile information
- Contact Data: Direct message content, comment text
- Behavioral Data: Engagement patterns, response times, interaction history
- Technical Data: Instagram user IDs, post IDs, timestamp data
3.3 Categories of Data Subjects
- Instagram users who comment on the Customer's posts
- Instagram users who receive automated direct messages
- Instagram users who engage with the Customer's content
3.4 Retention Period
Personal data will be retained for the duration necessary to provide the services, typically:
- Active Conversations: Retained while the conversation is ongoing
- Completed Conversations: Retained for 90 days for analytics purposes
- Historical Analytics: Aggregated, anonymized data retained for 2 years
- Account Termination: All personal data deleted within 30 days of account closure
4. Customer Obligations
The Customer warrants and undertakes that:
- It has the legal right to process all personal data provided to CommentKeyword
- It has obtained all necessary consents from data subjects where required
- It complies with Instagram's Terms of Service and privacy requirements
- It will inform CommentKeyword promptly of any data subject requests or regulatory inquiries
- It will not instruct CommentKeyword to process data in violation of applicable laws
5. CommentKeyword Obligations
5.1 Processing Instructions
- Process personal data only in accordance with the Customer's documented instructions
- Immediately inform the Customer if instructions appear to violate applicable data protection laws
- Not process personal data for any purpose other than providing the contracted services
5.2 Confidentiality and Security
- Ensure that personnel authorized to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to secure personal data
- Ensure encryption of data in transit and at rest
- Maintain access controls and audit logs
5.3 Data Subject Rights
CommentKeyword will assist the Customer in responding to data subject requests, including:
- Access Rights: Providing copies of personal data when requested
- Rectification: Correcting inaccurate personal data
- Erasure: Deleting personal data when legally required
- Portability: Providing data in machine-readable format
- Restriction: Limiting processing when requested
6. Sub-processors
6.1 Authorized Sub-processors
The Customer consents to CommentKeyword's use of the following sub-processors:
| Service Provider | Service | Data Location |
|---|---|---|
| Railway | Cloud hosting and infrastructure | United States |
| Supabase | Database services | United States |
| OpenRouter/OpenAI | AI processing (anonymized data only) | United States |
| Mailgun | Email delivery services | United States |
6.2 Sub-processor Changes
- CommentKeyword will provide 30 days' notice of any changes to sub-processors
- Customers may object to new sub-processors on reasonable data protection grounds
- If objections cannot be resolved, either party may terminate the agreement
7. Data Transfers
For transfers of personal data outside the European Economic Area (EEA):
- CommentKeyword implements appropriate safeguards as required by applicable law
- Standard Contractual Clauses (SCCs) are incorporated where necessary
- Additional technical and organizational measures are implemented for US transfers
- Customers will be notified of any changes to transfer mechanisms
8. Data Breach Notification
8.1 Incident Response
In the event of a personal data breach, CommentKeyword will:
- Notify the Customer without undue delay and within 72 hours of becoming aware
- Provide detailed information about the nature and scope of the breach
- Describe measures taken to address the breach and mitigate harm
- Assist the Customer in notifying relevant supervisory authorities if required
8.2 Breach Information
Breach notifications will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Data Protection Impact Assessment
CommentKeyword will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) where required by law, including:
- Technical and organizational measures implemented
- Security certifications and audit reports
- Information about data processing activities
- Risk mitigation strategies
10. Return and Deletion of Data
Upon termination of the agreement or upon Customer request:
- CommentKeyword will delete or return all personal data as instructed by the Customer
- Deletion will be completed within 30 days unless longer retention is required by law
- CommentKeyword will provide written confirmation of data deletion
- Backup copies will be securely deleted according to standard retention schedules
11. Audits and Compliance
11.1 Audit Rights
- Customers may conduct audits of CommentKeyword's compliance with this DPA
- Audits may be conducted directly or through independent third parties
- Reasonable advance notice (30 days) must be provided
- Audits must not unreasonably interfere with CommentKeyword's business operations
11.2 Compliance Documentation
CommentKeyword will make available information necessary to demonstrate compliance, including:
- Security certifications and attestations
- Third-party audit reports
- Documentation of technical and organizational measures
- Evidence of staff training on data protection
12. Liability and Indemnification
- Each party's liability is limited as set forth in the main service agreement
- CommentKeyword will indemnify the Customer for breaches of this DPA attributable to CommentKeyword
- The Customer will indemnify CommentKeyword for breaches attributable to the Customer's instructions
- Both parties will cooperate in defending against regulatory investigations or claims
13. Term and Termination
- This DPA remains in effect for the duration of the main service agreement
- Either party may terminate this DPA with 30 days' written notice
- Termination does not affect obligations that arose before termination
- Data return and deletion obligations survive termination
14. Amendments and Updates
This DPA may be updated to reflect:
- Changes in applicable data protection laws
- Regulatory guidance or supervisory authority requirements
- Changes in CommentKeyword's data processing practices
- Updates to sub-processor arrangements
Material changes will be communicated with 30 days' advance notice.
15. Governing Law and Jurisdiction
This DPA is governed by the same law as the main service agreement. Disputes will be resolved in accordance with the dispute resolution procedures set forth in the main agreement.
16. Contact Information
For questions about this DPA or data protection matters, contact:
- Data Protection Officer: [email protected]
- Legal Team: [email protected]
- Privacy Team: [email protected]