SMMapprove Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the SMMapprove Terms of Service between the Manager ("Controller", "you") and the SMMapprove operator ("Processor", "we"). It governs our processing of personal data relating to your Clients and the recipients of your approval requests, on your behalf. It is designed to satisfy Article 28 GDPR and UK GDPR. If there is a conflict on data-protection matters, this DPA prevails over the rest of the Terms.
1. Roles of the Parties
- For data you upload about your Clients and the recipients of approval requests (the "Client Personal Data"), you are the Controller and we are the Processor. Under US state privacy laws, you are the "business" or "controller" and we act as your "service provider" or "processor".
- For your own account data (your email and hashed password), we act as an independent controller as described in the Privacy Policy; that is outside the scope of this DPA.
- You confirm you have a lawful basis and any required consents or notices for the Client Personal Data, and that your instructions to us comply with applicable law.
2. Scope and Purpose; Instructions
- We process Client Personal Data only to provide the Service (hosting content for review, delivering approval requests and reminders, generating approval certificates and content hashes, security, and support) and only on your documented instructions, including those given through the Service's features and the Terms.
- We will inform you if, in our opinion, an instruction infringes the GDPR, UK GDPR, or other applicable data-protection law.
- We will not process Client Personal Data for our own purposes, and we will not sell it or share it for cross-context behavioural advertising.
- If we are required by law to process beyond your instructions, we will inform you first unless legally prohibited.
3. US Service-Provider / Processor Terms (CCPA/CPRA and other state laws)
To the extent US state privacy laws apply, we act as your service provider or processor, and we certify that we will: (a) not sell or share Client Personal Data; (b) not retain, use, or disclose Client Personal Data for any purpose other than the specific purpose of providing the Service under this DPA, or as otherwise permitted by law; (c) not retain, use, or disclose Client Personal Data outside the direct business relationship between you and us; and (d) not combine Client Personal Data with personal information we receive from, or on behalf of, other persons, except as permitted by the CCPA/CPRA. We will notify you if we determine we can no longer meet these obligations, and you may take reasonable steps to stop and remediate any unauthorised use.
4. Categories of Data and Data Subjects
- Data subjects: your Clients and other recipients of approval requests.
- Categories of personal data: contact details (email and/or phone number); content you upload (which may incidentally contain personal data, including images of individuals); and approval metadata — UTC timestamp, salted-hashed IP address (raw IP never stored), user-agent string, and SHA-256 content hash.
- Special categories: not intended; you must not upload special-category data unless you have ensured a valid Article 9 condition.
- Duration: for the term of the Terms; media and Client contact data deleted on the 7-day cycle described in the Privacy Policy; certificate, hash, and timestamp retained as an audit record.
5. Confidentiality
We keep Client Personal Data confidential and ensure that any person authorised to process it (including the founder and any contractor) is bound by an appropriate duty of confidentiality and processes the data only as instructed.
6. Security Measures (Article 32)
We implement and maintain appropriate technical and organisational measures, including:
- encryption in transit (TLS) and encryption of media and database backups at rest;
- pseudonymisation and minimisation: storage of salted-hashed IP addresses only (raw IPs never stored);
- signed, time-limited links for media access; access controls and least-privilege administration;
- a single, controlled EU hosting environment (Germany) with EU-capable object storage;
- controls to ensure confidentiality, integrity, availability, and resilience, and to restore availability after an incident;
- regular review of the effectiveness of these measures.
7. Sub-processors
- You provide general authorisation for us to engage the sub-processors listed below, each bound by a written agreement imposing data-protection obligations equivalent to those in this DPA:
- Cloudflare R2 — object storage of media and encrypted backups (EU-capable region);
- Brevo — transactional email delivery (EU/France);
- Hetzner-class VPS — hosting (Germany).
- We will inform you of any intended addition or replacement of a sub-processor with at least 30 days' advance notice, giving you the opportunity to object on reasonable data-protection grounds. If you reasonably object and we cannot offer an alternative, you may terminate the affected Service without penalty.
- We remain liable to you for the performance of our sub-processors' data-protection obligations to the same extent as for our own performance (Art. 28(4)), subject to the limitations of liability in the Terms except where the law does not permit limitation.
8. International Transfers
We store Client Personal Data within the EU/EEA (German VPS; EU-capable Cloudflare R2 region; Brevo in France). Where any transfer outside the EEA/UK to a non-adequate country occurs (for example, to a US-headquartered provider's systems), we rely on the EU-US Data Privacy Framework where the recipient is certified, or otherwise on the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and the UK International Data Transfer Addendum, supplemented by encryption and other technical measures. We will not transfer Client Personal Data to a non-adequate country without such safeguards. You may request copies of the safeguards in place.
9. Assistance to the Controller
Taking into account the nature of processing and the information available to us, we will assist you, by appropriate technical and organisational measures and at your reasonable cost where applicable, to:
- respond to data-subject requests (access, rectification, erasure, restriction, portability, objection) relating to Client Personal Data;
- ensure security of processing (Art. 32);
- fulfil breach-notification obligations (Arts. 33–34); and
- carry out data-protection impact assessments and prior consultations (Arts. 35–36) where required.
10. Personal-Data Breaches
We will notify you without undue delay after becoming aware of a personal-data breach affecting Client Personal Data, and in any event in time to enable you to meet your own 72-hour notification obligation to the competent supervisory authority. Our notice will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. We maintain an internal breach register.
11. Deletion or Return of Data
On expiry or termination of the Terms, or on your written request, we will delete or return all Client Personal Data and delete existing copies, except: (a) media and Client contact data already deleted on the 7-day cycle; (b) the approval certificate, SHA-256 content hash, and timestamp retained as proof of approval and an evidentiary record under legitimate interests; and (c) data we are required by law to retain. Backups are purged in the ordinary rotation cycle.
12. Audits and Records
We will make available to you the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, no more than once per year (or following a breach), subject to confidentiality and to protecting other customers' data and our trade secrets. Where available, we may satisfy audit requests by providing relevant third-party certifications or reports for our sub-processors. We maintain records of processing as required by Article 30.
13. Data Portability / Switching and Contact
Consistent with the EU Data Act, on request we will assist you in exporting or migrating your data to a competing provider in a commonly used, machine-readable format, within a reasonable time and without unreasonable cost or obstacles, to the extent the Data Act applies to the Service. For any matter under this DPA, contact support@smapprove.com.