Data Processing Addendum

This DPA forms part of our Terms of Service and applies whenever we process personal data on your behalf as a data processor under GDPR.

1. Definitions

"Controller", "Processor", "Personal Data" and "Processing" have the meanings given in the GDPR (Regulation (EU) 2016/679). You are the Controller; comment2chat.online is the Processor.

2. Scope

We process Personal Data on your behalf for the sole purpose of operating the Instagram automation workflows you configure. Categories of data: Instagram user IDs, comment text, DM content, follower metadata.

3. Sub-processors

  • Vercel Inc.: hosting (USA, GDPR SCCs).
  • Supabase Inc.: database and auth (USA, GDPR SCCs).
  • Stripe, Inc.: payment processing (USA, GDPR SCCs).
  • Meta Platforms, Inc.: Instagram Graph API (under your direct authorization).
  • Resend, Inc.: transactional email (USA, GDPR SCCs).

We'll give 30 days' notice before adding new sub-processors and let you object.

4. Security

  • TLS 1.2+ for all data in transit.
  • AES-256 at-rest encryption for databases.
  • Per-row encryption for Meta App secrets and Instagram access tokens.
  • Role-based access control, audit logs, MFA for production access.
  • Annual penetration testing by an independent firm.

5. International transfers

Data may be transferred to the USA. We rely on EU Standard Contractual Clauses (SCCs) with all USA-based sub-processors.

6. Data subject rights

We'll assist you in fulfilling data-subject requests (access, correction, deletion, portability) within 5 business days. Forward requests to support@comment2chat.online.

7. Breach notification

If we become aware of a personal data breach, we'll notify you within 72 hours with the nature of the breach, categories and approximate volumes of data affected, and remediation steps.

8. Audit

You may audit our compliance once per year on 30 days' written notice, at your cost. We'll provide reasonable cooperation.

9. Deletion

On termination, we'll delete or return all Personal Data within 30 days, except where law requires retention (e.g. financial records).

10. Acceptance

By using the service, you accept this DPA. To request a counter-signed copy, email support@comment2chat.online.