Data Processing Agreement

Capitalized terms not defined here have the meaning given to them in the EU General Data Protection Regulation (GDPR). "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meaning set out in Article 4 GDPR.

You act as Controller of any Personal Data you submit to or process through the Service. ExportComments acts as Processor and processes that data only on your documented instructions, including those set out in the Terms of Service.

• Subject matter: processing of comment data and account data to provide the Service.
• Duration: for as long as you maintain an active account.
• Nature & purpose: hosting, retrieval, transformation, analytics, and deletion of comment data.
• Categories of data subjects: social platform users whose public comments are exported; your own employees/users with dashboard access.
• Categories of data: usernames, display names, comment text, public engagement metrics, timestamps.

ExportComments will:

• Process Personal Data only on your documented instructions.
• Ensure persons authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational measures (Article 32).
• Assist you with Data Subject requests (Articles 12-23).
• Notify you of a Personal Data breach without undue delay and within 72 hours of discovery.
• Delete or return Personal Data on termination, except where retention is required by law.
• Make available all information necessary to demonstrate compliance and allow for audits on reasonable notice.

You authorize ExportComments to engage the sub-processors listed below. We will provide notice of any new sub-processor and give you a right to object on reasonable grounds.

• Vercel Inc. — application hosting (USA, EU).
• Neon Inc. — database hosting (USA, EU).
• PayPal Inc. — payment processing.
• Resend Inc. — transactional email delivery (USA).
• Google LLC — OAuth sign-in (only when chosen).

Where Personal Data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and supplementary measures as appropriate.

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Hashed passwords (bcrypt, work factor ≥ 12).
• Least-privilege access controls and audit logging.
• Regular dependency scanning and security reviews.
• Backups with documented restoration procedures.
• Incident response plan with 72-hour breach notification.

On reasonable written notice (no more than once per 12 months), you may audit ExportComments' compliance with this DPA. Audits will be conducted during normal business hours, will not unreasonably interfere with operations, and will respect the confidentiality of other customers.

On termination of the Service, ExportComments will delete or return all Personal Data within 30 days, unless retention is required by EU or Member-State law.

For DPA execution, sub-processor notifications, or audit requests, email dpo@exportcomments.xyz.