Legal

Data Processing Agreement

Last updated: February 1, 2026

Effective Date: February 1, 2026

What this is: This Data Processing Agreement ("DPA") governs the relationship between ShadowPhone Inc. ("Processor") and customers ("Controller") where ShadowPhone processes personal data on behalf of customers as part of providing the service. This DPA forms part of and is incorporated into the ShadowPhone Terms of Service. It is required where customers are subject to GDPR and process personal data of EU/EEA data subjects through the ShadowPhone platform (GDPR Article 28).

1. Definitions

"Controller" means the customer who determines the purposes and means of processing personal data using ShadowPhone.

"Processor" means ShadowPhone Inc., which processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.

"Processing" has the meaning given in GDPR Article 4(2).

"Sub-processor" means any third party appointed by ShadowPhone to process personal data on the Controller's behalf.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Processing Details

Subject matterProvision of the ShadowPhone Instagram automation platform
DurationFor the duration of the customer's subscription, and as required for legal retention obligations
NatureStorage, retrieval, transmission, and deletion of data as part of service delivery
PurposeEnabling the Controller to use ShadowPhone's automation, scheduling, and analytics features
Data typesAccount credentials, scheduling configurations, usage logs, content data
Data subjectsThe Controller's end users and employees who interact with the ShadowPhone platform

3. Processor Obligations

ShadowPhone, as Processor, agrees to:

  • Process personal data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service)
  • Ensure all personnel processing personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures under GDPR Article 32
  • Not engage sub-processors without the Controller's prior authorisation (general authorisation is granted by accepting these terms, subject to the sub-processor list in Section 5)
  • Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection)
  • Delete or return all personal data at the end of the service relationship, at the Controller's election
  • Provide the Controller with all information reasonably necessary to demonstrate compliance with Article 28 obligations
  • Notify the Controller without undue delay (and within 72 hours where feasible) on becoming aware of a personal data breach

4. Controller Obligations

The Controller agrees to:

  • Ensure there is a lawful basis for processing personal data under GDPR before instructing ShadowPhone to process it
  • Provide any necessary privacy notices to data subjects
  • Ensure that personal data provided to ShadowPhone is accurate and up to date
  • Not instruct ShadowPhone to process personal data in a way that violates applicable law

5. Sub-processors

The Controller grants ShadowPhone general authorisation to engage the following sub-processors. ShadowPhone will notify the Controller of any intended change to this list (addition or replacement) with at least 30 days' notice, giving the Controller the opportunity to object.

ProviderCountryPurposeSafeguard
Vercel Inc.United StatesWeb application hosting and edge deliverySCCs (EU 2021/914)
Railway Corp.United StatesCloud brain / orchestration server hostingSCCs (EU 2021/914)
Supabase Inc.United StatesDatabase (PostgreSQL), authentication, storageSCCs (EU 2021/914)
Clerk Inc.United StatesUser authentication and session managementSCCs (EU 2021/914)
Stripe Inc.United StatesPayment processing and subscription billingSCCs (EU 2021/914)
PayPalUnited StatesSupported legacy billing and credit top-up processingPayPal data protection terms
Sentry (Functional Software Inc.)United StatesError monitoring and crash reporting (PII-scrubbed)SCCs (EU 2021/914)

6. International Transfers

Where personal data is transferred from the EEA to a third country (such as the United States), ShadowPhone ensures appropriate safeguards are in place, primarily via EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2 Controller-to-Processor or Module 3 Processor-to-Processor as applicable). A copy of the applicable SCCs is available on request at privacy@shadowphone.io.

7. Security Measures

ShadowPhone implements the following technical and organisational measures under GDPR Article 32:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Row Level Security (RLS) on all database tables
  • Token-based authentication with short session expiry
  • API key hashing — keys are never stored in plaintext
  • Dependency pinning and regular CVE review
  • Error monitoring with PII scrubbing before log ingestion

For a full description of our security practices, see our Security page.

8. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, ShadowPhone will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the Controller's account email address and will include the nature of the breach, categories of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Audit Rights

The Controller may, upon reasonable notice (not less than 30 days) and no more than once per 12-month period, request an audit of ShadowPhone's data processing activities under this DPA. ShadowPhone will cooperate with such audits and provide documentation of relevant technical and organisational measures. Audit costs are borne by the Controller unless a breach of this DPA is identified.

10. Governing Law and Contact

This DPA is governed by the same law as the Terms of Service. Disputes arising under this DPA are subject to the same dispute resolution mechanism as the Terms of Service.

ShadowPhone Inc.

Data Protection / DPA Enquiries

privacy@shadowphone.io