Data Processing Agreement
Effective date: March 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Curble Pty Ltd, a company registered in Sydney, Australia, operating as PINDEO ("Processor", "we", "us"), and the customer using the PINDEO platform ("Controller", "you"). This DPA sets out the terms under which we process personal data on your behalf in connection with the PINDEO service.
1. Definitions
- Data Controller means the customer who determines the purposes and means of processing personal data through the PINDEO platform.
- Data Processor means Curble Pty Ltd (operating as PINDEO), which processes personal data on behalf of the Data Controller.
- Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including the GDPR and the Australian Privacy Act 1988.
- Processing means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
- Data Subject means the identified or identifiable natural person to whom the personal data relates.
- Sub-processor means a third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
2. Scope and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the PINDEO social media management platform to the Controller. The categories of personal data processed include:
- Account information (name, email address, profile data)
- Social media data (profile information, posts, comments, engagement metrics, follower data) from connected platforms
- Content data (drafts, published posts, captions, media files, brand voice settings)
- Usage data (feature usage, interaction patterns, analytics)
- Payment information (processed by Stripe; the Processor does not store credit card numbers)
The data subjects include the Controller (as an individual content creator) and any individuals whose personal data appears in the social media content managed through the platform, such as followers, commenters, and audience members.
The duration of processing corresponds to the term of the Controller's use of the PINDEO platform, plus any retention period described in our Privacy Policy.
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
- Not engage another processor (sub-processor) without prior written authorization from the Controller, except for the sub-processors listed in this DPA.
- Assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws.
- Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
- At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests. Data subjects may exercise the following rights under applicable data protection laws:
- Right of access to their personal data
- Right to rectification of inaccurate personal data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Rights related to automated decision-making and profiling
If the Processor receives a request from a data subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless legally required to do so.
The PINDEO platform provides self-service tools for data export and account deletion through the Settings page. Controllers may also contact us at privacy@pindeo.com for assistance with data subject requests.
5. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors for the purposes described below. The Processor shall impose data protection obligations no less protective than those set out in this DPA on each sub-processor.
Supabase (hosted on AWS)
Database, authentication, and file storage infrastructure. Data is stored on AWS servers in the us-east-1 (N. Virginia) region.
Stripe
Payment processing for subscriptions. Stripe processes payment data under its own PCI DSS-compliant infrastructure. PINDEO does not store credit card numbers.
Anthropic (Claude API)
AI processing for content generation, voice analysis, and strategy recommendations. Relevant account context is sent to Anthropic's API for processing. Anthropic does not use API inputs to train their models.
Vercel
Application hosting and edge computing. Vercel processes requests and serves the PINDEO web application.
Resend
Transactional and notification email delivery, including weekly performance reports and account notifications.
The Processor shall notify the Controller of any intended changes to the list of sub-processors, giving the Controller an opportunity to object to such changes. If the Controller objects, the parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the agreement.
6. Data Security Measures
The Processor implements the following technical and organizational security measures to protect personal data:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest, including OAuth tokens encrypted with AES-256-GCM
- Row-level security (RLS) policies on all database tables to ensure strict data isolation between users
- Authentication and authorization checks on every API request
- Secure credential storage with no plaintext secrets in code or configuration files
- Regular security reviews of the codebase and infrastructure
- Access controls limiting employee access to personal data on a need-to-know basis
- Webhook signature verification for all incoming third-party webhooks
- Automated monitoring and alerting for suspicious activity
7. Data Breach Notification
In the event of a data breach affecting personal data processed on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the breach under applicable data protection laws.
- Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
8. International Data Transfers
The Processor is based in Sydney, Australia. Personal data processed through PINDEO may be transferred to and processed in the United States, where our infrastructure providers (Supabase/AWS, Stripe, Anthropic, Vercel, Resend) operate.
For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to countries that have not been deemed to provide an adequate level of data protection, the Processor relies on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers.
The Processor ensures that all sub-processors involved in international data transfers are bound by appropriate safeguards, including SCCs or equivalent mechanisms recognized under applicable data protection laws.
For transfers from Australia, the Processor complies with Australian Privacy Principle 8, ensuring that overseas recipients of personal data are bound by obligations substantially similar to the Australian Privacy Principles.
9. Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the PINDEO platform. Upon termination of the service agreement:
- The Controller may request the return or deletion of all personal data processed under this DPA.
- The Processor shall delete all personal data within 30 days of the request, unless applicable law requires continued storage.
- The Processor shall provide written confirmation of deletion upon the Controller's request.
The obligations of the Processor under this DPA with respect to personal data shall survive termination of the agreement to the extent necessary to fulfill the purposes described herein.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of New South Wales, Australia, without regard to conflict of law principles. To the extent that the GDPR or UK GDPR applies to the processing of personal data under this DPA, the relevant provisions of those regulations shall take precedence in the event of any conflict with local law.
11. Contact
For any questions or requests related to this Data Processing Agreement, please contact us at: