GDPR Art. 28 Compliant

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Painless Content (operated by Pure App Studio) ("Processor") and the business customer ("Controller") and governs the processing of personal data on behalf of the Controller.

Last updated: 7 April 2026

Governed by GDPR (EU) 2016/679 and UK GDPR

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here carry the meanings given in the GDPR.

| Term | Meaning |
| --- | --- |
| Controller | The business customer that determines the purposes and means of processing personal data. |
| Processor | Painless Content (operated by Pure App Studio), which processes personal data on behalf of the Controller. |
| Data Subject | An identified or identifiable natural person whose personal data is processed. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.). |
| Sub-Processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. |
| UK GDPR | The GDPR as retained in UK law by the European Union (Withdrawal) Act 2018. |

2. Subject Matter, Duration, Nature & Purpose

Subject matter: The Processor provides a content-repurposing SaaS platform delivered via Telegram bot and web application. In doing so, the Processor processes personal data submitted by or on behalf of the Controller's end users.

Duration: This DPA remains in force for the duration of the subscription agreement between the parties and terminates automatically upon expiry or termination of that agreement, subject to Section 11 (Deletion and Return).

Nature and purpose: Processing is carried out to provide, maintain, and improve the Painless Content service, including generating platform-specific content from voice notes and text inputs provided by end users.

3. Categories of Personal Data & Data Subjects

The Processor processes the following categories of personal data on behalf of the Controller:

| Category | Examples | Data Subjects |
| --- | --- | --- |
| Account identifiers | Name, email address, OAuth provider ID | Controller's end users |
| Content inputs | Text messages, voice note transcriptions submitted to the bot | Controller's end users |
| Usage data | Daily repurpose counts, platform selections, session timestamps | Controller's end users |
| Payment identifiers | Stripe customer ID, subscription ID (no raw card data) | Controller's billing contacts |
| Communication data | Feedback form submissions, contact form messages | Controller's end users |

The Processor does not intentionally collect special categories of personal data (Article 9 GDPR). The Controller must not submit special category data through the service without prior written agreement.

4. Controller Obligations

The Controller warrants and undertakes that:

  1. It has a valid legal basis under GDPR Article 6 (and Article 9 where applicable) for all personal data it submits to the Processor.
  2. It has provided all required privacy notices to data subjects and obtained any necessary consents before submitting personal data.
  3. It will only instruct the Processor to process personal data in accordance with applicable data protection law.
  4. It will promptly notify the Processor of any changes to applicable law that materially affect the processing activities covered by this DPA.
  5. It will implement appropriate technical and organisational measures on its own systems and infrastructure.

5. Processor Obligations

The Processor shall, in relation to personal data processed on behalf of the Controller:

  1. Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law.
  2. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational measures (Article 32 GDPR) to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS 1.2+) and at rest.
  4. Not engage any Sub-Processor without prior specific or general written authorisation of the Controller, subject to Section 6.
  5. Assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III GDPR.
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  7. At the choice of the Controller, delete or return all personal data upon termination of the DPA, and delete existing copies unless applicable law requires storage.
  8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections.
  9. Immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection law.

6. Sub-Processors

The Controller grants general authorisation for the Processor to engage the following Sub-Processors. The Processor will notify the Controller of any intended changes (additions or replacements) at least 30 days in advance, giving the Controller the opportunity to object.

| Sub-Processor | Purpose | Location | Safeguard |
| --- | --- | --- | --- |
| Manus (AI Platform) | LLM inference, storage, OAuth, notifications | United States | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing, subscription management | United States | SCCs + Privacy Shield successor framework |
| Resend, Inc. | Transactional email delivery | United States | SCCs |
| TiDB Cloud (PingCAP) | Managed MySQL-compatible database | United States | SCCs |
| AWS (Amazon Web Services) | Object storage (S3) for user-uploaded assets | United States | SCCs |
| Telegram Messenger | Bot delivery channel | UAE / Global | Terms of Service; no personal data stored by Telegram beyond message delivery |

The Processor shall impose data protection obligations on each Sub-Processor equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of Sub-Processors' obligations.

7. International Data Transfers

Where personal data is transferred to a country outside the European Economic Area (EEA) or the United Kingdom that does not benefit from an adequacy decision, the Processor shall ensure that appropriate safeguards are in place in accordance with GDPR Article 46, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or Addendum.

8. Security Measures

The Processor maintains the following technical and organisational security measures:

| Measure | Implementation |
| --- | --- |
| Encryption in transit | TLS 1.2 or higher on all API endpoints and web interfaces |
| Encryption at rest | AES-256 encryption for database storage via TiDB Cloud |
| Access control | Role-based access; admin procedures gated by server-side role check |
| Session management | JWT sessions with 7-day TTL; secure, HttpOnly, SameSite=Strict cookies |
| Rate limiting | Per-IP rate limits on all API endpoints to prevent abuse |
| Dependency management | Regular dependency audits; automated vulnerability scanning |
| Incident response | Documented breach response procedure; 72-hour GDPR notification target |

9. Data Subject Rights Assistance

The Processor shall assist the Controller in responding to data subject rights requests within the timescales required by applicable law. Upon written request, the Processor will:

  1. Provide a copy of personal data held for a specific data subject (right of access — Article 15).
  2. Correct inaccurate personal data (right to rectification — Article 16).
  3. Delete personal data where the Controller confirms the legal basis for deletion (right to erasure — Article 17). The Processor's self-service account deletion feature at /payments satisfies this for direct end users.
  4. Restrict processing of personal data at the Controller's instruction (Article 18).
  5. Provide personal data in a structured, commonly used, machine-readable format (right to portability — Article 20).

10. Personal Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, the Processor shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach. The notification shall include, to the extent available:

  1. A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
  2. The name and contact details of the data protection point of contact.
  3. A description of the likely consequences of the breach.
  4. A description of the measures taken or proposed to address the breach.

The Controller remains responsible for notifying the relevant supervisory authority within 72 hours under Article 33 GDPR and, where required, notifying affected data subjects under Article 34 GDPR.

11. Deletion and Return of Personal Data

Upon termination or expiry of the subscription agreement, the Processor shall, at the Controller's election:

  1. Delete all personal data processed under this DPA within 30 days of termination, and certify such deletion in writing upon request; or
  2. Return all personal data to the Controller in a structured, machine-readable format (JSON) within 30 days of termination.

The Processor may retain personal data beyond this period only to the extent required by applicable law (e.g., financial records retention obligations), and shall inform the Controller of any such retention.

12. Audit Rights

The Controller may, upon reasonable written notice of at least 14 days, conduct an audit or inspection of the Processor's data processing activities covered by this DPA, either directly or through a mutually agreed third-party auditor. The Controller shall bear the costs of any such audit unless the audit reveals a material breach by the Processor.

As an alternative to a direct audit, the Processor may provide relevant third-party audit reports, certifications, or security assessments to satisfy the Controller's audit rights, subject to confidentiality obligations.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use. Where both parties are responsible for damage caused by processing in breach of GDPR, each party shall be held liable for the damage attributable to its own breach, in accordance with Article 82 GDPR.

14. Governing Law & Dispute Resolution

This DPA is governed by the laws of England and Wales (for UK/EU customers) or the laws of the State of Delaware, USA (for US customers), consistent with the governing law clause in the Terms of Use. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Use.

15. Execution & Acceptance

This DPA is incorporated by reference into the Terms of Use. By subscribing to Painless Content and accepting the Terms of Use, the Controller agrees to the terms of this DPA on behalf of the business entity it represents.

For enterprise customers requiring a countersigned DPA or custom amendments, please contact [email protected]. We aim to respond within 5 business days.

Request a Countersigned DPA

Enterprise customers can request a countersigned copy of this DPA for their compliance records. Complete the form below and we will respond within 2 business days.

Prefer email? [email protected]
