Data Processing Agreement

Last updated: March 22, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SunshineSlingshot ("Processor", "we") and the customer ("Controller", "you") and governs the processing of personal data in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on personal data. "Data Subject" means the individual to whom personal data relates. "Sub-processor" means a third party engaged by us to process personal data on your behalf.

2. Scope and Purpose

We process personal data solely to provide the SunshineSlingshot service as described in our Terms of Service. This includes: storing and publishing social media content you create; managing your connected social media accounts via their APIs; monitoring brand mentions and competitor data you configure; generating AI-assisted content using your chosen AI provider; delivering alerts to destinations you specify; processing subscription payments via Square.

3. Types of Personal Data Processed

We process the following categories of personal data on your behalf: social media account identifiers and display names; content of social media posts (which may contain personal data); social media mentions, comments, and direct messages routed through the inbox feature; email addresses and names of your team members; IP addresses for security and rate limiting purposes.

4. Data Subjects

Data subjects include: your employees and team members who use SunshineSlingshot; individuals who interact with your social media accounts (commenters, messengers); individuals mentioned in social media content you create or monitor.

5. Processor Obligations

We shall: process personal data only on your documented instructions, including with respect to transfers of personal data outside the EEA; ensure that persons authorized to process personal data have committed to confidentiality; implement appropriate technical and organizational measures to ensure security of processing (as described in our Privacy Policy); not engage another processor without your prior general authorization (see Sub-processors below); assist you in responding to data subject requests; assist you in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments); delete or return all personal data upon termination of the Service, subject to our data retention policy; make available to you all information necessary to demonstrate compliance.

6. Security Measures

We implement the following technical and organizational measures: encryption of personal data at rest (AES-256-GCM) and in transit (TLS 1.2+); access controls with role-based permissions; authentication via bcrypt-hashed passwords and JWT tokens; regular security monitoring and logging; rate limiting and SSRF protection; input validation and sanitization to prevent injection attacks. A full description of security measures is available in our Privacy Policy.

7. Sub-processors

You provide general authorization for us to engage the following categories of sub-processors. We will notify you of any changes to sub-processors with 30 days advance notice.

Current sub-processors: Social media platforms (Twitter/X, Meta, LinkedIn, TikTok, Pinterest, YouTube, Bluesky, Mastodon) — for publishing and retrieving social content via their APIs. AI providers (as configured by you — Anthropic, OpenAI, Google, etc.) — for processing content text to generate suggestions. Square, Inc. — for payment processing. SMTP email provider (as configured) — for transactional email delivery.

8. Data Transfers

Personal data may be transferred outside the EEA when social media platforms or AI providers process data in their own infrastructure. These transfers are governed by the respective platform's data processing terms. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved under GDPR.

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include: the nature of the breach; categories and approximate number of data subjects affected; likely consequences; measures taken or proposed to address the breach.

10. Data Subject Rights

We will assist you in fulfilling data subject requests under GDPR Articles 15-22, including: right of access (via the data export feature); right to rectification (via account settings); right to erasure (via account deletion); right to data portability (via JSON data export). Self-service tools are available in your dashboard for most data subject requests.

11. Data Retention and Deletion

We retain personal data for as long as your account is active. Upon account deletion, all data is permanently deleted after a 30-day grace period. Payment records are retained for up to 7 years as required by financial regulations. GDPR consent records are retained for compliance auditing purposes.

12. Audits

You may request reasonable information to verify our compliance with this DPA. We will provide relevant documentation upon request. On-site audits may be conducted with 30 days advance notice, during business hours, and at your expense, subject to reasonable confidentiality obligations.

13. Term

This DPA is effective for the duration of your use of the Service and survives termination to the extent necessary for us to fulfill our data processing obligations (including deletion of data).

Contact

For DPA inquiries or to request a signed copy: privacy@sunshineslingshot.com