Data Processing Agreement
Find here all the information about our DPA.
Redsuite.io belongs to Publytics Srl, registered office at Via Val Leventina 3 Int 1, 20148 Milano (MI), VAT number IT13079420967 (hereinafter also referred to as "Processor" or "Provider").
In this act of appointment the user will also be referred to as the "Controller" or "Client".
In this appointment, the processor and the controller may also be referred to as "party" or "parties".
The present appointment constitutes the entire agreement between the parties regarding the processing of personal data by the Processor on behalf of the Controller in relation to the provision of services.
1. Introduction
1.1 These terms (hereinafter also "appointment" or simply "agreement") establish the rights and obligations of the data controller and the data processor in the context of processing operations carried out by the Processor on behalf of the Data Controller.
1.2 Users affected by the processing of their data under this appointment include Reddit users whose publicly available data is processed by the service. For further information on the processing of data and the categories of data that the Processor collects and processes on behalf of the Controller, please refer to the privacy policy.
1.3 The parties have entered into a contract for a Reddit monitoring and management service that allows the Controller to monitor, analyze, and engage with Reddit communities (hereinafter the "Contract"). The performance of the services under the Contract involves the processing of personal data by the Data Processor, for the purposes and with the tools determined by the Controller and indicated in the Contract itself and in this appointment.
1.4 This agreement has been drafted to ensure compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").
1.5 Within the scope of the services provided under the Contract, the Data Processor shall process personal data on behalf of the Controller in accordance with this appointment.
1.6 The three annexes to this appointment form an integral part of the appointment.
1.7 Annex A contains details on the processing of personal data, including the purposes and types of processing, the nature of the personal data, and the categories of data subjects.
1.8 Annex B contains the conditions for the use by the Data Processor of sub-processors and a list of sub-processors authorized by the Controller.
1.9 Annex C contains the Controller's instructions regarding the processing of personal data and the security measures to be implemented by the Data Processor.
1.10 The clauses and annexes shall be retained by both parties, in electronic or paper form.
1.11 The clauses of this agreement do not exempt the Data Controller from the obligations to which it is subject under the General Data Protection Regulation (GDPR) or other regulations.
2. Rights and obligations of the data controller
2.1 The Data Processor must ensure that the processing of personal data complies with the GDPR (see Article 24 GDPR), the applicable data protection provisions of the EU or the EEA (European Economic Area) Member States, and the clauses set forth herein.
2.2 The Data Controller is responsible for deciding on the purposes and means of the processing of personal data.
2.3 Among other things, the Data Controller must ensure that the processing of personal data assigned to the Processor has a legal basis and that data subjects have been adequately informed where required by law.
2.4 The Controller undertakes to use the service in compliance with Reddit's Terms of Service and Content Policy. The Controller shall not use the service for purposes of spam, harassment, or any other illicit activity. In case of violations due to unauthorized use of the service, the responsibility for the breach of privacy rules shall rest solely with the Controller, who shall also indemnify and hold harmless the Processor from any claims for damages or penalties.
3. Rights and obligations of the data processor
3.1 The Data Processor shall process personal data only following documented instructions from the Data Controller, unless required to process it by a provision of EU law or the law of the Member State in which it is located. Such instructions shall be specified in Annexes A and C. Any further instructions may be issued by the Data Controller and evaluated by the Processor, and must always be documented and retained in writing, including electronically.
3.2 The Data Processor shall promptly inform the Data Controller if the instructions provided by the latter, in the Processor's opinion, violate the GDPR or the applicable data protection provisions of the EU or the Member States.
4. Confidentiality
The Processor shall grant access to the personal data processed on behalf of the Controller only to persons acting under its authority and who are committed to maintaining confidentiality or are required to do so by law, to the extent that they need access to it. The list of persons granted access to personal data shall be subject to periodic review. Based on this review, access to personal data may be revoked if it is no longer necessary.
5. Security measures
5.1 Pursuant to Article 32 of the GDPR, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate:
a) Pseudonymization and encryption of personal data;
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
5.2 The Data Processor shall assist the Data Controller in ensuring compliance with the Controller's obligations under Article 32 of the GDPR, providing, among other things, information to the Controller regarding the technical and organizational measures already implemented, along with any other information necessary for the Controller to fulfill its obligations under Article 32 GDPR.
5.3 The parties have assessed the adequacy of the security measures implemented by the Processor to address the risks inherent in the processing required by the provision of the Services as identified in Annex C.
6. Use of sub-processors
6.1 In order to engage another sub-processor for processing activities on behalf of the Controller, the Processor must meet the requirements of Article 28(2) and (4) of the GDPR.
6.2 The Data Processor shall not appoint another data processor (sub-processor) for the performance of the obligations set out in this appointment without the prior general written authorization of the Data Controller, which shall not be refused except for reasons related to the protection of personal data, such as a clear risk to the data protection of data subjects, violation of GDPR principles, or the sub-processor's failure to implement adequate security measures.
6.3 The Data Processor has the general authorization of the Data Controller to use sub-processors.
6.4 The Data Processor shall provide written notice to the data controller at least 15 days in advance if it intends to make changes to the list of sub-processors by adding new ones or replacing them, thereby giving the Controller the opportunity to object to such changes. In the absence of reasoned objection, the appointment shall be deemed automatically accepted. The list of sub-processors authorized by the Data Controller is available in Annex B.
6.5 If the Data Processor engages a sub-processor to perform specific processing activities on behalf of the Controller, data protection obligations equivalent to those set out in these clauses are imposed on such sub-processor through a contract or other legal act under EU law or the laws of the Member States.
6.6 It is the responsibility of the Data Processor to ensure that the sub-processor complies with at least the obligations to which the Data Processor is subject under these clauses and the GDPR.
6.7 A copy of such sub-processor appointment agreement must, upon request of the Controller, be shown to the Controller.
6.8 If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains liable to the Controller for the fulfillment of the sub-processor's obligations.
7. Transfer of data to third countries and international organizations
7.1 Any transfer of personal data to third countries or international organizations by the Data Processor shall be carried out only on the basis of documented instructions from the Controller and always in compliance with Chapter V of the GDPR and Annex C.3.
7.2 In case of transfers not authorized by the Controller but required by law under EU law or the law of the Member State in which the Processor is located, the Processor shall inform the Controller of the legal requirement before proceeding with the transfer, unless prohibited by law for important reasons of public interest.
7.3 Without documented instructions from the Controller, the Data Processor shall not transfer personal data to a controller or processor in a third country, nor assign processing to a sub-processor in a third country.
7.4 The clauses of this agreement should not be confused with the standard data protection clauses pursuant to Article 46(2)(c) and (d) of the GDPR.
8. Data Controller Assistance
8.1 Considering the nature of the processing, the Processor assists the Data Controller with appropriate technical and organizational measures, to the extent possible, in fulfilling the obligation of the Data Controller to respond to requests to exercise data subject rights under the GDPR.
8.2 In addition to the obligation to assist the Controller under clause 8.1, the Processor must also, taking into account the nature of the processing and the information available to it, assist the Data Controller in ensuring compliance with Articles 32-36 of the GDPR.
9. Notification in Case of Personal Data Breach
9.1 In the event of a personal data breach, the Processor shall, without undue delay after becoming aware of it, notify the Data Controller.
9.2 The notification by the Processor to the Controller shall, if possible, be made within 48 hours from the moment the Processor becomes aware of it to enable the Controller to meet its own notification obligations.
9.3 As provided for in clause 8.2, the Processor shall assist the Data Controller in the notification to the competent supervisory authority, providing the necessary information as outlined in Article 33(3) of the GDPR.
10. Erasure and Return of Personal Data
Upon completion of the processing operations of personal data, the Processor is obliged to erase all personal data processed on behalf of the Data Controller and certify to the Data Controller that it has done so, unless Union or Member State law requires storage for longer periods. The Controller may choose to delete their account and all associated data at any time. The Processor provides a link for simple and question-free deletion. All data will be permanently and immediately deleted when the Processor receives a data deletion request. Once the data has been permanently deleted, it cannot be recovered.
11. Audit
The Processor provides the Data Controller with all necessary information to demonstrate compliance with the obligations under Article 28 of the GDPR and agrees to a potential annual audit at the Processor's premises, to be notified at least 3 months in advance. The costs of the audits are borne by the Data Controller.
12. Additional Clauses
The parties may agree on additional clauses, provided that they do not contradict the provisions of this appointment agreement nor prejudice the fundamental rights and freedoms of the data subject.
13. Effectiveness and Term of the Appointment Agreement
13.1 This appointment agreement shall enter into force on the date of acceptance by the Data Controller.
13.2 Both parties shall have the right to request renegotiation of the clauses in the event of changes to the applicable law.
13.3 These provisions apply for the duration of the processing activities envisaged under the Contract.
13.4 This appointment agreement may be considered terminated following written notification by one of the parties once all processing activities have ceased and all personal data is deleted or returned.
Annex A: Processing Information
A.1. Purpose of the Processing Carried out by the Processor on Behalf of the Controller. The purpose of the personal data processing is to provide the Reddit monitoring, analytics, and management services described in the service documentation, allowing the Controller to track keywords and subreddits, analyze trends, and schedule posts and comments.
A.2. Nature of the Processing Carried out by the Processor on Behalf of the Controller. The nature of the processing involves the collection, recording, organization, structuring, storage, retrieval, consultation, and use of publicly available data from the Reddit platform via its official API, using automated and manual processing tools to provide the service to the Controller.
A.3. Categories of Personal Data Processed. The Processor processes publicly available data from Reddit, including:
- Reddit Username
- Post Content
- Comment Content
- Publicly Visible Profile Information (e.g., Karma score, Cake Day)
The Processor does not access or process private messages or any other non-public user data.
A.4. Duration of the Processing by the Processor. The duration of the processing is equal to that of the Contract, subject to any legal retention obligations or requests for deletion from the Controller. The Controller may choose to delete their account and all associated data at any time.
| Type of personal data processed | Categories of data subjects | Type of processing | Purpose of the processing | Storage times |
|---|---|---|---|---|
| Public Reddit data: Username, Post Content, Comment Content, Public Profile Information. | Reddit users whose public data is relevant to the keywords and subreddits monitored by the Controller. | Analysis, monitoring, and management of public Reddit data. | To provide the Redsuite service to the Controller. | Until the termination of the contract, or until the Controller decides to delete the data or their account, whichever occurs first. |
| Client's Reddit account credentials (via OAuth token). | The Client (Controller). | Secure storage and use of authentication tokens to perform actions (posting, commenting) on behalf of the Client. | To enable the post and comment scheduling features of the service. | Until the termination of the contract or until the Client disconnects their Reddit account from the service. |
Annex B: List of Authorized Sub-Processors
B.1. Pre-approved Sub-Processors List
| Service | Company | Location | Certifications/Purpose |
|---|---|---|---|
| Hosting | Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen, Germany | Hetzner Certifications |
| Hosting | EuroVPS (Euclid Services Ltd.) | 4 Agias Elenis Street, 6th Floor, Office 601, 1060, Nicosia, Cyprus | EuroVPS Certifications |
Annex C - Data Processing Instructions, Security Measures
C.1. The Data Controller's Instructions. The Data Controller instructs the Data Processor to process personal data in accordance with the Contract and this Data Processing Agreement. The Processor shall: (1) Process personal data solely on behalf of the Data Controller and in accordance with the Controller's documented instructions. (2) Immediately notify in writing if, in its judgment, an instruction violates the GDPR. (3) Perform the services and process personal data in compliance with the GDPR. (4) Promptly communicate to the Data Controller any non-compliance with this agreement. The Processor shall not collect or analyze personal information of Reddit users for purposes other than providing the service to the Controller (e.g., for selling advertisements to third parties).
C.2. Data Processing Security. The Processor has implemented the following technical and organizational security measures:
- Firewall protection
- Private, encrypted networks
- Antivirus and malware protection
- Encryption of data in transit (HTTPS/TLS)
- Capability to restore data availability within 24 hours in case of an incident.
- Confidentiality agreements signed by all personnel authorized to process personal data.
The Processor accesses public Reddit data exclusively through the official Reddit API in accordance with Reddit's terms of service. All data is stored in secure, access-controlled databases. Authentication tokens provided by the Controller for posting are encrypted at rest.
C.3. Instructions on Transfer of Personal Data to Third Countries. Data is not transferred outside the European Union. Personal data is stored on servers located in the Netherlands, Italy, Germany, and Finland.