Data Processing Agreement (DPA)
Last Updated: May 11, 2026
Upload-Post is operated by TONVI TECH S.L., a company established in Spain (EU). When a business customer uses the Services to process Personal Data of their own users, employees, or end customers, Upload-Post acts as a Processor (and, where applicable, Sub-processor) within the meaning of Article 4(8) of Regulation (EU) 2016/679 (the "GDPR").
We make a Data Processing Agreement compliant with Article 28 GDPR available to all business customers on request, free of charge. The DPA is also designed to meet the requirements of the UK GDPR and the Swiss Federal Act on Data Protection where applicable.
How to request the DPA: Send an email to [email protected] with the legal name, registered address, and country of your company. We will send the current version of the DPA for review and signature. Once you countersign and return it, we will execute it and provide a final signed copy.
What the DPA Covers
The Upload-Post DPA addresses the requirements of Article 28(3) GDPR and includes:
- Subject matter, duration, nature, purpose and types of Personal Data Processed (Annex I).
- Technical and organisational measures applied to protect Personal Data (Annex II).
- The current list of authorised Sub-processors and their locations (Annex III, also published at our Sub-processors page).
- EU Standard Contractual Clauses (SCCs) for international transfers, incorporated by reference (Annex IV), with Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor) as applicable.
- UK International Data Transfer Addendum and Swiss FADP coverage where relevant.
- Personal Data Breach notification obligations.
- Assistance with Data Subject rights requests and DPIA obligations.
- Audit and information rights, deletion and return of Personal Data at the end of the engagement.
When You Need a DPA
You should sign a DPA with Upload-Post if you are subject to the GDPR (or UK/Swiss equivalent) and you use the Services to process Personal Data on behalf of identifiable individuals — for example, when your business uses the Services to publish content for your own clients (agencies, white-label SaaS, marketing platforms), or when your social media accounts are operated on behalf of a separate legal entity. For sole-trader or strictly individual use of the Services, a DPA is generally not required.
Existing Customers
Where a customer has not signed an individual DPA, the data protection obligations governing our Processing are those set out in our Terms of Use and Privacy Policy, together with applicable law. A signed DPA supplements those terms with the specific contractual safeguards required by Article 28 GDPR.
Custom Terms
If your organisation requires a DPA based on your own template, send it to [email protected] and we will review it. Reasonable modifications to our standard DPA can be accommodated for enterprise and high-volume customers; substantive deviations may take longer to negotiate.
Contact
For DPA requests, sub-processor questions, or any data protection matter, contact [email protected].