Legal

Data Processing Agreement

Last updated: April 17, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Driven Success LLC ("Processor", "we", "us") and the customer ("Controller", "you") who uses the Publish Now platform and API ("Service").

This DPA applies where we process personal data on your behalf in connection with the Service, as required by the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf through the Service.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means the individual to whom the Personal Data relates.
• "Sub-processor" means a third party engaged by us to process Personal Data on your behalf.
• "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Roles

When you use the Service to manage social media accounts or publish content on behalf of your end users or clients:

• You are the Data Controller — you determine the purposes and means of processing.
• We are the Data Processor — we process Personal Data only on your documented instructions.

When we process data for our own purposes (e.g., account management, billing), we act as an independent Data Controller as described in our Privacy Policy.

3. Categories of Data Processed

Category	Data Types	Purpose
Social media account data	Access tokens, refresh tokens, profile IDs, usernames, display names	Authentication and publishing on connected platforms
Content data	Post text, media files, scheduling parameters, metadata	Scheduling and publishing content to platforms
API usage data	Request logs, endpoints called, timestamps, IP addresses	Rate limiting, debugging, usage monitoring

4. Obligations of the Processor

We shall:

1. Process Personal Data only on your documented instructions, unless required by law (in which case, we will inform you before processing unless legally prohibited)
2. Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations
3. Implement appropriate technical and organizational security measures as described in Section 6
4. Not engage a Sub-processor without your prior general authorization, and inform you of any intended changes to Sub-processors
5. Assist you in responding to Data Subject requests (access, rectification, erasure, portability, etc.)
6. Assist you in ensuring compliance with your obligations regarding Data Breach notification, data protection impact assessments, and prior consultations with supervisory authorities
7. Delete or return all Personal Data upon termination of the Service, unless retention is required by law
8. Make available all information necessary to demonstrate compliance with this DPA and allow for audits

5. Obligations of the Controller

You shall:

1. Ensure that your use of the Service and your instructions for processing comply with applicable data protection laws
2. Obtain all necessary consents and provide all required notices to Data Subjects whose data you process through the Service
3. Be responsible for the lawfulness of the Personal Data you submit to the Service
4. Notify us promptly of any Data Subject requests that require our assistance

6. Security Measures

We implement and maintain the following technical and organizational measures to protect Personal Data:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest
• Access control: Role-based access, API key authentication, principle of least privilege
• Token security: Social media access tokens stored with encryption, never exposed in API responses or logs
• Infrastructure: Hosted on Cloudflare Workers with edge-level security, DDoS protection, and Web Application Firewall
• Monitoring: API request logging, anomaly detection, and security monitoring
• Incident response: Documented procedures for identifying, containing, and remediating security incidents

7. Sub-processors

You provide general authorization for us to engage Sub-processors. Our current list of Sub-processors is maintained at /subprocessors.

We will notify you at least 14 days in advance of adding or replacing a Sub-processor by updating the list and, where you have provided your email, by notification. If you object to a new Sub-processor, you may terminate the affected portion of the Service by providing written notice within 14 days of our notification.

We ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

8. Data Breach Notification

In the event of a Data Breach affecting your Personal Data, we will:

1. Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
2. Provide sufficient information to allow you to meet your own notification obligations to supervisory authorities and Data Subjects
3. Take reasonable steps to contain, investigate, and remediate the breach
4. Cooperate with you and provide updates as more information becomes available

9. International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries where our Sub-processors operate (including Cloudflare's global edge network).

For transfers from the EEA, UK, or Switzerland to countries without an adequate level of data protection, we rely on:

• Standard Contractual Clauses (SCCs): As adopted by the European Commission (Module 2: Controller to Processor, Module 3: Processor to Processor) and the UK Addendum where applicable
• EU-U.S. Data Privacy Framework: Where applicable and certified

10. Data Retention and Deletion

We retain Personal Data processed on your behalf only for as long as necessary to provide the Service. Upon termination of your account:

• Social media tokens are deleted immediately upon disconnection or account deletion
• Content data and account data are deleted within 30 days
• API request logs are retained for up to 90 days for debugging purposes, then deleted
• Billing records are retained as required by applicable tax and financial regulations

11. Audits

Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct an audit, or appoint a qualified third-party auditor, no more than once per year, with at least 30 days' prior written notice. The audit shall be conducted during regular business hours and shall not unreasonably interfere with our operations.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Term and Termination

This DPA takes effect when you begin using the Service and remains in effect as long as we process Personal Data on your behalf. It terminates automatically when the Terms of Service terminate, subject to our obligations regarding data deletion and return.

14. Contact

For questions about this DPA or to exercise your rights, contact us at:

• Email: yo@publishnow.app
• Address: Driven Success LLC, 160 Greentree Drive, Suite 101, Dover, Delaware 19904, United States