Data Processing Addendum (DPA)

Effective Date: February 16, 2026
Processor: SocialConductor.AI
Controller: The User / YouTube Channel Owner

Scope & Applicability: This DPA applies where SocialConductor processes "Personal Data" (as defined by GDPR) on behalf of the User in the course of providing AI-automated engagement services for YouTube. This includes data originating from the EEA, UK, and Switzerland.

1. Roles of the Parties

The parties acknowledge that for the purposes of the Data Protection Laws, the User is the Controller and SocialConductor is the Processor. SocialConductor shall process Personal Data only on the User’s documented instructions, including those set out in the Terms of Service.

2. International Data Transfers

SocialConductor utilizes infrastructure located in the United States. To ensure adequate protection for EEA and UK data subjects, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum.

3. Security & Breach Notification

SocialConductor shall implement technical and organizational measures to ensure a level of security appropriate to the risk. In the event of a confirmed Data Breach, SocialConductor will notify the User without undue delay and within 72 hours of discovery.

4. Subprocessors

User provides general authorization for the use of the following subprocessors:

Google LLC (USA): Cloud Infrastructure, YouTube API, and Gemini AI Inference.
DigitalOcean LLC (USA): Database and Web Application Hosting.
PayPal / Stripe (USA): Payment Processing and Subscription Management.

Annex I: Description of Processing / Transfer

Categories of Data Subjects	YouTube channel subscribers, viewers, and members of the public who interact with the Controller’s YouTube content.
Categories of Personal Data	Public YouTube display names, profile image URLs, comment text, video IDs, timestamps, and Channel IDs.
Sensitive Data	None. The service is not intended to process special categories of data (Art. 9 GDPR).
Nature of Processing	Automated ingestion via YouTube Data API, analysis via Large Language Models (LLM), and automated response generation.
Purpose of Processing	Facilitating community engagement, sentiment analysis, and AI-driven channel management.
Duration of Processing	The duration of the active subscription plus 30 days for data purge/deletion.
Supervisory Authority	The authority in the Member State of the Controller, or the UK Information Commissioner’s Office (ICO).

Annex II: Technical & Organizational Security Measures

Measure	Implementation Detail
Confidentiality	All employees and contractors are subject to strict written confidentiality agreements.
Data Encryption	Encryption of data in transit (TLS 1.2+) and at rest (AES-256) across all production databases.
Access Control	Strict "Least Privilege" access model. Multi-Factor Authentication (MFA) required for all administrative access.
Resilience	Daily automated backups with point-in-time recovery and geographically redundant hosting via DigitalOcean.
Data Minimization	System requests only the minimum YouTube API scopes required to read/reply to comments.
Disposal	Secure deletion protocols used for data removal upon account termination.

← Return to Terms of Service