Data Processing Agreement
Version 1.0 · Effective 18 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between BitShore Ltd ("PostTide", "Processor") and the Customer ("Controller") where PostTide processes personal data on behalf of the Customer. Business customers who require a countersigned copy can request one at legal@posttide.com.
1. Subject matter
PostTide processes personal data submitted by the Customer or on the Customer's instructions in order to provide the PostTide service, including scheduling, publishing, analytics, team collaboration, and AI-assisted features.
2. Duration
Processing continues for the term of the Customer's subscription and the 90-day data-retention window that follows cancellation, unless a longer period is required by law.
3. Nature and purpose
PostTide processes personal data solely to provide the contracted service — hosting and rendering content, publishing to connected platforms, sending notifications, producing analytics, moderating messages, and maintaining audit logs. PostTide does not use Customer personal data for its own marketing or to train external AI models.
4. Categories of data subjects and data
Data subjects: the Customer's team members, their designated external reviewers, and the end-users of the Customer's social media presence whose data is reflected in analytics (e.g. reach, engagement counts — aggregate and anonymous where possible). Data categories: identity data, contact data, authentication data, user-generated content, technical logs.
5. Processor obligations
PostTide will: process personal data only on the Customer's documented instructions; ensure personnel are subject to confidentiality; implement appropriate technical and organisational measures (encryption in transit and at rest, access controls, logging, regular review); assist the Customer in responding to data-subject requests; notify the Customer without undue delay of any personal data breach; delete or return personal data on termination as required.
6. Subprocessors
The Customer authorises PostTide to engage subprocessors for hosting, database, email delivery, payments, AI, and authentication. A current list is available on request. PostTide remains liable for the acts and omissions of its subprocessors. PostTide will give the Customer reasonable advance notice of material changes to subprocessor list and the Customer may object on reasonable data-protection grounds.
7. International transfers
Where personal data is transferred from the EEA, the UK, or Switzerland to a country without an adequacy decision, the transfer will be governed by the applicable Standard Contractual Clauses (or equivalent approved mechanism), the text of which is incorporated into this DPA by reference.
8. Audits
The Customer may request reasonable information needed to demonstrate compliance. Where an on-site audit is required by law, the parties will agree in advance on scope, timing, confidentiality, and cost; audits will not unreasonably interfere with normal operations.
9. Security measures
PostTide maintains, at minimum: TLS 1.2+ for data in transit; AES-256 at rest for database and object storage; role-based access control; multi-factor authentication on administrator accounts; quarterly access reviews; structured incident-response procedures; annual security training for personnel.
10. Breach notification
PostTide will notify the Customer without undue delay (and in any case within 72 hours of becoming aware) of any personal data breach affecting the Customer's data. Notifications will include information sufficient for the Customer to comply with its own notification obligations, to the extent known at the time.
11. Return or deletion
On termination, PostTide will, at the Customer's option, delete or return all personal data in its possession, subject to any legal retention requirements (e.g. invoice records). Deletion is automatic after the 90-day post-cancellation retention window unless the Customer requests earlier deletion or later retention where lawful.
12. Liability
Each party's liability under this DPA is subject to the limits set out in the Terms of Service, except for liability that cannot be limited under applicable data-protection law.
13. Governing law
This DPA is governed by the laws of England and Wales and forms part of the Terms of Service.