Data Processing Agreement
This Agreement describes how NaiPost processes personal data as controller and/or processor, including security measures and respective obligations.
Last updated: 2026-06-15
This document follows your site language. When using X, Meta (Facebook/Instagram), LinkedIn, or TikTok features, you must also comply with each platform's applicable terms. If any discrepancy arises, the English version prevails; other languages are for reference only.
1. Parties and Definitions
This Data Processing Agreement ("DPA") supplements our Privacy Policy and Terms of Service and applies to data processing when you use NaiPost.
"Personal data" means information relating to an identified or identifiable natural person.
"Processing" includes collection, storage, use, transmission, deletion, and related operations.
"Processor/We" means NaiPost Operations Team; "You/User" means the individual, business, or authorized representative using the Service.
2. Processing Roles
For account information, credentials, and order data, we typically act as data controller.
For text, links, audio, video, and other content you submit for processing:
- If content relates only to you and is uploaded by you, you are the controller and we act as processor following your instructions;
- If content contains third-party personal data, you must have lawful authorization or another legal basis; we provide technical processing only on your instructions;
- You must not process prohibited or unauthorized sensitive personal data (e.g., biometrics, financial accounts, precise location) unless legally permitted and compliant.
3. Scope and Purpose
We process personal data only within the following scope and purposes:
- AI copy generation, link extraction/rewriting, image generation, voice synthesis, video composition, history retrieval, and authorized publishing to X, Facebook, Instagram, LinkedIn, TikTok, and similar platforms where available;
- Account management, authentication, billing, and customer support;
- Security monitoring, troubleshooting, analytics, and service improvement;
- Compliance with legal and regulatory obligations.
4. Data Categories and Methods
Main data categories and processing methods:
- Identifiers: email, nickname, user ID — stored in databases for account identification;
- Social binding: platform account IDs, OAuth tokens (encrypted), publish job IDs — stored on a need-to-know basis for one-click publishing;
- Content: input text and uploaded media — encrypted in transit, stored on controlled servers/object storage, processed via AI or transcoding services;
- Logs: IP, device info, timestamps — used for security auditing and troubleshooting;
- Transactions: orders and payment status — used for billing and reconciliation; sensitive payment data handled by payment providers.
5. Our Obligations
As processor or controller, we commit to:
- Process data only per this DPA, the Privacy Policy, and your valid instructions;
- Implement industry-standard security measures and restrict employee/system access;
- Require subprocessors to agree to data protection terms and equivalent safeguards;
- Notify and assist with personal data incidents as required by law;
- Assist with data subject requests where technically feasible;
- Delete or anonymize data after termination or account closure, except legally required retention.
6. Your Obligations
You agree to:
- Ensure lawful basis for data you submit and respect third-party rights;
- Before binding social accounts or publishing, confirm you may lawfully use each platform in your region and comply with its developer/commercial policies;
- Not upload malware, illegal content, or unnecessary sensitive personal data;
- Fulfill notice/consent or other legal obligations for third-party personal data;
- Safeguard your account and remain responsible for processing under it;
- Promptly notify us of security vulnerabilities or compliance risks.
7. Subprocessors
We may engage subprocessors for cloud infrastructure, AI models, object storage, CDN, email, payments, authentication, and social publishing APIs including X, Meta (Facebook/Instagram), and LinkedIn.
We contractually bind subprocessors to data protection obligations. Changes will be disclosed via our Privacy Policy or website notices.
Continued use constitutes acceptance of necessary subprocessors; if you disagree, discontinue the relevant features.
8. Technical and Organizational Measures
Key measures include:
- HTTPS encryption in transit;
- Authentication and role-based access control;
- One-way password hashing;
- Network isolation and least privilege in production;
- Operational logging and security monitoring;
- Regular backups and recovery testing;
- Employee confidentiality and security awareness requirements.
9. Incident Notification
If a personal data breach, tampering, or loss occurs, we will activate emergency response, assess impact, and take remedial measures as required by law.
Where the incident may significantly affect your rights, we will notify you of the nature of the incident, potential impact, measures taken, and recommended protective steps.
10. Cross-Border Processing
Where personal data is transferred outside your jurisdiction, we comply with applicable cross-border requirements, including security assessments, standard contractual clauses, certification, or separate consent.
You must ensure necessary notice and consent obligations are met when third-party personal data is transferred cross-border.
11. Audit and Records
We maintain records of processing activities and cooperate with lawful regulatory inspections.
For enterprise compliance audit requests, we provide reasonable information without exposing non-public data that could compromise system security or other users' data.
12. Term and Termination
This DPA takes effect when you use the Service and ends when you close your account or we terminate the Service.
After termination, we delete or anonymize data per the Privacy Policy, except where retention is legally required. You remain liable for pre-termination violations.
13. Liability and Precedence
You are responsible for third-party claims or regulatory penalties arising from your breach of this DPA or applicable law, and shall indemnify us for direct losses to the extent permitted by law.
If this DPA conflicts with the Terms or Privacy Policy on data processing matters, this DPA prevails for processing matters; otherwise the Terms prevail.
14. Contact
Data processing inquiries: privacy@naipost.com
Legal matters: legal@naipost.com
Last updated: 2026-06-15