Data Processing Addendum

Last updated: March 4, 2026

This Data Processing Addendum ("DPA") forms part of the Celavii Terms of Service available at https://celavii.com/terms (the "Agreement") between Celavii, Inc. ("Celavii," "Processor," "we," "us," or "our") and the entity identified as the Customer in the Agreement ("Customer," "Controller," "you," or "your"), collectively referred to as the "Parties" and each individually as a "Party."

This DPA applies to the extent that Celavii processes Personal Data on behalf of Customer in connection with the Services, and such processing is subject to Applicable Data Protection Laws.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.


1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. In addition, the following definitions apply:

a. "Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including but not limited to: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the UK Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019); (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (v) the Brazilian General Data Protection Law ("LGPD"); and (vi) any other applicable data protection or privacy laws.

b. "Authorized Sub-processor" means a third party authorized by Celavii to process Personal Data in connection with the Services, as listed in Schedule 3 or as updated in accordance with Section 6.

c. "Controller" means the entity that determines the purposes and means of the processing of Personal Data.

d. "Customer Personal Data" means any Personal Data that is processed by Celavii on behalf of Customer in connection with the Services, specifically Personal Data contained within Organization Data (as defined in the Agreement), including notes, tags, email communications, outreach history, CRM records, and other Customer-generated content associated with creator profiles. For the avoidance of doubt, Customer Personal Data does not include Creator Database Data (as defined below), which Celavii processes as an independent data controller.

d-1. "Creator Database Data" means publicly available creator profile information maintained in the Creator Database (as defined in the Agreement), including usernames, display names, biographies, profile pictures, follower and following counts, engagement metrics, and publicly displayed contact information. Celavii is the independent data controller with respect to Creator Database Data. This DPA does not govern Celavii's processing of Creator Database Data in its capacity as controller; such processing is governed by the Privacy Policy.

e. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Celavii or its Sub-processors.

f. "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.

g. "EEA" means the European Economic Area.

h. "Personal Data" means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

i. "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

j. "Processor" means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, Celavii is the Processor with respect to Customer Personal Data (Organization Data only).

k. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914, and as may be amended, superseded, or replaced from time to time.

l. "Sub-processor" means any third party engaged by Celavii to process Customer Personal Data on behalf of Customer.

m. "Supervisory Authority" means an independent public authority established by an EU or EEA Member State, the UK, or Switzerland, responsible for monitoring the application of data protection laws.

n. "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.


2. Scope and Roles

a. Scope of Processing

This DPA applies to the processing of Customer Personal Data by Celavii in connection with the provision of the Services under the Agreement. The details of the processing are described in Schedule 1.

b. Roles of the Parties

The Parties operate in a dual capacity with respect to data processed through the Services:

  • Creator Database Data (Celavii as Independent Controller): Celavii is an independent data controller with respect to Creator Database Data. Celavii determines the purposes and means of collecting, maintaining, and making available publicly available creator profile information through the Creator Database. This DPA does not apply to Celavii's processing of Creator Database Data in its capacity as controller. Such processing is governed by the Privacy Policy available at https://celavii.com/privacy.

  • Organization Data (Customer as Controller, Celavii as Processor): Customer is the Controller with respect to Customer Personal Data contained within Organization Data (notes, tags, CRM records, email communications, outreach history, and other Customer-generated content). Celavii processes such Customer Personal Data on behalf of and in accordance with the documented instructions of Customer, as set forth in this DPA and the Agreement. Celavii does not determine the purposes or means of processing Customer Personal Data, except as expressly permitted by this DPA or the Agreement.

Customer is responsible for ensuring that it has a lawful basis for the processing of Personal Data and for compliance with Applicable Data Protection Laws in its capacity as Controller of Organization Data.

c. Customer Obligations

Customer represents and warrants that:

(i) It has complied, and will continue to comply, with all Applicable Data Protection Laws in respect of its use of the Services and the processing of Customer Personal Data;

(ii) It has obtained, and will continue to obtain, all necessary consents, authorizations, and legal bases required under Applicable Data Protection Laws for the processing of Customer Personal Data by Celavii as contemplated by this DPA and the Agreement;

(iii) It has provided, and will continue to provide, all required notices to Data Subjects in connection with the processing of their Personal Data through the Services;

(iv) It will not instruct Celavii to process Customer Personal Data in violation of Applicable Data Protection Laws; and

(v) It will ensure that its use of the Services, including the collection of Social Media Data, complies with the terms of service and privacy policies of the applicable Social Media Platforms.


3. Processing of Customer Personal Data

a. Documented Instructions

Celavii shall process Customer Personal Data only in accordance with Customer's documented instructions, unless required to do so by applicable law to which Celavii is subject. The Agreement (including this DPA) constitutes Customer's complete and final instructions to Celavii for the processing of Customer Personal Data. Any additional or alternative instructions must be agreed upon separately in writing.

If Celavii believes that an instruction from Customer infringes Applicable Data Protection Laws, Celavii shall promptly inform Customer without delay. Celavii shall not be required to assess whether Customer's instructions comply with Applicable Data Protection Laws, but shall inform Customer if it becomes aware that such instructions may be non-compliant.

b. Purpose Limitation

Celavii shall process Customer Personal Data solely for the following purposes:

(i) Providing, maintaining, and improving the Services as described in the Agreement;

(ii) Complying with Customer's documented instructions as described in this DPA;

(iii) Complying with applicable laws and regulations; and

(iv) As otherwise agreed in writing by the Parties.

c. Confidentiality

Celavii shall ensure that all personnel authorized to process Customer Personal Data:

(i) Have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality; and

(ii) Process Customer Personal Data only on documented instructions from Customer, unless required to do so by applicable law.

d. Duration of Processing

Celavii shall process Customer Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law. Upon termination or expiration of the Agreement, Celavii shall process Customer Personal Data in accordance with Section 10 of this DPA.


4. Data Subject Rights

a. Assistance with Data Subject Requests

Taking into account the nature of the processing, Celavii shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws ("Data Subject Requests"), including but not limited to rights of access, rectification, erasure, restriction, portability, and objection.

b. Notification of Data Subject Requests

If Celavii receives a Data Subject Request directly, Celavii shall promptly (and in any event within five (5) business days) notify Customer and provide Customer with reasonable details of the request. Celavii shall not respond to a Data Subject Request directly unless:

(i) Authorized by Customer to do so; or

(ii) Required by applicable law, in which case Celavii shall, to the extent permitted by law, inform Customer of such legal requirement before responding.

c. Customer's Responsibility

Customer acknowledges that Celavii's obligation to assist with Data Subject Requests is limited to Customer Personal Data that Celavii processes on Customer's behalf. Customer is solely responsible for responding to Data Subject Requests and for determining the appropriate response in accordance with Applicable Data Protection Laws.

d. Costs

To the extent that Customer's Data Subject Request assistance requires Celavii to expend significant resources beyond what is reasonably necessary for the provision of the Services, Celavii may charge Customer a reasonable fee based on Celavii's administrative costs of providing such assistance.


5. Security Measures

a. Technical and Organizational Measures

Celavii shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data against Data Breaches, taking into account:

(i) The state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;

(ii) The risk of varying likelihood and severity for the rights and freedoms of Data Subjects; and

(iii) The requirements of Applicable Data Protection Laws.

The specific security measures implemented by Celavii are described in Schedule 2.

b. Updates to Security Measures

Celavii may update or modify the security measures from time to time, provided that such updates do not materially decrease the overall level of security of the Services. Celavii shall inform Customer of any material changes to the security measures.

c. Customer's Security Responsibilities

Customer acknowledges that it is responsible for:

(i) Properly configuring and using the Services, including implementing appropriate access controls, authentication mechanisms, and user permissions;

(ii) Ensuring the security of Customer's account credentials and those of its Authorized Users;

(iii) Taking its own steps to maintain appropriate security, protection, and backup of Customer Data; and

(iv) Independently evaluating whether the security measures described in Schedule 2 are sufficient for Customer's specific use case and compliance requirements.


6. Sub-processors

a. Authorization

Customer provides general written authorization for Celavii to engage Sub-processors to process Customer Personal Data in connection with the Services, subject to the requirements of this Section 6.

b. Current Sub-processors

The current list of Authorized Sub-processors is set forth in Schedule 3 of this DPA. Celavii shall also maintain a current list of Sub-processors at https://celavii.com/legal/sub-processors, which shall be updated from time to time.

c. Notification of Changes

Celavii shall notify Customer at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor ("Sub-processor Change Notice"). The notification shall be provided by email to the address associated with Customer's Account or through the Services.

d. Objection to Sub-processor Changes

Customer may object to a new or replacement Sub-processor by notifying Celavii in writing within fifteen (15) days of receiving the Sub-processor Change Notice, provided that such objection is based on reasonable grounds relating to data protection. Celavii shall use commercially reasonable efforts to:

(i) Make available a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of Customer Personal Data by the objected-to Sub-processor; or

(ii) Take other reasonable steps requested by Customer to address Customer's objection.

If Celavii is unable to accommodate Customer's objection within thirty (30) days of receiving the objection, either Party may terminate the affected portion of the Services by providing written notice to the other Party. Celavii shall provide Customer a prorated refund of any prepaid fees for the terminated portion of the Services covering the remainder of the then-current Subscription Period.

e. Sub-processor Obligations

Celavii shall:

(i) Enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set forth in this DPA;

(ii) Remain fully liable to Customer for the acts and omissions of its Sub-processors to the same extent Celavii would be liable if performing the services of each Sub-processor directly under the terms of this DPA; and

(iii) Conduct appropriate due diligence on Sub-processors to ensure they are capable of providing the level of protection for Customer Personal Data required by this DPA and Applicable Data Protection Laws.


7. International Data Transfers

a. General

Customer acknowledges that Celavii is headquartered in the United States and that Customer Personal Data may be transferred to, stored, and processed in the United States and other countries where Celavii or its Sub-processors maintain facilities.

b. Transfers from the EEA, UK, and Switzerland

To the extent that Customer Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the applicable authority, the Parties agree that:

(i) Standard Contractual Clauses (EU): The SCCs (Module Two: Controller to Processor) are hereby incorporated by reference into this DPA and shall apply to such transfers. For the purposes of the SCCs:

  • Clause 7 (Docking clause): The optional docking clause shall apply;
  • Clause 9(a) (Use of sub-processors): Option 2 (General written authorization) shall apply, with the time period for prior notice set at thirty (30) days as specified in Section 6(c);
  • Clause 11 (Redress): The optional language shall not apply;
  • Clause 13(a) (Supervision): The supervisory authority of the EU Member State in which Customer is established, or if Customer is not established in the EU, the supervisory authority of the EU Member State in which Customer's EU representative is established, shall act as the competent supervisory authority. If neither applies, the Irish Data Protection Commission shall act as the competent supervisory authority;
  • Clause 17 (Governing law): Option 1 shall apply, and the SCCs shall be governed by the laws of Ireland;
  • Clause 18(b) (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of Ireland;
  • Annex I: The details set forth in Schedule 1 of this DPA shall constitute Annex I;
  • Annex II: The security measures set forth in Schedule 2 of this DPA shall constitute Annex II; and
  • Annex III: The Sub-processor list set forth in Schedule 3 of this DPA shall constitute Annex III.

(ii) UK Addendum: For transfers of Customer Personal Data from the United Kingdom, the UK Addendum shall apply, and the SCCs shall be deemed modified as specified by the UK Addendum. For the purposes of the UK Addendum:

  • Table 1: The Parties' details shall be as set forth in Schedule 1;
  • Table 2: The version of the Approved EU SCCs referenced is Module Two (Controller to Processor) as described above;
  • Table 3: Annex I, II, and III information is as set forth in Schedules 1, 2, and 3; and
  • Table 4: Neither Party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum.

(iii) Swiss Transfers: For transfers of Customer Personal Data from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including that references to "GDPR" shall be read as references to the Swiss FADP, and references to the "EU" or "Member State" shall be read as references to Switzerland.

c. Alternative Transfer Mechanisms

If a transfer mechanism relied upon by the Parties under this Section 7 is invalidated or otherwise rendered ineffective, Celavii shall use commercially reasonable efforts to implement an alternative lawful transfer mechanism. Customer agrees to cooperate with Celavii in implementing such alternative mechanism.

d. Onward Transfers

Celavii shall ensure that any onward transfer of Customer Personal Data to a Sub-processor in a third country is subject to appropriate safeguards in accordance with Applicable Data Protection Laws, including but not limited to the SCCs or an adequacy decision.


8. Data Breach Notification

a. Notification

Celavii shall notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Data Breach affecting Customer Personal Data. The notification shall include, to the extent reasonably available:

(i) A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(ii) The name and contact details of Celavii's point of contact from whom more information can be obtained;

(iii) A description of the likely consequences of the Data Breach; and

(iv) A description of the measures taken or proposed to be taken by Celavii to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

b. Cooperation

Celavii shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach, including:

(i) Providing Customer with timely updates and additional information as it becomes available;

(ii) Preserving and providing evidence and logs relevant to the Data Breach;

(iii) Taking reasonable steps to contain and mitigate the effects of the Data Breach; and

(iv) Assisting Customer in fulfilling its obligations to notify Supervisory Authorities and Data Subjects, as required under Applicable Data Protection Laws.

c. Notification to Third Parties

Celavii shall not notify any third party of a Data Breach without first obtaining Customer's prior written consent, except where required by applicable law, in which case Celavii shall, to the extent permitted by law, inform Customer of such legal requirement before making the notification.

d. No Acknowledgment of Fault

Celavii's notification of or response to a Data Breach under this Section 8 shall not be construed as an acknowledgment by Celavii of any fault or liability with respect to the Data Breach.


9. Data Protection Impact Assessments and Consultations

Taking into account the nature of the processing and the information available to Celavii, Celavii shall provide reasonable assistance to Customer in:

(a) Conducting data protection impact assessments ("DPIAs") in relation to Customer's use of the Services, to the extent required under Applicable Data Protection Laws; and

(b) Consulting with Supervisory Authorities in relation to such DPIAs, to the extent required under Applicable Data Protection Laws.

Celavii may charge Customer a reasonable fee for such assistance based on Celavii's administrative costs.


10. Return and Deletion of Customer Personal Data

a. During the Agreement

During the term of the Agreement, Customer may access, export, and delete Customer Personal Data through the features and functionalities made available via the Services.

b. Upon Termination

Customer is solely responsible for exporting all Customer Personal Data prior to the effective date of termination or expiration of the Agreement. Upon termination or expiration of the Agreement:

(i) Celavii shall delete or anonymize all Customer Personal Data in its possession or control as soon as reasonably practicable, except to the extent that applicable law requires further storage of the Customer Personal Data;

(ii) Celavii shall have no obligation to retain, return, or make available any Customer Personal Data after the effective date of termination or expiration; and

(iii) Upon Customer's written request made prior to deletion, Celavii shall provide written certification of the deletion of Customer Personal Data within thirty (30) days of completing the deletion.

c. Exceptions

Notwithstanding the foregoing, Celavii may retain Customer Personal Data to the extent required by applicable law, provided that Celavii:

(i) Limits such retention to the minimum necessary to comply with the applicable legal requirement;

(ii) Maintains the confidentiality of such data; and

(iii) Processes such data only for the purpose of complying with the applicable legal requirement.


11. Audits and Compliance

a. Information and Records

Celavii shall make available to Customer, upon reasonable written request, all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

b. Audits

Customer (or a qualified, independent third-party auditor appointed by Customer and approved by Celavii, such approval not to be unreasonably withheld) may conduct an audit of Celavii's processing activities related to this DPA, subject to the following conditions:

(i) Customer shall provide Celavii with at least thirty (30) days' prior written notice of any audit;

(ii) Audits shall be conducted no more than once per twelve (12) month period, unless required by a Supervisory Authority or in response to a Data Breach;

(iii) Audits shall be conducted during normal business hours and shall not unreasonably interfere with Celavii's business operations;

(iv) Customer and its auditors shall comply with Celavii's reasonable security and confidentiality requirements;

(v) Customer shall bear all costs associated with any audit, unless the audit reveals a material breach of this DPA by Celavii, in which case Celavii shall bear the reasonable costs of the audit; and

(vi) Any third-party auditor must execute a confidentiality agreement acceptable to Celavii prior to conducting the audit.

c. Certifications and Reports

In lieu of an audit, Celavii may, at its discretion, provide Customer with:

(i) Relevant certifications or attestations (e.g., SOC 2 Type II, ISO 27001) obtained from a qualified, independent third-party auditor; or

(ii) Summaries of audit reports or compliance assessments conducted by or on behalf of Celavii, subject to Celavii's confidentiality obligations.

Customer agrees that such certifications, attestations, or reports shall satisfy Customer's audit rights under this Section 11 for the period covered by the certification, attestation, or report, unless Customer can demonstrate that the certification, attestation, or report does not adequately address Customer's specific compliance concerns.


12. Liability

Each Party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement (including Section 13 of the Terms of Service). For the avoidance of doubt, Celavii's total aggregate liability for all claims arising out of or related to this DPA, whether in contract, tort, or otherwise, shall not exceed the limitations set forth in the Agreement.


13. General

a. Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs (or UK Addendum), the SCCs (or UK Addendum) shall prevail.

b. Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.

c. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except to the extent that Applicable Data Protection Laws require otherwise.

d. Term

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiration of the Agreement, subject to Section 10 (Return and Deletion of Customer Personal Data) and any surviving obligations under Applicable Data Protection Laws.

e. Entire DPA

This DPA (including its Schedules) constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, relating to the processing of Customer Personal Data in connection with the Services.


Schedule 1: Details of Processing

A. List of Parties

Data Exporter (Controller):

  • Name: The Customer identified in the Agreement
  • Address: As specified in Customer's Account registration
  • Contact: As specified in Customer's Account registration
  • Role: Controller

Data Importer (Processor):

  • Name: Celavii, Inc.
  • Address: As specified in the Agreement
  • Contact: privacy@celavii.com
  • Role: Processor

B. Description of Processing

  • Categories of Data Subjects: Customer's employees and Authorized Users; social media creators and influencers whose publicly available data is collected at Customer's direction; Customer's clients and contacts
  • Categories of Personal Data: Contact information (names, email addresses, phone numbers); account credentials; social media profile data (usernames, display names, biographies, profile pictures, follower/following counts); content data (posts, captions, hashtags, engagement metrics); audience data (publicly available follower lists, demographic indicators); derived analytics (engagement scores, affinity scores, growth rates, sentiment analysis); communications and outreach data; billing and payment information (processed by Stripe)
  • Sensitive Data: None intentionally collected. Customer is prohibited from submitting protected health information (HIPAA) or payment cardholder data without prior written approval.
  • Frequency of Transfer: Continuous, as part of the ongoing provision of the Services
  • Nature of Processing: Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Customer Personal Data in connection with providing the Services
  • Purpose of Processing: Providing the Services, including creator discovery, analytics, campaign tracking, CRM tools, AI-powered features, and collaboration tools, as described in the Agreement
  • Retention Period: Duration of the Agreement only. Customer Personal Data is deleted upon termination or expiration, except as required by applicable law

C. Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Section 7(b)(i) of this DPA.


Schedule 2: Technical and Organizational Security Measures

Celavii implements the following technical and organizational security measures to protect Customer Personal Data:

1. Access Control

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) support for Customer accounts
  • Unique user identification and authentication for all system access
  • Automated session timeout and re-authentication requirements
  • Regular access reviews and prompt deprovisioning of terminated accounts

2. Encryption

  • Data encrypted in transit using TLS 1.2 or higher
  • Data encrypted at rest using AES-256 or equivalent encryption
  • Encryption key management with regular key rotation

3. Network Security

  • Firewall protection and network segmentation
  • Intrusion detection and prevention systems
  • DDoS mitigation measures
  • Regular vulnerability scanning and penetration testing

4. Application Security

  • Secure software development lifecycle (SDLC) practices
  • Regular security code reviews
  • Input validation and output encoding
  • Protection against common web application vulnerabilities (OWASP Top 10)

5. Data Management

  • Logical separation of Customer data (multi-tenant architecture with workspace isolation)
  • Data backup and disaster recovery procedures
  • Secure data deletion and sanitization procedures
  • Data minimization practices

6. Physical Security

  • Cloud infrastructure hosted by enterprise-grade providers (Supabase/AWS, Vercel)
  • Physical security measures managed by cloud infrastructure providers, including access controls, surveillance, and environmental controls

7. Personnel Security

  • Background checks for employees with access to Customer Personal Data (where permitted by law)
  • Confidentiality agreements for all employees and contractors
  • Regular security awareness training
  • Disciplinary procedures for security policy violations

8. Incident Response

  • Documented incident response plan
  • Designated incident response team
  • Regular incident response testing and tabletop exercises
  • Post-incident review and remediation procedures

9. Business Continuity

  • Regular data backups with tested restoration procedures
  • Disaster recovery planning
  • Service availability monitoring with automated alerting
  • Redundant infrastructure for critical systems

10. Vendor Management

  • Due diligence assessment of Sub-processors
  • Contractual data protection obligations for all Sub-processors
  • Ongoing monitoring of Sub-processor compliance

Schedule 3: Authorized Sub-processors

The following is the current list of Authorized Sub-processors as of the Last Modified date of this DPA:

Stripe, Inc.

  • Purpose: Payment processing, billing, and fraud prevention
  • Location of Processing: United States
  • Data Processed: Billing information, payment transaction data

Supabase, Inc.

  • Purpose: Database hosting, storage, authentication, and infrastructure
  • Location of Processing: United States (primary); as selected by Customer
  • Data Processed: Account data, Customer Data, Social Media Data

Vercel, Inc.

  • Purpose: Application hosting and content delivery
  • Location of Processing: United States; Global CDN
  • Data Processed: Application data, usage data

Apify Technologies s.r.o.

  • Purpose: Social media data collection at Customer's direction
  • Location of Processing: European Union (Czech Republic)
  • Data Processed: Social Media Data (publicly available creator profiles, posts, engagement metrics)

Sentry (Functional Software, Inc.)

  • Purpose: Error tracking and application monitoring
  • Location of Processing: United States
  • Data Processed: Error logs, diagnostic data (may include limited user identifiers)

PostHog, Inc.

  • Purpose: Product analytics
  • Location of Processing: United States; European Union
  • Data Processed: Anonymized/pseudonymized usage data

Cloudflare, Inc.

  • Purpose: CDN, DDoS protection, and DNS services
  • Location of Processing: Global
  • Data Processed: IP addresses, traffic data

Celavii maintains an up-to-date list of Sub-processors at https://celavii.com/legal/sub-processors. Changes to this list are subject to the notification and objection procedures described in Section 6 of this DPA.


Execution

By using the Services and accepting the Agreement (including this DPA), Customer agrees to the terms of this DPA. No separate signature is required.

This DPA is effective as of the date Customer accepts the Agreement.