Data Processing Agreement

Last updated: March 2026

Effective date: March 24, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Zylver Solutions LLC ("Processor", "we", "us", "our"), a company registered in Austin, TX, operating the Max Socials platform; and
  • The Subscriber ("Controller", "you", "your"), the entity that has entered into a Subscription Agreement for the Max Socials platform.

This DPA supplements the Terms of Service and forms part of the agreement between the Processor and the Controller.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection legislation (including the GDPR and CCPA).
  • Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • Data Subject: An identified or identifiable natural person to whom Personal Data relates.
  • Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Supervisory Authority: An independent public authority responsible for monitoring the application of data protection legislation.

3. Scope and Purpose

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Max Socials platform service. The categories of Personal Data processed include:

  • Social media analytics and engagement metrics
  • Content performance data
  • Audience demographics (age ranges, geographic regions, interest categories)

The purpose of Processing is to provide the Max Socials platform service, including trend discovery, content production, multi-channel distribution, performance analytics, and Intelligence Loop optimization.

4. Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller. The Processor shall not process Personal Data for any purpose other than the provision of the platform service, unless required by applicable law.

Processing activities include:

  • Collecting social media metrics from connected accounts via authorized API access
  • Analyzing content performance across multiple channels and formats
  • Generating Intelligence Loop adjustments to optimize content strategy based on measured performance outcomes
  • Creating aggregated, anonymized insights that cannot be used to identify individual Data Subjects

The Controller may issue additional documented instructions at any time, provided they are consistent with the Terms of Service and the capabilities of the platform.

5. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors for the purposes described:

  • AWS, cloud hosting (compute and storage)
  • Anthropic, AI text generation
  • RunPod, AI image generation compute
  • Stripe, payment processing
  • Resend, transactional email delivery
  • Ayrshare, social media API aggregation
  • Cloudflare, CDN and R2 object storage

The Processor shall notify the Controller at least thirty (30) days before adding or replacing a Sub-processor. The Controller may object to the new Sub-processor within that period. If the objection is not resolved, the Controller may terminate the Subscription Agreement.

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

6. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Per-client data isolation: Logical separation at the database level, ensuring each Controller's data is isolated from other agencies' data
  • Role-based access controls: Granular permissions ensuring only authorized personnel access Personal Data
  • Audit logging: Comprehensive logging of all data access events
  • Regular security assessments: Periodic penetration testing and security audits
  • Vulnerability scanning: Automated scanning of infrastructure and application dependencies
  • Employee access controls: Background checks, confidentiality agreements, and least-privilege access policies
  • Incident response procedures: Documented procedures for identifying, containing, and remediating security incidents

7. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests within ten (10) business days of receiving the request. Supported rights include:

  • Access: The right to obtain confirmation of whether Personal Data is being processed and to receive a copy of such data
  • Rectification: The right to correct inaccurate or incomplete Personal Data
  • Erasure: The right to request deletion of Personal Data where applicable
  • Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format
  • Restriction: The right to request limitation of Processing activities
  • Objection: The right to object to Processing based on legitimate interests

The Processor shall promptly notify the Controller if it receives a Data Subject request directly, unless prohibited by law from doing so.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a personal data breach. The notification shall include:

  • The nature of the personal data breach
  • The categories and approximate number of Personal Data records affected
  • The approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate its adverse effects

The Processor shall cooperate with the Controller in investigating the breach and shall take all reasonable steps to contain and remediate the breach promptly.

9. Cross-Border Transfers

Personal Data is primarily processed in the United States. For transfers of Personal Data from the European Union or European Economic Area (EU/EEA) to the United States, the parties agree to rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

The Processor shall ensure that any Sub-processor located outside the EU/EEA is subject to appropriate safeguards, including SCCs or an adequacy decision, before any transfer of Personal Data.

10. Data Deletion and Return

Upon termination of the Subscription Agreement:

  • The Controller may export all Personal Data within thirty (30) calendar days of termination using the platform's data export tools.
  • After the 30-day export period, all Personal Data is permanently deleted from the Processor's systems, including backups, within a reasonable timeframe.
  • Aggregated, anonymized data that cannot be used to identify individual Data Subjects is retained by the Processor. This data does not constitute Personal Data under applicable law.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year, subject to the following conditions:

  • The Controller must provide at least thirty (30) days' written notice prior to the audit.
  • The Processor shall provide relevant documentation and reasonable access to systems as necessary to demonstrate compliance.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable data protection legislation where such limitation is prohibited by law.

13. Term

This DPA remains in effect for the duration of the Subscription Agreement between the parties. The obligations of the Processor with respect to data deletion and return (Section 10) survive termination of this DPA.

14. Contact

For questions about this Data Processing Agreement, please contact:

Zylver Solutions LLC
Austin, TX
dpa@maxsocials.com