Data Processing Addendum
Version 1.0 · Last updated: May 4, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between GenZHook ("Processor", "Owner") and the customer ("Controller") for use of the Service. It is effective automatically upon acceptance of the Terms of Service and governs processing of personal data subject to the EU GDPR, UK GDPR, Swiss FADP, and other applicable data-protection laws. The Owner's Universal Reservation of Rights — Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, the Comprehensive Owner Protections in section 18, and the No-Refund Policy are incorporated into this DPA in full and prevail over any inconsistent provision herein except to the extent applicable mandatory data-protection law requires otherwise. The exercise of any right under this DPA, the change of any sub-processor, the change of any security measure, or any decision under this DPA gives rise to no refund, credit-back, pro-rated reimbursement, alternative compensation, SLA payout, or service credit of any kind, except only where applicable mandatory law preserves an unwaivable right and only to the absolute minimum the law requires.
0. Owner's Reservation of Rights
Without limiting the Universal Reservation of Rights, the Owner reserves the absolute, exclusive, and unfettered discretion, with or without prior notice and without liability, to: (a) add, change, or replace sub-processors, AI providers, payment processors, hosting locations, infrastructure vendors, or analytics tools; (b) modify, restructure, or replace this DPA, the Annex II security measures, or any related procedure at any time with effect upon posting (subject only to legally required minimum notice); (c) add, change, restrict, suspend, or discontinue any feature, plan, integration, price, fee, FX rate, credit weight, quota, discount, coupon, reward, or facility, partially or fully; (d) pass through any AI-provider, infrastructure, payment, telecom, hosting, tax, or third-party cost increase to invoices or credit weights, immediately or with delay, with no obligation to pass through cost decreases; (e) refuse, suspend, restrict, lock, or terminate any Controller, account, organization, or third party at any time with or without cause; and (f) decline any data-subject or Controller request that is manifestly unfounded, excessive, abusive, repetitive, or in conflict with the Owner's legitimate interests, statutory obligations, or other users' rights, to the maximum extent permitted by law. The Controller waives any claim — including any claim to refund, credit-back, pro-rated reimbursement, alternative compensation, or service credit of any kind — arising from the exercise of these rights except only where applicable mandatory law preserves an unwaivable right and only to the absolute minimum the law requires.
1. Roles
Controller determines purposes and means of processing. Processor processes personal data on documented instructions from Controller. Where required, Processor will cooperate with the Controller's DPO or supervisory authority.
2. Subject-Matter & Duration
Subject: provision of the GenZHook Service as described in the Terms. Duration: the term of the agreement plus the statutory retention periods in our Retention Schedule.
3. Nature & Purpose of Processing
Hosting, authentication, content generation via third-party AI APIs, transactional email, billing, analytics (aggregate), security monitoring.
4. Categories of Data & Data Subjects
- Data subjects: Controller's authorized users, end-followers whose public social posts are referenced by Controller.
- Categories: identifiers (name, email, mobile), authentication data, billing metadata, user-generated prompts, social-account OAuth tokens (encrypted), usage telemetry.
- Special categories: Controller agrees NOT to submit special-category data (GDPR Art. 9) or children's data via the Service.
5. Processor Obligations
- Process only on documented Controller instructions (the Terms constitute such instructions).
- Ensure personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (TOMs) — see Annex II below.
- Assist Controller with data-subject rights requests, DPIAs, and breach notification.
- Delete or return personal data at the end of the agreement, subject to statutory retention.
- Make available information necessary to demonstrate compliance and permit audits (satisfied via third-party attestations where applicable).
6. Sub-processing
Controller provides general authorization for GenZHook to engage the sub-processors listed at /sub-processors. GenZHook will notify Controller of intended changes and impose data-protection obligations equivalent to this DPA on each sub-processor.
7. International Transfers
For transfers of personal data from the EEA/UK/Switzerland to a third country without an Adequacy Decision, the parties incorporate by reference the European Commission Standard Contractual Clauses 2021/914 (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum. Where GenZHook acts as sub-processor for a Controller that is itself a processor, Module Three applies. Docking clause: any additional controller may accede by notice.
8. Security Measures (Annex II)
- Encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
- Per-record encryption of OAuth tokens; HMAC-SHA256 signed approval tokens
- Row-Level Security on all multi-tenant tables; least-privilege IAM
- 24×7 logging, anomaly detection, and rate limiting
- Annual penetration testing and dependency vulnerability scanning
- Background checks for personnel with production access; role-based access control with quarterly review
- Documented incident-response runbook with 72-hour notification SLA
- Daily encrypted backups with tested restore procedures; 30-day retention
9. Breach Notification
GenZHook will notify Controller without undue delay and in any event within 72 hours of becoming aware of a confirmed personal-data breach, providing information described in GDPR Art. 33(3). See /incident-response.
10. Liability
Liability under this DPA is governed by the limitation-of-liability provisions of the Terms, except where applicable law prohibits such limitation.
11. Signature
This DPA is deemed executed upon Controller's acceptance of the Terms. Enterprise customers requiring a countersigned PDF may email privacy@genzhook.com.