Data Processing Agreement (DPA)
Last Updated: November 2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and Problem Solving Agency Zenahr Barzani (“Processor”). This DPA applies when SpamSmacker processes personal data on your behalf under GDPR.
1. Definitions
Capitalized terms have the meanings defined in GDPR (Regulation (EU) 2016/679). “Personal Data” means any information relating to an identified or identifiable natural person processed by SpamSmacker on behalf of the Controller.
2. Scope & Purpose
SpamSmacker processes Personal Data for the following purposes:
- YouTube comment analysis and moderation
- Account management and authentication
- Service delivery and performance optimization
Categories of Personal Data processed:
- YouTube comment text and author display names
- Video metadata (titles, URLs) from scanned videos
- Account holder email addresses and Google profile information
3. Duration
Personal Data is processed for the duration of the service agreement. Upon termination, data is deleted within 30 days unless retention is required by applicable law.
4. Subprocessors
The Controller authorizes the following subprocessors:
| Subprocessor | Service | Location | DPA/SCCs |
|---|---|---|---|
| Supabase | Database, auth, API | EU | Yes |
| Vercel | Application hosting | Global | Yes |
| Paddle | Payment processing | UK/EU | Yes |
| YouTube API | | Global | Yes |
SpamSmacker will notify the Controller of any changes to subprocessors at least 30 days in advance. The Controller may object to new subprocessors within 14 days of notification.
5. Technical & Organizational Measures
SpamSmacker implements:
- Encryption: TLS 1.3 (transit), AES-256 (rest)
- Access control: Row-Level Security (Supabase RLS), role-based access
- Data isolation: Multi-tenant database architecture with customer-level isolation
- Logging: Access logs, audit trails
- Backups: Daily automated backups, 30-day retention
- Incident response: 72-hour breach notification to Controllers
6. Data Subject Rights
SpamSmacker assists the Controller in responding to data subject requests (GDPR Art. 28.3.e). Requests received directly from data subjects will be forwarded to the Controller within 5 business days.
7. Data Breach Notification
In the event of a personal data breach, SpamSmacker will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
8. Audit Rights
The Controller may audit SpamSmacker’s compliance with this DPA once per calendar year, with 30 days’ notice, during business hours, and at the Controller’s expense. SpamSmacker will provide its most recent SOC 2 or equivalent certification report in lieu of an on-site audit when available.
9. Data Deletion
Upon termination:
- YouTube comment data: deleted within 30 days
- Account data: deleted within 30 days
- Backups: purged within 90 days
- Billing records: retained for 7 years per German tax law (HGB §147, AO §147)
10. We Do Not Train on Your Data
SpamSmacker does not use Controller comment data to train machine learning models that benefit other customers. Detection pattern improvements are based on anonymized, aggregated statistics.
11. Governing Law
This DPA is governed by German law. Any disputes shall be resolved in Berlin, Germany.
12. Contact
For DPA-related inquiries: legal@spamsmacker.dev
Processor: Problem Solving Agency Zenahr Barzani, Berlin, Germany