Data Processing Agreement

Summary · last updated 8 June 2026

This page summarises the terms of FounderReply’s Data Processing Agreement (DPA), offered to every customer under Article 28 GDPR. It is a plain-English overview, not the contract itself — request the signable DPA below.

Request the DPA: email admin@founderreply.com with your company name and we will return a countersignable copy.

1. Roles

You are the data controller for the personal data you process through the service (your audience’s comments, mentions and direct messages). FounderReply acts as your processor and processes that data only on your documented instructions.

2. Subject-matter and scope

The processing covers content generation, scheduling, publishing and the handling of inbound audience interactions across the social platforms you connect. Categories of data subjects are your audience and contacts; categories of data are the content and identifiers those interactions contain.

3. Sub-processors

We engage the sub-processors listed on our GDPR page (Supabase, Cloudflare, Google (Gemini API), phi-cloud, Stripe, plus the platforms you connect), each bound by equivalent data-protection terms. We notify customers before adding or replacing a sub-processor.

4. AI processing and international transfers

AI drafting uses Google’s Gemini API by default (processed in the US under Google’s API terms; Google does not use API inputs to train its models). EU/CH-hosted AI via our phi-cloud integration is available when configured. Where a transfer outside the EU/EEA occurs (for example the default Gemini processing, or a non-EU platform you authorise), it relies on Standard Contractual Clauses or an equivalent safeguard.

5. Security

We apply technical and organisational measures appropriate to the risk, including encryption of OAuth tokens at rest, workspace-scoped row-level security, TLS in transit and least-privilege access. Detail is on our Security page.

6. Data-subject requests & assistance

We assist you in fulfilling your obligations to respond to data-subject requests and to notify any personal-data breach without undue delay. Self-service deletion is available via Data & Deletion.

7. Return and deletion

On termination, we delete or return the personal data we process on your behalf, subject to any retention required by law.

8. Audit

We make available the information necessary to demonstrate compliance with Article 28 and support reasonable audits as set out in the signed DPA.