API
Pricing
Customers
Features
Resources
Free Tools
Free Lists of Top Influencers
Blog
Creatorbooks & case studies

Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is an agreement between Influencers Club (referred to as “Processor”) and each business customer of Influencers Club (referred to as “Customer” or “Controller”) that uses the Influencers Club platform or services under a master agreement or terms of service (the “Main Agreement”). This DPA reflects the parties’ obligations regarding the Processing of Personal Data in compliance with applicable privacy laws. By using Influencers Club’s services, the Customer agrees to the terms of this DPA, which is incorporated into and forms part of the Main Agreement. In case of any conflict between this DPA and the Main Agreement on matters of data protection, this DPA will prevail. (If Standard Contractual Clauses apply, they will prevail over both this DPA and the Main Agreement.)

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable individual that is protected as personal data, personal information, or similar under Data Protection Laws.
  • “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, use, disclosure, erasure, or destruction.
  • “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For this DPA, the Customer is the Controller.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller. For this DPA, Influencers Club is the Processor.
  • “Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and the Processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR) and any national implementing laws, the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any similar privacy laws in other jurisdictions.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Customer Data” (or “Controller Data”) means any Personal Data that the Customer provides or makes available to the Processor for Processing under the Main Agreement.
  • “Subprocessor” means any third party (including any Influencers Club affiliate) engaged by the Processor to assist in Processing Customer Data on behalf of the Customer.
  • “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted or stored by the Processor or its Subprocessors. This does not include unsuccessful or insignificant incidents that do not compromise the security of Personal Data.
  • “Standard Contractual Clauses” or “SCCs” means the standard data protection contract clauses issued by the European Commission for transfers of personal data to third countries.

2. Scope and Details of Processing

Roles of the Parties: The parties acknowledge and agree that, in the context of the services provided under the Main Agreement, the Customer acts as a Data Controller and Influencers Club acts as a Data Processor on behalf of the Customer.

Subject Matter and Duration: The subject matter of the Processing is the performance of the services and any related technical support or other activities as described in the Main Agreement. The Processing will continue for the duration of the Main Agreement.

Nature and Purpose of Processing: Influencers Club will Process Customer Data solely for the following purposes: (a) to provide, maintain, and support the Influencers Club platform and services; (b) to carry out Customer’s written instructions; and (c) to comply with applicable law.

Types of Personal Data: The types of Personal Data processed include: identification and contact information; professional or public profile information; communications data; technical usage data; and any other Personal Data that Customer uploads or inputs into the service.

Categories of Data Subjects: Influencer or Creator Individuals, Outreach Recipients, Customer’s Personnel, and Other Third Parties (Incidental).

3. Obligations of the Processor (Influencers Club)

3.1 Compliance with Instructions: Processor will Process Customer Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law.

3.2 No Secondary Use or “Selling” of Data: Processor shall not “sell” or “share” Personal Data and shall not Process Personal Data for any purposes other than those specified in this DPA.

3.3 Security Measures: Processor will implement and maintain appropriate technical and organizational security measures including Access Controls, Encryption, Network & System Security, Monitoring & Logging, Organizational & Personnel Security, Reliability & Backup, Testing & Assessment, and Vendor Management.

3.4 Confidentiality: Processor will ensure that any persons it authorizes to Process Customer Data are under appropriate obligations of confidentiality.

3.5 Subprocessors: Processor is authorized to engage Subprocessors only in accordance with Section 6 of this DPA.

3.6 Assistance with Data Subject Rights: Processor will assist the Customer in responding to Data Subject requests.

3.7 Assistance with Compliance and DPIAs: Processor shall provide reasonable cooperation to assist the Customer in fulfilling compliance obligations.

3.8 Personal Data Breach Notification: In the event of a Personal Data Breach, Processor will notify Customer without undue delay.

3.9 Return or Deletion Upon Termination: Upon termination, Processor will return or delete all Customer Personal Data.

4. Obligations of the Controller (Customer)

4.1 Compliance with Laws: Customer shall ensure compliance with all applicable Data Protection Laws.

4.2 Lawful Basis and Notices: Customer represents it has obtained all necessary rights, consents, and legal bases for Processing.

4.3 Data Quality and Minimization: Customer is responsible for the accuracy, quality, and legality of the Personal Data provided.

4.4 Instructions to Processor: Customer will only give documented instructions consistent with the Main Agreement and this DPA.

4.5 Customer as Processor for Third-Party Controller: If applicable, Customer warrants authorization to appoint Influencers Club as a Subprocessor.

4.6 Handling Data Subject Requests: Customer is responsible for handling Data Subject requests or complaints.

4.7 Security Responsibilities: Customer shall use the services in a manner that enables Processor to maintain appropriate security.

5. Data Subject Rights and Requests

5.1 Notification of Requests: Processor will promptly inform Customer of any Data Subject requests received.

5.2 Reasonable Assistance: Processor will assist the Customer in fulfilling verified Data Subject Requests.

5.3 Timing and Costs: Processor will provide cooperation to enable timely compliance.

5.4 Restrictions: Processor shall not independently honor or deny Data Subject requests except as instructed by Customer or required by law.

5.5 Documentation: Processor will maintain records of Data Subject Requests.

6. Subprocessors

6.1 Approved Subprocessors: A list of current Subprocessors is provided in Annex 3.

6.2 Subprocessor Obligations: Processor will impose data protection obligations no less protective than this DPA.

6.3 Notification of New Subprocessors: Processor will inform Customer at least 10 days prior to authorizing any new Subprocessor.

6.4 Customer Objection Rights: Customer may object to new Subprocessors within the notice period.

6.5 Liability for Subprocessors: Influencers Club remains fully liable for Subprocessor performance.

7. Security Measures

Influencers Club maintains comprehensive technical and organizational measures including: Access Control, Encryption, Network Security, Physical Security, Monitoring & Logging, Business Continuity & Backup, and Employee Training & Policies. See Annex 2 for full details.

8. Personal Data Breach Management

8.1 Breach Detection: Influencers Club maintains measures to detect and respond to security incidents.

8.2 Breach Notification: Notification to Customer without undue delay (no later than 72 hours after confirmation).

8.3 Updates and Collaboration: Influencers Club will investigate and provide timely updates.

8.4 Regulatory Communication: Customer has primary responsibility for regulatory notifications.

8.5 No Acknowledgment of Fault: Breach notification shall not be construed as acknowledgment of fault.

9. Audits and Compliance Verification

9.1 Information and Documentation: Influencers Club will make available information necessary to demonstrate compliance.

9.2 Audit Rights: Customer may perform audits no more than once per year with 30 days prior notice.

9.3 Confidentiality of Audit Findings: Information obtained during audits shall be treated as confidential.

10. International Data Transfers

10.1 Locations of Processing: Influencers Club may Process Customer Data in countries where it or its Subprocessors maintain facilities.

10.2 Adequacy and Authorized Transfers: The parties enter into the relevant Standard Contractual Clauses (SCCs) for cross-border transfers as required.

10.3 Additional Transfer Safeguards: Processor implements supplementary technical and organizational measures.

11. Deletion or Return of Data

11.1 Deletion Process: Influencers Club will systematically delete or anonymize all Customer Personal Data upon termination.

11.2 Return Process: If requested, Influencers Club will provide a complete copy of Customer Personal Data.

11.3 Limited Retention: Retention permitted only as required by law or legitimate business needs.

12. Miscellaneous Provisions

12.1 Data Protection Officer: Contact at legal@influencers.club.

12.2 Liability: Subject to the limitations set out in the Main Agreement.

12.3 Order of Precedence: This DPA prevails over the Main Agreement for data protection obligations.

12.4 Amendments: Parties agree to negotiate in good faith for required changes.

12.5 Governing Law: Governed by the law specified in the Main Agreement.

12.6 Jurisdiction: Subject to jurisdictional terms of the Main Agreement.

Annex 1 – Details of Processing

Data Exporter (Controller): The Customer, as identified in the Main Agreement.

Data Importer (Processor): Influencers Club. Contact: legal@influencers.club.

Subject Matter: Provision of influencer discovery, data enrichment, and outreach services.

Categories of Personal Data: Identification Data, Contact Data, Public Profile Data, Communication Data, Technical Data, User-Provided Data.

Categories of Data Subjects: Social media content creators/influencers, outreach recipients, Customer’s personnel, incidental third parties.

Annex 2 – Technical and Organizational Security Measures

  1. Access Control: Role-based access, multi-factor authentication, least privilege, quarterly access reviews.
  2. Data Access Control: Logical tenant isolation, strict need-to-know access, strong password policies, session management.
  3. Transmission Control: HTTPS/TLS 1.2+, encrypted internal communications, no unencrypted portable storage.
  4. Input Control: Detailed audit logs, tamper-resistant log storage, no plaintext secrets in logs.
  5. Job/Process Control: Processing only per documented instructions, employee training, escalation procedures.
  6. Availability Control: Redundant architecture, encrypted backups, disaster recovery plans.
  7. Separation Control: Logical multi-tenant separation, no live data in dev/test environments.
  8. Audit and Compliance: Regular vulnerability scanning, annual penetration testing, management reporting.

Annex 3 – Authorized Subprocessors

  • Amazon Web Services (AWS) – Cloud infrastructure. Location: EU (Frankfurt) primary, US (N. Virginia) backup. EU SCCs in place.
  • Twilio SendGrid – Email delivery. Location: USA. SCCs in place.
  • Google Cloud Platform (GCP) – Cloud infrastructure. Location: EU (Belgium) and US (Iowa). SCCs in place.
  • MongoDB Atlas – Managed database. Location: EU (Ireland) primary. SCCs in place.
  • Cloudflare, Inc. – CDN and security. Location: Global. SCCs in place.
  • Zendesk, Inc. – Customer support. Location: USA. SCCs in place.

Contact for subprocessor updates: legal@influencers.club