Data Protection Agreement (DPA)
Last Updated: January 7, 2026
1. Introduction & Scope
This Data Protection Agreement ("DPA") forms part of the Terms of Service between Vivida Cognitive LLC ("Data Processor," "we," "us") and the user ("Data Controller," "you") and governs the processing of personal data in connection with the Service. CommuniKate Social is a product of Vivida Cognitive LLC.
Vivida Cognitive LLC is a Minnesota limited liability company that operates the CommuniKate Social service. This DPA applies to the extent that we process personal data on your behalf in providing our multi-platform social media auto-posting service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws including GDPR and CCPA.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the user).
- "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller (Vivida Cognitive LLC, which operates the CommuniKate Social product).
- "Sub-processor" means any third party engaged by the Data Processor to process Personal Data.
3. Data Processing Details
3.1 Subject Matter
The processing of Personal Data in connection with providing the CommuniKate social media management and auto-posting Service.
3.2 Nature & Purpose
- Account authentication and management
- Social media account connection via OAuth
- Content creation, scheduling, and publishing
- AI-powered content generation (privately-hosted on RunPod cloud infrastructure)
- Transactional email delivery via Resend
- Post history maintenance
3.3 Categories of Data Subjects
- Users of the CommuniKate Service
- Individuals whose information may appear in user-created content
3.4 Types of Personal Data Processed
| Data Type | Purpose | Retention |
|---|---|---|
| Email Address | Account identification, communication | Until account deletion |
| Name | Account personalization | Until account deletion |
| OAuth Tokens | Social media API authentication | Until disconnection/expiry |
| Social Media Identifiers | Account linking, posting | Until disconnection |
| Post Content | Publishing, history | Until deletion request |
4. Data Minimization Commitment
Our Data Minimization Principles
We are committed to collecting and processing only the minimum data necessary to provide the Service. Specifically:
- Authentication Tokens Only: We store only the OAuth tokens required to post on your behalf. We do not store your social media passwords.
- No Follower Data: We do NOT scrape, collect, or store information about your followers, following lists, or audience demographics.
- No Message Data: We do NOT access or store your direct messages, comments, or private communications on any platform.
- Post History Only: We retain only the content published through our Service, not your entire social media history.
5. AI Processing Disclosure
Private Cloud AI Processing
All AI processing for content generation is performed on dedicated RunPod cloud infrastructure managed exclusively by us:
- No Third-Party AI APIs: We do NOT send your data to OpenAI, Anthropic, Google AI, or any other third-party AI service providers.
- Private Cloud Processing: All AI inference occurs on our dedicated cloud instances hosted by RunPod. RunPod provides compute infrastructure only and does not have access to your data.
- No Model Training: Your data is NEVER used to train, fine-tune, or improve our AI models. Your content remains exclusively yours.
- Isolated Processing: AI processing is performed in isolated environments with no data persistence beyond the immediate request.
6. Processor Obligations
As Data Processor, Vivida Cognitive LLC (which operates the CommuniKate Social product) agrees to:
- Lawful Processing: Process Personal Data only on documented instructions from the Data Controller, unless required by law.
- Confidentiality: Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Security Measures: Implement appropriate technical and organizational measures to ensure data security, including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Regular security assessments and penetration testing
- Access controls and audit logging
- Incident response procedures
- Sub-processor Management: Obtain authorization before engaging sub-processors and ensure they meet equivalent data protection obligations.
- Assistance: Assist the Data Controller in responding to data subject requests and data protection impact assessments.
- Breach Notification: Notify the Data Controller of any Personal Data breach without undue delay (within 72 hours of becoming aware).
- Data Return/Deletion: Upon termination, delete or return all Personal Data as requested by the Data Controller.
- Audit Rights: Make available information necessary to demonstrate compliance and allow for audits.
7. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and CDN | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| RunPod, Inc. | Cloud infrastructure for AI processing | United States |
| Meta Platforms, Inc. | Social media API (Facebook, Instagram) | United States |
| X Corp. | Social media API (X/Twitter) | United States |
| LinkedIn Corporation | Social media API | United States |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object to such changes.
8. Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests, including:
- Right of Access: Providing copies of Personal Data
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting Personal Data ("right to be forgotten")
- Right to Restriction: Limiting processing in certain circumstances
- Right to Portability: Providing data in machine-readable format
- Right to Object: Ceasing processing based on legitimate interests
User Control Features
Users can exercise their rights as follows:
- Disconnect social media accounts at any time through the dashboard
- Request complete data deletion by emailing support@communikatesocial.com
- Export personal data in JSON format by emailing support@communikatesocial.com
- Update account information through the dashboard
9. International Data Transfers
Personal Data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) where applicable
- Data Processing Addendums with sub-processors
- Technical measures ensuring equivalent protection
10. Security Incident Response
In the event of a security incident involving Personal Data:
- We will notify you within 72 hours of becoming aware of the incident
- Notification will include:
- Nature of the incident
- Categories and approximate number of affected data subjects
- Likely consequences
- Measures taken or proposed to address the incident
- We will cooperate with any investigation and remediation efforts
- We will document all incidents and make records available upon request
11. Term & Termination
This DPA shall remain in effect for the duration of the Service agreement. Upon termination:
- We will cease all processing of Personal Data
- At your election, we will either:
- Return all Personal Data in a structured, commonly used format
- Delete all Personal Data and certify such deletion
- Deletion will be completed within 30 days of request
12. Compliance & Certifications
We maintain compliance with:
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- Meta Platform Terms: Facebook and Instagram data handling requirements
- X Developer Agreement: X/Twitter data protection requirements
- LinkedIn API Terms: LinkedIn data handling requirements
13. Contact Information
For questions about this Data Protection Agreement or to exercise data protection rights:
Legal Entity: Vivida Cognitive LLC
Data Protection Contact: support@communikatesocial.com
General Inquiries: support@communikatesocial.com
Contact Form: communikatesocial.com/contact
Vivida Cognitive LLC, a Minnesota limited liability company, is the contracting party for all data processing agreements. CommuniKate Social is a product and brand name of Vivida Cognitive LLC.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws applicable to the main Terms of Service, except where applicable data protection laws require otherwise (e.g., GDPR provisions for EU data subjects).