Last updated: July 8, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Servicebetween the customer ("Controller") and Koya Labs("Processor", "we") — a registered business name of our company, whose full registered entity is set out on our Company Detailspage — and governs our processing of personal data on the Controller's behalf when it uses Publano (the "Service"). Where the Controller is itself acting as a processor for its own clients, this DPA applies on a back-to-back basis and we act as sub-processor. It reflects the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR"). If you require a countersigned copy, contact [email protected].
For personal data contained in workspace and client content, connected-account data, and audience data the Controller brings into the Service, the Controller is the controller (or processor) and we are the processor (or sub-processor). For a limited set of data we determine the purposes of — for example account registration data, billing data, and security logs — we act as an independent controller, and that processing is governed by our Privacy Policy rather than this DPA.
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex I. We process personal data only for the duration of the agreement and as needed to provide the Service.
We process personal data only on the Controller's documented instructions, including with regard to international transfers, unless required by EU or member-state law to do otherwise (in which case we will inform the Controller unless legally prohibited). The Controller's use of the Service, its configuration, and this DPA constitute its complete and documented instructions. We will inform the Controller if, in our opinion, an instruction infringes the GDPR.
We ensure that persons authorized to process personal data are bound by an appropriate duty of confidentiality and process the data only as instructed.
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II. These include encryption of credentials at rest (AES-256-GCM), encryption in transit (TLS), role-based access control with tenant isolation, restricted and audited administrative access, and audit logging of privileged actions.
The Controller provides general authorization for us to engage the sub-processors listed at https://publano.com/subprocessors. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable for their performance. We will give the Controller a means to be notified of intended changes to sub-processors and a reasonable opportunity to object on legitimate data-protection grounds before the change takes effect.
Taking into account the nature of the processing, we assist the Controller by appropriate technical and organizational measures, insofar as possible, to:
Where a data subject contacts us directly regarding data we process for the Controller, we will forward the request to the Controller and will not respond directly except on the Controller's instruction.
We notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting the Controller's personal data, and provide information reasonably available to us to help the Controller meet its own notification obligations.
On termination of the Service, and at the Controller's choice, we delete or return the personal data and delete existing copies, unless EU or member-state law requires storage. We retain the Controller's data for 30 days after termination to allow export, after which it is deleted or anonymized in the ordinary course, subject to backup rotation and legal retention requirements.
We make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. To protect the confidentiality and security of other customers, audits are conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, and subject to confidentiality obligations. We may satisfy audit requests by providing existing reports, certifications, and documentation where these reasonably address the Controller's queries.
Personal data is hosted within the EU. Where a sub-processor processes personal data outside the EEA, such transfers are made under an approved transfer mechanism — the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework — together with any supplementary measures required. The Standard Contractual Clauses are incorporated into this DPA by reference where they apply.
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA does not expand either party's liability beyond what is permitted by applicable data protection law.
This DPA takes effect when the Controller begins using the Service and continues for the duration of the processing. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.
Subject matter: provision of the Publano social media management service.
Duration: for the term of the agreement plus the post-termination retention period.
Nature and purpose:storage, organization, scheduling, publishing, reporting, and AI-assisted drafting of social media content on the Controller's instruction.
Categories of data subjects:the Controller's staff and workspace members; the Controller's clients and their staff; and individuals appearing in content or in audience interactions (e.g. commenters and reviewers) that the Controller brings into the Service.
Types of personal data: names and contact details; account and authentication data; connected-account identifiers and encrypted access tokens; post content, captions, and media (which may contain personal data chosen by the Controller); comments, tasks, and approvals; and analytics and audience-interaction data. The Controller should not upload special categories of personal data (Article 9) unless separately agreed.
The current list of sub-processors is maintained at https://publano.com/subprocessors and is incorporated into this DPA by reference.
Koya Labs, Stockholm, Sweden — [email protected]