Overblast Back to home

Data Processing Agreement

Last updated: April 8, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Yumankind ("Processor", "we", "us") and you ("Controller", "you") for the use of the Overblast service. This DPA sets out the terms under which we process personal data on your behalf in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Scope and Purpose of Processing

We process Personal Data solely for the purpose of providing the Overblast service to you, including:

  • Managing your social media accounts and connections.
  • Storing and publishing content you create or schedule.
  • Processing messages, comments, and reviews from your connected platforms.
  • Providing API access for authorized integrations.

4. Categories of Data

Category Examples
Account data Name, email address, authentication tokens
Social media data OAuth tokens, profile information, platform user IDs
Content data Posts, messages, comments, reviews, media files
Usage data IP address, device information, access logs

5. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure the security of Personal Data.
  • Not engage a Sub-processor without your prior written consent.
  • Assist you in responding to requests from data subjects exercising their rights.
  • Delete or return all Personal Data upon termination of the Service, at your choice.
  • Make available to you all information necessary to demonstrate compliance with these obligations.

6. Security Measures

We implement the following technical and organizational measures:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Social media tokens receive additional application-level encryption.
  • Access control: Role-based access control with principle of least privilege. Multi-factor authentication for infrastructure access.
  • Monitoring: Continuous monitoring and logging of access to Personal Data.
  • Backups: Regular encrypted backups with tested restoration procedures.
  • Infrastructure: Hosted on secure cloud infrastructure with SOC 2 certified providers.

7. Sub-processors

We currently use the following Sub-processors:

Sub-processor Purpose Location
Cloudflare CDN, edge computing, DNS Global (EU data residency available)
Stripe Payment processing United States / EU

We will notify you of any intended changes to Sub-processors and give you the opportunity to object.

8. Data Breach Notification

In the event of a Data Breach, we will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or data subjects.
  • Take reasonable steps to mitigate the effects of the breach.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or other recognized transfer mechanisms.

10. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection to processing.

11. Audits

Upon reasonable notice, you may audit our compliance with this DPA. We will provide reasonable cooperation and access to relevant information. Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.

12. Term and Termination

This DPA is effective for the duration of our provision of the Service to you. Upon termination, we will delete or return all Personal Data within 30 days, unless retention is required by law.

13. Contact

For any questions about this DPA or to exercise any rights, please contact us at [email protected].

Privacy Policy Terms of Service DPA

© 2026 Yumankind. All rights reserved.