FH Four Hawk Social

Data Processing Agreement

Last updated: April 29, 2026

Template notice. This Data Processing Agreement ("DPA") is provided as a self-serve template for customers who need a DPA on file with Four Hawk Social to comply with GDPR, UK GDPR, CCPA, or contractual obligations to their own clients. It supplements our Terms of Service and is not legal advice. Please have it reviewed by your legal counsel before execution. To receive a counter-signed copy, complete the customer signature block below, save as PDF, and email it to [email protected].

1. Parties and Background

This Data Processing Agreement (the "DPA") is entered into between:

  • Four Hawk Social ("Processor", "we", or "us"), the operator of the Four Hawk Social platform; and
  • The customer organization that has executed the customer signature block below ("Controller", "Customer", or "you").

The Customer has entered into a subscription or trial agreement with Four Hawk Social governed by our Terms of Service (the "Principal Agreement"). This DPA forms part of the Principal Agreement and governs the Processing of Personal Data carried out by Four Hawk Social on the Customer's behalf in connection with the Service.

Where this DPA conflicts with the Principal Agreement, this DPA prevails to the extent of the conflict, but only with respect to the Processing of Personal Data.

2. Definitions

Capitalized terms not defined here have the meaning given in the Principal Agreement. The following terms have the meanings set out below:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and any other equivalent laws.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Special Categories of Personal Data" have the meanings given in the GDPR (or the equivalent terms under other Applicable Data Protection Law).
  • "Customer Personal Data" means Personal Data that the Customer (or the Customer's clients on whose behalf the Customer uses the Service) submits to or makes available through the Service, and which Four Hawk Social Processes on the Customer's behalf.
  • "Sub-processor" means any third party engaged by Four Hawk Social to Process Customer Personal Data in connection with the Service.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries published by the European Commission in Decision 2021/914, as amended; and, for transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs (the "UK Addendum") issued by the Information Commissioner's Office.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

3. Subject Matter, Duration, Nature and Purpose of Processing

Subject matter. Four Hawk Social Processes Customer Personal Data to provide the Service: a multi-tenant social media management platform that schedules and publishes content to connected social media accounts, captures engagement and analytics data from those accounts, organizes media assets, manages internal and external approval workflows, and provides AI-assisted features (caption generation, image description, near-duplicate detection, natural-language search, and analytical insights).

Duration. Processing continues for the term of the Principal Agreement and for any subsequent retention period required under Section 12 (Return or Deletion of Personal Data) and applicable law.

Nature and purpose. The Processing comprises collection, storage, organization, retrieval, transmission to third-party social media platforms (only on Customer instruction), display in the user interface, analytical computation, machine-generated content and metadata enrichment, and deletion. The purpose is the performance of the Service in accordance with the Customer's documented instructions.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects may include:

  • The Customer's authorized users (employees, contractors, team members);
  • The Customer's clients (where the Customer is an agency) and the authorized users of those clients;
  • Individuals who interact with the Customer's social media presence (commenters, message senders, mentioned users);
  • Individuals depicted in media assets uploaded to the Service.

Categories of Personal Data may include:

  • Identity and contact data: name, email address, role, profile image;
  • Authentication data: hashed credentials managed by Amazon Cognito, OAuth access and refresh tokens for connected social media accounts (encrypted at rest using AES-256-GCM);
  • Content: post drafts, captions, hashtags, scheduling metadata, internal notes, approval correspondence, comments and direct messages retrieved from connected platforms;
  • Media: images, video, audio, and documents uploaded by the Customer or its users, together with derived metadata (dimensions, duration, AI-generated descriptions, EXIF where present);
  • Performance data: impressions, reach, engagement metrics, follower counts, watch time, and other analytics retrieved from connected platforms;
  • Audit and operational data: application logs, IP addresses, user-agent strings, and timestamps generated by the Customer's use of the Service.

The Customer must not submit Special Categories of Personal Data, biometric data, children's data, payment card data, or government identification numbers to the Service. Four Hawk Social does not request such data and is not configured to apply the heightened protections that those categories require.

5. Customer (Controller) Obligations

The Customer is the Controller of the Customer Personal Data and warrants that:

  • It has all necessary rights, consents, and lawful bases under Applicable Data Protection Law to submit the Customer Personal Data to the Service and to direct Four Hawk Social to Process it as contemplated by the Principal Agreement;
  • It will provide all notices and obtain all consents required under Applicable Data Protection Law from Data Subjects, including notices and consents relating to the use of AI-assisted features, the transmission of content to third-party social media platforms, and the storage of Personal Data on infrastructure operated by the Sub-processors listed in Section 7;
  • Where the Customer is itself a processor acting on behalf of one or more of its own clients (e.g. an agency managing client social media accounts), the Customer has the necessary authority from each underlying controller to engage Four Hawk Social as a Sub-processor and to enter into this DPA on that controller's behalf;
  • Its instructions to Four Hawk Social comply with Applicable Data Protection Law and do not require Four Hawk Social to act inconsistently with that law.

6. Processor Obligations

6.1 Documented instructions

Four Hawk Social will Process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by EU, UK, or Member State law to which Four Hawk Social is subject. The Customer's documented instructions consist of (a) the Principal Agreement and this DPA, (b) the configuration choices the Customer makes through the Service interface and APIs, and (c) any further instructions agreed in writing between the parties. If Four Hawk Social believes an instruction infringes Applicable Data Protection Law, it will inform the Customer without undue delay.

6.2 Confidentiality

Four Hawk Social ensures that personnel authorised to Process Customer Personal Data are subject to written confidentiality obligations, are trained in data protection responsibilities appropriate to their role, and are granted access only on a need-to-know basis.

6.3 Security measures

Four Hawk Social implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Article 32 GDPR. These measures include, at minimum:

  • Encryption of Customer Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256, including AES-256-GCM for OAuth tokens);
  • Network isolation of database and worker components within a dedicated VPC, with no direct public ingress;
  • Identity and access management via Amazon Cognito with role-based access control, group-based authorisation, and JWT-based session tokens;
  • Centralised logging in Amazon CloudWatch with retention configured to support incident investigation;
  • Reserved Lambda concurrency, API Gateway throttling, and per-instance rate limiting to mitigate denial-of-service attacks;
  • Application-layer validation of all input via Zod schemas; allow-listed status transitions through dedicated endpoints;
  • Environment isolation between staging and production, including separate Cognito user pools, separate databases, and separate signing keys;
  • Periodic review of security headers (HSTS, X-Frame-Options, Content-Security-Policy) enforced at the CDN.

Four Hawk Social will assess and update these measures over time as the threat landscape evolves; specific controls may change provided the overall level of security is not reduced.

6.4 Assistance to the Customer

Taking into account the nature of Processing and the information available to it, Four Hawk Social will provide reasonable assistance to the Customer in fulfilling the Customer's obligations to (a) respond to Data Subject requests under Articles 15–22 GDPR (or equivalent rights under other Applicable Data Protection Law), and (b) carry out data protection impact assessments and prior consultations under Articles 35–36 GDPR, where applicable to the Customer's use of the Service.

7. Sub-processors

7.1 General authorisation

The Customer provides general written authorisation for Four Hawk Social to engage the Sub-processors listed below to Process Customer Personal Data. Four Hawk Social remains responsible to the Customer for the performance of each Sub-processor's data protection obligations and will impose data protection terms on each Sub-processor that are no less protective than those in this DPA.

7.2 Current Sub-processors

| Sub-processor | Service | Region(s) |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (compute, storage, database, content delivery, identity, secrets management, email delivery) | United States (us-east-1) |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Anthropic PBC | AI features: image description, caption assistance, natural-language search, and analytical insights | United States |

The third-party social media platforms to which the Customer chooses to publish (Meta / Facebook / Instagram, LinkedIn, Pinterest, TikTok, YouTube / Google) act as independent controllers of the data the Customer transmits to them and are not Sub-processors of Four Hawk Social. Four Hawk Social transmits data to those platforms only on the Customer's instruction.

7.3 New Sub-processors

Four Hawk Social will provide the Customer with at least 30 days' prior notice (by email to the Customer's primary administrator and/or by an in-product notice) before engaging a new Sub-processor that will Process Customer Personal Data. Within that notice period, the Customer may object on reasonable data protection grounds by emailing [email protected]. If the parties cannot agree on a remedy within 30 days of the objection, the Customer may terminate the affected portion of the Service for convenience and receive a pro-rated refund of any prepaid fees attributable to the unused portion.

8. International Data Transfers

Customer Personal Data is primarily Processed and stored in the United States (AWS region us-east-1). Where the Customer is located in the European Economic Area, the United Kingdom, or Switzerland, transfers of Customer Personal Data to Four Hawk Social and its Sub-processors in the United States are made under the following safeguards, applied in this order of precedence:

  1. Adequacy. Where an adequacy decision applicable to the destination country and to Four Hawk Social or the relevant Sub-processor is in force (for example, the EU-U.S. Data Privacy Framework if Four Hawk Social or the Sub-processor is certified), the parties rely on that decision.
  2. Standard Contractual Clauses. Where no adequacy decision is available, the parties incorporate the Standard Contractual Clauses (Module Two: Controller to Processor; Module Three: Processor to Processor where applicable) by reference, with Four Hawk Social as data importer and the Customer as data exporter. The optional docking clause is selected; the Annexes are completed by reference to this DPA (Annex I.A: parties as set out in Section 1; Annex I.B: subject matter as set out in Sections 3 and 4; Annex I.C: competent supervisory authority of the Customer's place of establishment; Annex II: technical and organisational measures as set out in Section 6.3). For transfers from the United Kingdom, the UK Addendum applies in addition.
  3. Other safeguards. Where neither of the above is available, the parties will work in good faith to implement an alternative valid transfer mechanism under Applicable Data Protection Law.

9. Data Subject Rights

The Service provides functionality that enables the Customer to access, export, correct, restrict, and delete Customer Personal Data without Four Hawk Social's intervention. If a Data Subject contacts Four Hawk Social directly with a request relating to Customer Personal Data, Four Hawk Social will, where lawful, redirect the Data Subject to the Customer and notify the Customer without undue delay so the Customer can respond. Four Hawk Social will not respond to such requests on the Customer's behalf except on the Customer's documented instruction.

10. Personal Data Breaches

Four Hawk Social will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of the Breach. The notification will include, to the extent then known, the nature of the Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the Breach and mitigate its possible adverse effects. Four Hawk Social will provide further information as it becomes available and will reasonably cooperate with the Customer's own breach-notification obligations under Applicable Data Protection Law.

11. Audits and Inspections

Four Hawk Social makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. On reasonable prior written notice (and no more frequently than once per twelve-month period, unless an audit is required by a supervisory authority or follows a confirmed Personal Data Breach), the Customer may request:

  • A copy of Four Hawk Social's then-current security overview and any third-party attestations or summaries (e.g. SOC 2 reports) once obtained;
  • Reasonable written responses to a security questionnaire scoped to the Service;
  • An on-site or remote inspection conducted at the Customer's expense by the Customer or a mutually agreed independent auditor bound by confidentiality, scoped narrowly to the Customer's data and conducted in a way that does not compromise the security or operations of other customers.

Inspections of the Sub-processors listed in Section 7.2 are governed by those Sub-processors' own audit programs, summaries of which Four Hawk Social will share where it is permitted to do so.

12. Return or Deletion of Customer Personal Data

On termination or expiry of the Principal Agreement, the Customer may export Customer Personal Data through the Service for a period of 30 days. After that period, Four Hawk Social will delete or anonymise Customer Personal Data within 90 days, except (a) backup copies, which expire on their normal rolling cycle (no longer than 35 days after the deletion event), and (b) records that Four Hawk Social is required to retain under applicable law (such as billing records). Four Hawk Social will, on the Customer's written request, provide a written confirmation of deletion.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Principal Agreement. Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is not permitted by Applicable Data Protection Law.

14. Term, Order of Precedence, and Governing Law

Term. This DPA takes effect on the date the Customer signs the customer signature block below (or, if earlier, on the effective date of the Principal Agreement) and remains in force for as long as Four Hawk Social Processes Customer Personal Data on the Customer's behalf.

Order of precedence. In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses prevail.

Governing law. This DPA is governed by the law specified in the Principal Agreement, unless Applicable Data Protection Law requires otherwise. Where the Standard Contractual Clauses are incorporated, the governing law and jurisdiction provisions of the SCCs apply to disputes arising under those clauses.

Signatures

By signing below, each party agrees to be bound by this DPA. Customer should complete the customer block, save the page as a PDF (use the "Print / Save as PDF" button at the top), and email the completed copy to [email protected] to receive a counter-signed copy.

Customer

Four Hawk Social

Four Hawk Social
Provided on counter-signature
Provided on counter-signature
Provided on counter-signature
© 2026 Four Hawk Social. All rights reserved.