DATA PROCESSING AGREEMENT (DPA)
Last updated December 12, 2025
This DPA forms part of the Terms of Service between the User (“Controller”) and the App Provider (“Processor”).
1. Definitions
- “Controller”: The party determining the purpose and means of processing personal data (You).
- “Processor”: The party processing personal data on behalf of the Controller (App Provider).
- “Personal Data”: Any information relating to an identified or identifiable natural person.
- “Applicable Data Protection Laws”: GDPR, UK GDPR, CCPA/CPRA, and any similar global privacy laws.
2. Scope of Processing
The Processor processes personal data only as necessary to provide the App, including:
- Collecting or importing fan engagement data from social media APIs (via Controller authorization).
- Storing and displaying insights.
- Providing customer support.
- Maintaining and securing the platform.
Processor will not process personal data for any purpose other than those documented by the Controller.
3. Instructions
Processor will process data only on documented instructions from the Controller.
If instructions violate the law, Processor shall notify the Controller.
4. Confidentiality
Processor ensures that all individuals authorized to process personal data:
- Are subject to confidentiality obligations, and
- Receive appropriate privacy and data protection training.
5. Security Measures
Processor will implement appropriate technical and organizational measures including:
- Encryption in transit and at rest
- Access controls and authentication
- System monitoring
- Regular security testing
- Data minimization and retention limits
Specific measures may be listed in an Annex if needed.
6. Subprocessors
Processor may use subprocessors to provide the service (e.g., cloud hosting providers).
Processor will:
- Maintain a list of subprocessors
- Ensure they meet equivalent data protection obligations
- Notify the Controller of any changes (10 days’ notice where possible)
Controller may object to new subprocessors on reasonable grounds.
7. International Transfers
Processor may transfer personal data internationally, provided that:
- Appropriate safeguards are in place (e.g., Standard Contractual Clauses, transfer impact assessments), and
- Transfers comply with Applicable Data Protection Laws.
8. Data Subject Requests
Processor will:
- Forward to the Controller any data subject requests that Processor receives directly
- Support the Controller when reasonably required
- Not respond to requests without authorization, unless legally required
9. Audit Rights
Controller may audit Processor’s compliance through:
- Documentation reviews, or
- Third-party auditor reports (e.g., SOC 2, ISO 27001), or
- On-site audits with reasonable notice and within normal business hours
Audits must respect confidentiality and security obligations.
10. Data Breach Notification
Processor will notify the Controller without undue delay after becoming aware of a personal data breach. The notification will include:
- Description of the breach
- Likely consequences
- Steps taken or proposed to address the breach
Controller remains responsible for regulatory notifications unless required otherwise by law.
11. Return or Deletion of Data
Upon termination of the service:
- Processor will delete all personal data after a retention period of [X days], unless legally required to retain it
- Controller may request export of data before deletion
12. Liability
Each party’s liability under this DPA is subject to the limitations set out in the main Terms of Service, except where prohibited by law.
13. Duration
This DPA remains in effect for as long as Processor processes personal data on behalf of the Controller.
14. Governing Law
Same as the Governing Law in the Terms of Service, unless required otherwise by GDPR.
15. Contact
For data protection matters:
info@libertymusicpr.com