Data Processing Agreement
A Data Processing Agreement is a contract required by GDPR whenever one company handles personal data on behalf of another. Here, a business customer (the controller — e.g. an agency or company using ClickCarousel) decides what happens to the data, and ClickCarousel (the processor) only handles it on their instructions. The DPA locks in how we protect that data: security, who our sub-processors are, breach notifications, deletion, and support for data-subject rights. If you're an individual creator on a normal plan, our Privacy Policy already covers you — the DPA matters mainly for business/agency customers.
1. Scope and roles
This DPA forms part of the agreement between the customer ("Controller") and ClickCarousel ("Processor") for use of the Service. It applies where ClickCarousel processes personal data on the Controller's behalf. Where terms conflict, this DPA prevails on data-protection matters.
2. Processing on instructions
ClickCarousel processes personal data only on the Controller's documented instructions (including via the Service's features), except where required by law — in which case we will inform the Controller unless legally prohibited.
3. Details of processing (Annex A)
| Subject matter | Creating, scheduling and publishing LinkedIn carousels via the Service. |
|---|---|
| Duration | For the term of the agreement, plus deletion/return period. |
| Nature & purpose | Hosting, generating, editing, storing, scheduling and transmitting content to LinkedIn. |
| Types of personal data | Account and contact details; LinkedIn profile identifiers and access tokens; content, captions and comments; usage data. |
| Categories of data subjects | The Controller's users, team members and any individuals referenced in content. |
4. Confidentiality
ClickCarousel ensures that personnel authorised to process personal data are bound by confidentiality obligations and receive appropriate training.
5. Security (Annex B)
ClickCarousel implements appropriate technical and organisational measures, including: encryption in transit; encryption of stored access tokens and secrets; access controls and least-privilege; logging and monitoring; regular backups; and secure software-development practices. Measures may be updated provided the level of protection is not reduced.
6. Sub-processors
The Controller authorises ClickCarousel to engage sub-processors under written terms that impose data-protection obligations equivalent to this DPA. The current list is published on our Third-Party Terms & Sub-processors page. We will give notice of intended changes, allowing the Controller a reasonable opportunity to object on reasonable grounds.
7. Data-subject requests
Taking into account the nature of the processing, ClickCarousel assists the Controller with appropriate measures to respond to data-subject requests (access, rectification, erasure, portability, restriction and objection), and forwards any such requests it receives directly.
8. Personal-data breach
ClickCarousel notifies the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, and provides information reasonably available to help the Controller meet its own notification duties.
9. Return and deletion
On termination, and at the Controller's choice, ClickCarousel deletes or returns the personal data and deletes existing copies, unless retention is required by law.
10. Audits
ClickCarousel makes available information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, on reasonable notice and subject to confidentiality.
11. International transfers
Where processing involves transfers of personal data outside the EEA/UK, the parties rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses, which are incorporated by reference.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement.
13. Contact
Data-protection contact: privacy@clickcarousel.com. To request a signed DPA, contact legal@clickcarousel.com.