Legal

Data Processing Agreement

Last updated: 25 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Gibney Technology Enterprises Limited ("Processor", "we", "us") and the customer subscribing to the HipTrack.io service ("Controller", "you"), collectively the "Parties". It is incorporated by reference into the HipTrack.io Terms of Service.

This DPA sets out the terms on which the Processor will process personal data on behalf of the Controller in connection with the HipTrack.io service (the "Service"), as required by Regulation (EU) 2016/679 (the "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws.

1. Definitions

Terms not defined here have the meanings given in the GDPR. In this DPA:

"Controller" means the customer who determines the purposes and means of processing personal data via the Service.
"Processor" means Gibney Technology Enterprises Limited, which processes personal data on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person to whom personal data relates.
"Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
"Processing" has the meaning given in the GDPR and "process" and "processed" shall be construed accordingly.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).

2. Roles and scope

The Parties acknowledge that with regard to the processing of Personal Data described in Annex 1, the Controller is the data controller and the Processor is the data processor within the meaning of the GDPR.

This DPA applies solely to Personal Data processed by the Processor on behalf of the Controller as part of the Service. It does not apply to Personal Data for which the Processor is an independent data controller (such as account registration and billing data, which are governed by our Privacy Policy).

3. Controller's instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller's instructions are set out in this DPA and the Terms of Service. The Controller may issue further instructions in writing during the term of the agreement; the Processor shall promptly notify the Controller if it believes any instruction infringes applicable data protection law.

4. Processor obligations

4.1 Confidentiality

The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, as appropriate:

The pseudonymisation and encryption of Personal Data
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing

The technical and organisational measures currently in place are described in Annex 2.

4.3 Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall maintain a list of Sub-processors (set out in Annex 3) and shall notify the Controller of any intended changes to the list of Sub-processors by updating Annex 3 and providing at least 14 days' prior notice. The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying the Processor in writing within 14 days of receiving notice.

Where the Processor engages a Sub-processor, it shall impose data protection obligations on that Sub-processor equivalent to those set out in this DPA by way of a contract. The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations.

4.4 Assistance with data subject rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under Chapter III of the GDPR.

4.5 Assistance with compliance obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, notification of Security Incidents, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.

4.6 Deletion or return of data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of the Service, and shall delete existing copies unless European Union or Member State law requires storage of the Personal Data. The Processor shall confirm in writing when deletion has been completed.

4.7 Audit and demonstration of compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall give reasonable prior written notice (not less than 30 days, except in the case of a confirmed Security Incident) of any audit and shall bear the reasonable costs of any audit conducted at its request.

5. Security incidents

The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware of a Security Incident affecting Personal Data processed under this DPA. Such notification shall, to the extent available, include:

A description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
The name and contact details of the data protection officer or other contact point where more information can be obtained
A description of the likely consequences of the Security Incident
A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects

Notification of a Security Incident is not an acknowledgement of fault or liability. The Controller is responsible for notifying the relevant supervisory authority and affected Data Subjects where required by applicable law.

6. International transfers

The Processor shall not transfer Personal Data originating from the European Economic Area ("EEA") or the United Kingdom ("UK") to a country outside the EEA or UK unless one of the following conditions is met:

The transfer is to a country that has been granted an adequacy decision by the European Commission or (for UK transfers) by the UK Secretary of State
Appropriate safeguards are in place within the meaning of Article 46 GDPR, such as the Standard Contractual Clauses
One of the derogations in Article 49 GDPR applies

Where the Processor transfers Personal Data to Sub-processors located outside the EEA or UK, it shall ensure that appropriate transfer mechanisms are in place, including entering into the Standard Contractual Clauses where required. Details of international transfers made by Sub-processors are noted in Annex 3.

7. Controller's obligations

The Controller represents and warrants that:

It has a valid legal basis for processing the Personal Data it submits to the Service and for directing the Processor to process that data on its behalf
It will comply with all applicable data protection laws in connection with the Personal Data it submits to the Service, including providing all required notices and obtaining all required consents from Data Subjects
It has provided appropriate privacy notices to Data Subjects whose data it submits to the Service
It shall promptly and accurately respond to any enquiry from the Processor relating to the processing of Personal Data under this DPA

8. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions set out in the HipTrack.io Terms of Service.

As between the Parties only, where a Party has paid compensation or a fine to a Data Subject or supervisory authority in respect of damage to which the other Party contributed, the contributing Party shall reimburse the first Party to the extent of its contribution.

9. Term and termination

This DPA commences on the date the Controller first accepts the Terms of Service and remains in force for so long as the Processor processes Personal Data on behalf of the Controller under the Service agreement. Termination of the Terms of Service automatically terminates this DPA, subject to clause 4.6 (deletion or return of data).

10. Governing law

This DPA is governed by and construed in accordance with the laws of Ireland. The Parties submit to the exclusive jurisdiction of the Irish courts in respect of any dispute arising under or in connection with this DPA, without prejudice to the rights of Data Subjects under applicable data protection law.

11. General

This DPA supersedes any prior data processing agreements between the Parties relating to the Service. In the event of any conflict between this DPA and the Terms of Service in relation to the processing of Personal Data, this DPA shall prevail. If any provision of this DPA is invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Annex 1 — Details of processing

Subject matter and duration

The Processor provides the HipTrack.io social bookmarking and UGC management service. Processing takes place for the duration of the Controller's subscription, and for such period thereafter as is necessary to comply with clause 4.6.

Nature and purpose of processing

The Processor processes Personal Data to provide and operate the Service, including storing, organising, and displaying bookmarked content; enabling team collaboration within workspaces; sending transactional notifications; and providing customer support.

Types of personal data

Identity and contact data: names, email addresses, job titles
Account data: usernames, authentication credentials (hashed), workspace membership and role information
Content data: bookmarked URLs, titles, descriptions, images, notes, tags, and folder organisation created by users
Social media profile data associated with bookmarked content (e.g. creator handles, profile metadata retrieved from public sources or connected integrations)
Usage and log data: IP addresses, browser and device information, timestamps of activity
Communication data: content of support requests and in-app communications

Categories of data subjects

The Controller's employees and team members who are authorised users of the Service
Social media creators and public figures whose content is bookmarked by the Controller's users
Individuals mentioned or depicted in content saved to the Service

Annex 2 — Technical and organisational security measures

Access control

Authentication required for all access to production systems and the Service
Role-based access controls limiting access to Personal Data to authorised personnel on a need-to-know basis
Multi-factor authentication required for access to production infrastructure
Regular review and revocation of access rights upon change of role or departure

Encryption

All data transmitted between users and the Service is encrypted in transit using TLS 1.2 or higher
Data stored at rest is encrypted using industry-standard encryption (AES-256 or equivalent)
Passwords are stored using a cryptographic hashing algorithm with salt (bcrypt)

Infrastructure and availability

The Service is hosted on cloud infrastructure with physical security controls managed by the infrastructure provider
Automated backups are performed regularly; backup integrity is tested periodically
Systems are monitored for availability and anomalous activity
Incident response procedures are in place for Security Incidents

Organisational measures

Personnel with access to Personal Data are subject to contractual confidentiality obligations
Security awareness is maintained through internal policies and procedures
Third-party sub-processors are assessed for security compliance before engagement
Software dependencies are monitored and updated to address known vulnerabilities

Annex 3 — Sub-processors

The following Sub-processors are authorised to process Personal Data in connection with the Service. The Processor will update this list and provide notice as described in clause 4.3.

Sub-processor	Purpose	Location
DigitalOcean, LLC	Cloud application hosting and infrastructure	EU / USA (SCCs in place)
Stripe, Inc.	Payment processing and subscription management	USA (SCCs in place)
Resend, Inc.	Transactional email delivery	USA (SCCs in place)

SCCs = Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) or equivalent transfer mechanisms for UK transfers.

Contact

For any queries relating to this DPA or data protection matters, please contact:

Gibney Technology Enterprises Limited
Dublin, Ireland
Attn: Data Protection
Email: [email protected]