Data Processing Agreement

Last updated: 1 July 2026

Data processing terms

How SmashOne processes service data on your behalf under Article 28 GDPR, and the safeguards around that processing.

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and SmashOne ("Processor"). It governs how SmashOne processes personal data on your behalf when you use the Service to manage social-media content, audience messages and your AI assistant. Where you process personal data of your own customers through SmashOne, you act as the controller and SmashOne acts as your processor under Article 28 GDPR.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal data", "processing", "controller", "processor", "data subject" and "sub-processor" have the meanings given in the GDPR. "Customer Personal Data" means personal data processed by SmashOne on the Customer's behalf under the Service.

2. Roles and scope

The Customer is the controller and SmashOne is the processor of Customer Personal Data. SmashOne separately acts as an independent controller for account, billing and support data, which is described in the Privacy Policy and is not governed by this DPA.

3. Subject-matter, duration, nature and purpose

SmashOne processes Customer Personal Data for the duration of the subscription, solely to provide the Service: scheduling and publishing content, operating the AI assistant that replies to the Customer's audience, storing drafts and message history, and providing analytics and support. Processing ends when the subscription ends, subject to the deletion or return obligation in Section 5(h).

4. Categories of data and data subjects

Customer Personal Data may include: names, contact identifiers and social handles, message content exchanged with the Customer's audience, media uploaded by the Customer, and AI-assistant conversation logs. Data subjects are the Customer's own customers, followers and contacts. (Annex 1.)

5. SmashOne obligations (Article 28(3))

SmashOne shall: (a) process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers, unless required to do so by EU or Polish law (in which case SmashOne will inform the Customer of that legal requirement before processing, unless that law prohibits it); (b) ensure that persons authorised to process the data have committed themselves to confidentiality; (c) implement the technical and organisational measures set out in Annex 3 (Article 32); (d) engage sub-processors only in accordance with Section 6; (e) assist the Customer, by appropriate technical and organisational measures, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection); (f) assist the Customer with security, breach notification, data-protection impact assessments and prior consultation (Articles 32 to 36); (g) notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer Personal Data, providing the information the Customer needs to meet its own 72-hour obligation under Article 33 GDPR to notify its competent supervisory authority (the UODO for controllers established in Poland); (h) at the Customer's choice, delete or return all Customer Personal Data at the end of the Service and delete existing copies, unless EU or Polish law requires storage; (i) make available all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates (subject to reasonable notice and confidentiality); (j) not use, and contractually ensure that its AI sub-processor does not use, Customer Personal Data to train, fine-tune or improve any general-purpose AI model. Customer Personal Data is processed only to generate the responses and outputs the Customer requests within the Service.


6. Sub-processors

The Customer gives general authorisation for SmashOne to engage the sub-processors listed in Annex 2. SmashOne imposes the same data-protection obligations on each sub-processor by contract (flow-down). SmashOne will give at least 30 days' notice of any intended change of sub-processor and the Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service.

7. International transfers

Customer Personal Data is stored in the European Union (Frankfurt region). Some processing by the sub-processors listed in Annex 2 may take place outside the EU (for example, AI processing via Vertex AI, whose processing location is global). For any such transfer to a third country, SmashOne relies on an adequacy decision, the EU Standard Contractual Clauses, or another valid Chapter V mechanism, together with supplementary measures where required. The transfer safeguard applying to each sub-processor is recorded on the Sub-processors page.

8. Liability and governing law

This DPA is governed by the law of Poland. Liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a data subject's rights under the GDPR or the Customer's right to lodge a complaint with the UODO.

Annex 1 — Processing details

As described in Sections 3–4.

Annex 2 — Authorised sub-processors

Hetzner Online GmbH (EU application hosting and compute)
DigitalOcean, LLC (managed PostgreSQL, Valkey, and object storage/backups; Frankfurt)
Brevo / Sendinblue SAS (transactional email)
Google LLC / Vertex AI (AI processing; global processing location)
Cloudflare, Inc. (DNS, CDN, WAF, TLS edge security)
Sentry / Functional Software, Inc. (error monitoring with PII minimisation)
PostHog (EU Cloud, pseudonymous product analytics)
ScrapingBee SAS (website retrieval for the assistant's knowledge base)

No payment processor is engaged yet; one will be added when EU billing goes live. The current list, with regions and transfer safeguards, is maintained on our Sub-processors page.

Annex 3 — Technical & organisational measures

Encryption in transit (TLS) for all connections to and within the Service; encryption at rest for stored credentials and tokens; role-based access control following least privilege; multi-factor authentication for administrators; audit logging and alerting; encrypted backups with restoration testing; a secure software-development lifecycle; and a documented incident-response process that supports the 48-hour customer notification commitment in Section 5(g) and, in turn, the Customer's 72-hour supervisory-authority notification timeline.