This Data Processing Agreement ("DPA") forms part of the agreement between GlintPost ("Processor") and the Customer ("Controller") for the provision of GlintPost services. This DPA applies to the extent that GlintPost processes Personal Data on behalf of the Customer.
By using GlintPost services, you agree to this DPA. If you have a separate written agreement with GlintPost, the terms of that agreement prevail in case of conflict.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by GlintPost on behalf of the Customer.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
- "Sub-processor" means any third party engaged by GlintPost to process Personal Data on behalf of the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
2. Scope and Purpose of Processing
GlintPost processes the following categories of Personal Data on behalf of the Customer:
| Category | Data elements | Purpose |
|---|---|---|
| Visitor identifiers | Pseudonymous visitor ID (v_UUID) | Deduplication of votes, reactions, feedback |
| Engagement data | Likes, dislikes, votes, view events | Displaying engagement metrics |
| User-submitted content | Feedback responses, feature suggestions | Collecting user feedback for the Customer |
| Contextual attributes | Datalayer fields (plan, role, region, etc.) | Segmentation and filtering by Customer |
3. Obligations of the Processor
GlintPost shall:
- Process Personal Data only on documented instructions from the Customer, unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organizational security measures (see Section 5).
- Assist the Customer in fulfilling Data Subject rights requests (access, rectification, erasure, portability).
- Delete or return all Personal Data upon termination of services, at the Customer's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
- Not use Customer data for any purpose other than providing the contracted services.
- Not sell, share, or use Personal Data for cross-customer profiling or analytics.
4. Obligations of the Controller
The Customer shall:
- Ensure a valid legal basis exists for all Personal Data processed through GlintPost widgets.
- Obtain any required consent from end users before enabling tracking features.
- Include GlintPost's data collection in their own privacy policy.
- Not transmit sensitive personal data (health, financial, etc.) through datalayer fields.
- Handle Data Subject requests from their end users, using GlintPost's tools as needed.
5. Security Measures
GlintPost implements the following security measures:
- Encryption in transit (TLS/HTTPS for all communications)
- Encryption at rest for sensitive fields (AES-256-GCM for API keys)
- Password hashing (bcrypt with 12 salt rounds)
- API key authentication for all widget endpoints
- Strict CORS domain allowlisting (no wildcards)
- Multi-tenant data isolation via organization-scoped database queries
6. Sub-processors
The Customer authorizes GlintPost to engage the sub-processors listed on our Sub-processors page. GlintPost will notify the Customer of any intended changes to sub-processors, providing the Customer an opportunity to object.
GlintPost ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Data Breach Notification
GlintPost will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:
- The nature of the breach, including categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details of our data protection point of contact
8. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), GlintPost ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
9. Term and Termination
This DPA is effective for the duration of the Customer's use of GlintPost services. Upon termination, GlintPost will delete all Personal Data within 30 days, unless retention is required by law.
10. Contact
For questions about this DPA or to exercise rights under it, please contact us at privacy@glintpost.com.