Data Processing Addendum (Art. 28 GDPR) – Sam’s AI Poster

Last updated: January 2026

This Data Processing Addendum (“DPA”) is between the Customer (controller) and INVEST.IN.TEK GmbH (processor) for the Sam’s AI Poster Service. It applies when we process Customer Personal Data on your instructions as processor under Article 28 GDPR. Capitalized terms not defined here have the meaning in the Terms and Conditions.

1) Roles

The Customer is the controller. INVEST.IN.TEK GmbH is the processor.

2) Scope and instructions

We process Customer Personal Data solely on documented instructions from you, including with respect to international transfers. Your use of the Service and configuration choices are instructions. If an instruction infringes GDPR or other law, we will inform you.

3) Confidentiality

Personnel are bound by confidentiality obligations appropriate to their roles.

4) Security (summary TOMs)

We implement technical and organizational measures including: encryption in transit, encrypted storage for secrets, role-based access controls with least privilege, monitoring/logging, network and application security controls, and backup/restore with 35-day rolling retention.

5) Subprocessors

General authorization applies. Current subprocessors:

  • Vercel Inc. (hosting/app delivery)
  • Supabase (EU database and file storage)
  • Stripe (payments)
  • Google Workspace EU (email)
  • AI/LLM providers (when platform-managed keys are used; provider depends on supported options in the Service). When you use your own API keys, you select the provider and act as controller for that choice.

We will notify you of material subprocessor changes and you may object on reasonable grounds; if unresolved, you may terminate the affected Service.

6) Assistance

We provide reasonable assistance to help you respond to data subject requests and to conduct data protection impact assessments, taking into account the nature of processing and information available to us.

7) Breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, providing information available to us to help you meet your obligations.

8) Deletion and return

  • Customer Content and Outputs: deleted within 30 days after account termination unless you delete earlier or request return where technically feasible.
  • Security logs: 90 days.
  • Backups: 35 days rolling retention.
  • Billing records and invoices: 8 years (or longer where required in specific cases by applicable law).

9) Audits

On request and subject to confidentiality, we will make available information necessary to demonstrate compliance and will cooperate with audits by you or an agreed independent auditor, limited to once per year unless legally required or following a substantiated incident.

10) International transfers

Where Customer Personal Data is transferred outside the EU/EEA by us or our subprocessors, we ensure appropriate safeguards (e.g., EU Standard Contractual Clauses) unless another valid transfer mechanism or an adequacy decision applies. For AI providers you select via your own API keys, you are responsible for the transfer mechanism for that provider.

11) Term

This DPA remains in force while we process Customer Personal Data for you under the Terms.

Annex: Processing details

  • Subject matter: Processing Customer Personal Data to provide the Sam’s AI Poster Service.
  • Duration: For the term of the Service and the deletion periods stated above.
  • Nature and purpose: Hosting, storage, retrieval, generation of Outputs, transmission to channels, logging, support.
  • Categories of data subjects: Customer’s users, personnel, end-users whose data is included in Customer Content.
  • Categories of personal data: Account data (name, email), usage data, credentials/tokens, Customer Content and Outputs (as provided by Customer), support communications.
  • Special categories: Not intended. Customer should avoid including special-category/sensitive data unless a lawful basis and safeguards apply.