Data Processing Addendum
Last updated: July 12, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Solharbor Management Ltd ("Solharbor", "we", "us", or "Processor") and the customer using Solharbor services ("Customer" or "Controller") where Solharbor processes personal data on Customer's behalf.
This DPA applies to Solharbor consulting, implementation, hosting, support, automation, reporting, and software services, including Solharbor Social, to the extent Solharbor processes Customer Personal Data as a processor under applicable Data Protection Law.
1. Definitions
"Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR where applicable, and other applicable laws relating to the processing of personal data and privacy.
"Customer Personal Data" means personal data processed by Solharbor on behalf of Customer under the applicable services agreement, order, statement of work, or online terms.
"Controller", "processor", "data subject", "personal data", "personal data breach", "processing", and "supervisory authority" have the meanings given in applicable Data Protection Law.
2. Roles of the Parties
The parties acknowledge that Customer is the controller of Customer Personal Data and Solharbor is the processor, except where Solharbor independently determines the purposes and means of processing, such as for its own business administration, billing, security, legal compliance, and service improvement.
Customer is responsible for ensuring that it has a lawful basis for the processing it instructs Solharbor to perform and that its instructions comply with Data Protection Law.
3. Processing on Instructions
Solharbor will process Customer Personal Data only on Customer's documented instructions, including as set out in this DPA, the applicable agreement, product settings, support requests, and Customer's use of the services, unless required to do otherwise by law.
Solharbor will promptly inform Customer if, in Solharbor's opinion, an instruction infringes Data Protection Law, unless prohibited from doing so by law.
4. Details of Processing
Subject Matter
Processing of Customer Personal Data as necessary to provide, secure, support, maintain, and improve the services requested by Customer.
Duration
For the term of the applicable services agreement and until deletion or return of Customer Personal Data as described in this DPA, unless retention is required by law.
Nature and Purpose
Hosting, storage, integration, automation, data processing, reporting, support, troubleshooting, content scheduling and publishing, AI-assisted content features where enabled, and related service operations.
Types of Personal Data
Depending on the services used, Customer Personal Data may include business contact details, user account data, authentication data, connected account metadata, OAuth tokens, social account and page identifiers, profile names and images, post content, media, scheduled publishing metadata, publishing status, analytics and reporting data, support communications, logs, CRM records, deal records, and operational data supplied or connected by Customer.
Categories of Data Subjects
Customer's users, personnel, clients, prospects, suppliers, business contacts, social media account administrators, social media audience members where data is made available through an authorized integration, and other individuals whose personal data is provided to or connected with the services.
Special Category Data
The services are not intended for special category data unless explicitly agreed in writing with additional safeguards. Customer must not submit special category data unless the parties have agreed appropriate instructions and safeguards.
5. Confidentiality
Solharbor will ensure that personnel authorized to process Customer Personal Data are subject to a duty of confidentiality and process Customer Personal Data only as instructed.
6. Security
Taking account of the state of the art, costs of implementation, nature, scope, context, and purposes of processing, and the risk to data subjects, Solharbor will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
These measures may include encryption in transit, encryption at rest where supported by the relevant platform, access controls, least-privilege permissions, credential management, backup and restoration procedures, logging and monitoring, vulnerability management, and measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
7. Subprocessors
Customer gives Solharbor general written authorization to engage subprocessors to provide the services. Solharbor will impose data-protection obligations on subprocessors that are materially equivalent to those in this DPA and remains responsible for each subprocessor's performance of those obligations.
Solharbor will give notice of intended additions or replacements of subprocessors by updating this page or otherwise notifying Customer where required by the applicable agreement. Customer may object on reasonable data-protection grounds.
Authorized Subprocessors
| Subprocessor | Purpose | Data Processed | Processing Location / Transfer Mechanism |
|---|---|---|---|
| Railway Corp. | Application hosting, databases, Redis/cache, storage, deployment, and service infrastructure for Solharbor Social and related services. | Account data, integration metadata, OAuth tokens, scheduled posts, media, logs, and operational data. | Regions selected for the service. Appropriate transfer mechanisms are used where required. |
| Amazon Web Services EMEA SARL / Amazon Web Services, Inc. | Cloud hosting, storage, compute, backup, and managed infrastructure where used for customer projects or service components. | Customer data hosted or processed in the relevant project environment. | UK/EU regions where configured; AWS DPA, standard contractual clauses, and UK Addendum where applicable. |
| Supabase, Inc. | Application database, backend, authentication, and control-plane services where used for customer projects. | Application records, contact data, integration records, and operational data. | UK/EU regions where configured; standard contractual clauses and UK Addendum where applicable. |
| Google Cloud EMEA Ltd / Google LLC | Email, file storage, document handling, calendars, and workspace tools. | Personal data contained in emails, documents, files, meeting records, exports, and support communications. | UK/EU regions where available; Google data processing terms, standard contractual clauses, and UK Addendum where applicable. |
| GitHub, Inc. | Source control, issue tracking, CI/CD, deployment workflows, and software development collaboration. | Technical records, project documentation, issue data, and limited customer data where included by Customer or needed for support. | United States and other locations; standard contractual clauses and UK Addendum where applicable. |
| OpenAI, L.L.C. and other AI providers where enabled | AI-assisted content generation, summarization, classification, automation, and related features requested by Customer. | Prompts, content, context, post text, documents, and outputs submitted or generated through AI-enabled features. | United States and other locations; provider data processing terms and transfer mechanisms where applicable. |
| Netlify, Inc. | Website hosting, frontend deployment, edge routing, and form handling where used. | Website traffic data, form submissions, and transient request data. | United States and other locations; standard contractual clauses and UK Addendum where applicable. |
| Payment, email, analytics, logging, and security providers | Billing, transactional email, service monitoring, error logging, abuse prevention, and security operations where enabled. | Account data, contact data, billing records, email metadata, logs, and technical diagnostics. | Locations and transfer mechanisms depend on the provider and service configuration. |
LinkedIn and other connected social platforms are external services integrated at Customer's direction. They may act as independent controllers or under their own platform terms, not as Solharbor subprocessors.
8. Data Subject Rights
Taking account of the nature of processing, Solharbor will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligation to respond to data subject rights requests under Data Protection Law.
If Solharbor receives a request from a data subject relating to Customer Personal Data, Solharbor will promptly notify Customer and will not respond except on Customer's documented instruction or as required by law.
9. Assistance to Customer
Solharbor will reasonably assist Customer with obligations relating to security of processing, personal data breach notification, data protection impact assessments, and consultation with a supervisory authority, taking into account the nature of processing and information available to Solharbor.
10. Personal Data Breach
Solharbor will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Solharbor will provide information reasonably available to allow Customer to meet any obligation to report the breach to a supervisory authority or affected data subjects.
Solharbor will take reasonable steps to mitigate the effects of, and minimize damage resulting from, the breach.
11. Deletion or Return
On termination of the services, or at Customer's written request, Solharbor will return or delete Customer Personal Data and delete existing copies unless the law requires retention. Solharbor may retain limited copies as required by law, for security, backup, audit, dispute resolution, or reasonable business records, subject to continuing protection under this DPA.
12. Audit and Information
Solharbor will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits by Customer or an auditor mandated by Customer, subject to reasonable prior notice, confidentiality, security controls, and no more than once in any twelve-month period unless a personal data breach or regulatory requirement warrants otherwise.
13. International Transfers
Solharbor will not transfer Customer Personal Data outside the United Kingdom or European Economic Area unless an appropriate transfer mechanism is in place where required, such as adequacy regulations, standard contractual clauses, the UK Addendum to the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or another lawful transfer mechanism.
14. LinkedIn and Social Platform Data
Where Customer uses Solharbor Social with LinkedIn or another social platform, Customer instructs Solharbor to process connected account data and platform content only as necessary to provide the requested integration. Solharbor will comply with applicable platform restrictions and data storage requirements where they apply to Solharbor's processing of platform data.
Customer is responsible for ensuring that its use of connected social platforms, content, account permissions, and posting instructions complies with applicable law, platform terms, and permissions granted by relevant account owners or administrators.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the applicable agreement between the parties, except to the extent prohibited by law.
16. Term
This DPA takes effect when Customer uses services to which it applies and continues while Solharbor processes Customer Personal Data. Clauses that by their nature should survive termination will survive.
17. Governing Law
Unless the applicable agreement states otherwise, this DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
18. Contact
Questions about this DPA or Solharbor's processing of Customer Personal Data may be sent to privacy@solharbor.com.