⚠️ Legal notice: This DPA template was drafted on the basis of common EDPB / BayLDA model clauses and must be reviewed by a lawyer specialising in IT law / data protection before it is first signed with a customer. Until then it serves as transparency information for business partners. A legally binding execution is provided on informal request by email to info@castloop.de.
Contracting parties
This DPA is concluded between:
Processor:
Daniel Ovadia — CastLoop (sole proprietorship)
Eugen-Richter-Str. 159, 76187 Karlsruhe, Germany
Email: info@castloop.de
— and the controller (CastLoop customer, hereinafter: “the customer”), whose identity is evidenced by the customer account and who is to be entered by name in the preamble when execution of this DPA is first requested.
§ 1 Subject matter & duration
The subject matter of this agreement is the processing of personal data by the processor on behalf of the customer in the context of the use of the “CastLoop” service pursuant to the General Terms and Conditions (Terms) between the parties.
This DPA applies for the entire duration of the main contract (the SaaS subscription) and ends automatically upon its termination.
§ 2 The customer's right to issue instructions
The processor processes personal data exclusively within the framework of the contractual agreements and the documented instructions of the customer. If the processor is of the opinion that an instruction of the customer infringes data protection law, it will inform the customer accordingly.
Instructions are usually documented electronically via (a) the configurations made in the SaaS dashboard, (b) the contractual bases (Terms, DPA) and (c) ad-hoc instructions by email to info@castloop.de.
§ 3 Nature and purpose of the processing
The processor processes personal data for the purpose of providing the SaaS service “CastLoop” (Content Autopilot for social media publishing). This includes in particular:
- downloading and storing YouTube / podcast source content that the customer provides for processing;
- automated transcription and AI-assisted analysis via Google Gemini 2.5 Flash (Google Ireland Ltd.);
- creation of clip variants with animated subtitles (FFmpeg);
- publication of the clips on the customer's connected social media accounts (YouTube, Instagram, Facebook, TikTok, LinkedIn, X, Threads) on behalf of the customer;
- storage of authentication tokens, metadata and analytics data required to provide the service.
§ 4 Place of processing
Processing takes place primarily on servers of IONOS SE in Germany (EU). Regarding the third-country transfers that are unavoidable in multi-platform posting (X, Meta, TikTok group), see § 13.
§ 5 Categories of data subjects and data
Categories of data subjects:
- the customer themselves as a natural person (if a sole proprietor);
- employees / authorized representatives of the customer who work in the customer account;
- persons who appear in the content provided by the customer (videos, podcasts) or who are acoustically/visually identifiable there (e.g. interview guests);
- end users / viewers of the published clips, insofar as engagement data (views, likes, comments) is returned by the platforms.
Categories of personal data:
- master data (name, email, company, billing address);
- usage data (login times, IP hashes, session tokens);
- content data (audio, video, transcripts, subtitles, metadata);
- OAuth access tokens of the connected social media accounts (stored AES-256-GCM encrypted);
- performance data (impressions, views, reach — aggregated by the platforms).
§ 6 Technical and organizational measures (TOMs)
The processor takes the technical and organizational measures required under Art. 32 GDPR. A detailed listing can be found in the separate TOM annex, which forms part of this DPA as Annex 1. The TOMs are reviewed regularly and adapted to the state of the art where necessary.
§ 7 Subcontractors (sub-processors)
The customer consents to the use of the following sub-processors upon conclusion of the contract:
| Sub-processor | Location | Purpose |
|---|---|---|
| IONOS SE | Montabaur, DE (EU) | Hosting, SMTP relay, VM snapshot backups |
| Google Ireland Ltd. | Dublin, IE (EU) | Transcription & AI analysis (Gemini 2.5 Flash), YouTube Data API, Google Sign-In |
| Mollie B.V. | Amsterdam, NL (EU) | Payment processing (acts as an independent controller pursuant to § 9 (3) KWG, not as a processor; listed for transparency) |
| Microsoft Ireland Operations Ltd. | Dublin, IE (EU) | SSO (Sign in with Microsoft) |
| Apple Distribution International Ltd. | Cork, IE (EU) | SSO (Sign in with Apple) |
| Meta Platforms Ireland Ltd. | Dublin, IE (EU) | Instagram, Facebook and Threads publications (on behalf of the customer) |
| TikTok Technology Ltd. | Dublin, IE (EU) | TikTok publications |
| LinkedIn Ireland Unlimited Company | Dublin, IE (EU) | LinkedIn publications |
| X Corp. | San Francisco, USA (third country) | X/Twitter publications; transfer safeguarded by the EU standard contractual clauses (Implementing Decision (EU) 2021/914) |
The processor will inform the customer at least 30 days before any intended replacement or addition of sub-processors. The customer may object to the change; if the objection rests on a legitimate data-protection ground, either party may terminate the main contract for cause.
§ 8 Assistance obligations
The processor supports the customer in fulfilling its obligations under Art. 12 et seq. GDPR (data subjects' rights), Art. 33/34 GDPR (data breach), Art. 35 GDPR (data protection impact assessment) and Art. 36 GDPR (prior consultation).
§ 9 Notification duty in the event of data breaches
The processor notifies the customer by email, without undue delay and at the latest within 48 hours of becoming aware of it, of any personal data breach within the meaning of Art. 4 no. 12 GDPR that affects the customer's personal data. The notification contains the information specified in Art. 33 (3) GDPR, insofar as it is known to the processor.
§ 10 Audit and information rights
The customer has the right to verify the processor's compliance with this DPA and the applicable data protection law. At the customer's choice, the audit may be carried out by (a) written answers to specific questions, (b) presentation of current certificates or audit reports (where available), or (c) where there is justified cause, an on-site inspection after reasonable prior notice (normally at least 14 days), outside business hours and at the customer's expense.
§ 11 Confidentiality
The processor undertakes to treat all personal data that becomes known to it in the context of this DPA as confidential. Persons engaged in the processing are bound to confidentiality pursuant to Art. 28 (3) lit. b GDPR, § 203 StGB (where applicable) and a corresponding contractual undertaking.
§ 12 Deletion / return after end of contract
After termination of the main contract, all personal data is either returned or deleted, as instructed by the customer. By default, the data is deleted from the production database 30 days after termination and from all backups at the latest 30 days after that (IONOS VM snapshot rotation), unless statutory retention obligations (in particular § 257 HGB and § 147 AO for invoices) require otherwise.
§ 13 Third-country transfers
Personal data is transferred to third countries only insofar as this is unavoidable for the performance of the contract, specifically to X Corp. (USA) and to the US parent companies of the EU-resident sub-processors (Google, Meta, Microsoft, Apple, TikTok), insofar as these forward data within their group. Such transfers are safeguarded by the EU standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914 and, where relevant, by supplementary technical and organizational measures.
§ 14 Liability
Liability is governed by the provisions of the main contract (Terms § 10). Art. 82 GDPR remains unaffected.
§ 15 Final provisions
Amendments and supplements to this DPA require text form. Should individual provisions be or become invalid, the validity of the remaining provisions remains unaffected. German law applies; the place of jurisdiction is — insofar as legally permissible — the registered office of the processor (Karlsruhe).