Data Processing Agreement

GDPR Article 28 compliant · Version 1.0 · Effective 29 March 2026

Need a signed DPA for your organisation?

Complete the form at the bottom of this page. We will email a countersigned PDF DPA within 2 business days. This DPA is suitable for GDPR, UK GDPR, and Indian DPDP Act compliance. No legal negotiation required for standard terms — enterprise custom DPAs available on request.

Who needs a DPA? Any organisation in the EU, UK, or operating under GDPR whose employees use EngageLive as part of their work. Under GDPR Article 28, your organisation (the data controller) must have a written agreement with EngageLive (the data processor) before processing personal data. This page constitutes that agreement when countersigned.

1. Definitions

In this Agreement: "Controller" means the organisation whose employees use EngageLive; "Processor" means EngageLive / postlister.com; "Personal Data" means any information relating to an identified or identifiable person; "Processing" has the meaning given in GDPR Article 4(2); "GDPR" means Regulation (EU) 2016/679.

2. Subject Matter and Nature of Processing

The Processor provides a real-time audience engagement platform that allows the Controller's employees (hosts) to run interactive sessions with participants. Processing occurs as follows:

| Data Element | Subjects | Purpose | Retention |
|---|---|---|---|
| Host email address | Employees of the Controller | Session authentication, plan activation, purchase receipts | Stored in host's own browser localStorage only. Not stored on Processor servers. |
| Session activity data (poll responses, quiz answers, Q&A submissions) | Session participants | Real-time display to host during session | Deleted from Firebase Realtime Database at session end (automatic TTL). Never stored on Processor's application servers. |
| Participant names (optional) | Session participants | Identify participants on leaderboard/responses if provided voluntarily | Deleted from Firebase at session end. Never stored on servers. |
| Purchase records | Employees of the Controller who purchase plans | Verify active plan, apply participant limit increase | Retained for 13 months from purchase date for accounting purposes, then deleted. |

3. Controller's Instructions

The Processor shall process Personal Data only on documented instructions from the Controller. The Controller's use of EngageLive constitutes its instructions to process data as described in Section 2. The Controller warrants that its instructions comply with applicable law.

4. Processor's Obligations

  1. Confidentiality: The Processor shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  2. Security: The Processor shall implement appropriate technical and organisational measures as set out in Section 7.
  3. Sub-processors: The Processor shall not engage sub-processors without the Controller's general authorisation. The list of authorised sub-processors is in Section 6.
  4. Data subject rights: The Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under GDPR Articles 15–22.
  5. Data breach notification: The Processor shall notify the Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data breach.
  6. Data Protection Impact Assessments: The Processor shall provide reasonable assistance to the Controller in relation to any DPIAs.
  7. Deletion on termination: Upon termination of services, the Processor shall delete or return all Personal Data.
  8. Audit rights: The Processor shall make available all information necessary to demonstrate compliance with this Article and allow for audits and inspections by the Controller.

5. International Data Transfers

Personal Data processed through EngageLive may be transferred to the following locations:

| Data Type | Location | Transfer Mechanism |
|---|---|---|
| Session real-time messages (Firebase) | Google Firebase — asia-southeast1 (Singapore) | Google Cloud Standard Contractual Clauses; Firebase Data Processing Terms |
| Purchase records | Hostinger servers (EU — Lithuania) | GDPR Art. 3 — data processed within EU/EEA |
| Payment data | PayPal (USA/Luxembourg); PayU (India) | PayPal Standard Contractual Clauses; PayU DPDP compliance |

6. Authorised Sub-processors

| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Google LLC (Firebase) | Real-time database for session messaging | Singapore (asia-southeast1) | policies.google.com/privacy |
| Hostinger International Ltd | Web hosting and file storage | Lithuania, EU | hostinger.com/privacy-policy |
| PayPal Holdings Inc | Payment processing (optional) | USA / Luxembourg | paypal.com |
| PayU Payments Pvt Ltd | Payment processing — India (optional) | India | payu.in |
| Cloudflare Inc | CDN, DDoS protection, SSL termination | USA (with EU servers) | cloudflare.com |

The Processor will notify the Controller of any intended changes to this list with at least 14 days' notice by email, giving the Controller the opportunity to object.

7. Technical and Organisational Security Measures

  1. Encryption in transit: All data transmitted between users and servers is encrypted using TLS 1.2 or higher. Firebase connections use WSS (WebSocket Secure).
  2. Encryption at rest: Purchase records stored on Hostinger servers are protected by Hostinger's platform-level encryption. Firebase data is encrypted at rest by Google.
  3. Minimal data collection: Session response data is never written to Processor application servers. Firebase is used solely for transit, not storage.
  4. Access controls: Admin panel access is protected by password authentication. Server access is restricted by SSH key.
  5. Automatic deletion: Firebase Realtime Database session data is automatically deleted at session end through Firebase Security Rules with TTL.
  6. No tracking: No analytics SDKs, session recording tools, or behavioural tracking are deployed on EngageLive.
  7. Vulnerability disclosure: Security vulnerabilities can be reported to security@postlister.com. See our Security Policy.

8. Duration and Termination

This Agreement remains in force for as long as the Controller's employees use EngageLive. Either party may terminate by providing 30 days' written notice. On termination, the Processor shall delete all Personal Data within 30 days.

9. Governing Law

This Agreement is governed by the laws of India, with GDPR Article 28 obligations interpreted in accordance with EU law. For Controllers in the EU/EEA/UK, EU/UK GDPR takes precedence over conflicting provisions of Indian law in respect of data protection obligations only.

10. Standard Contractual Clauses

Where Personal Data of EU/UK data subjects is transferred outside the EEA/UK, the parties agree to be bound by the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as published on 4 June 2021 (EU SCCs), which are incorporated into this Agreement by reference.


Request a Countersigned DPA

Email us directly at legal@postlister.com with the following details and we will send a countersigned PDF DPA within 2 business days:

Include in your email:

  1. Organisation name and registered country
  2. Contact name and job title (e.g. Data Protection Officer, Legal Counsel)
  3. Reply-to email address for the signed PDF
  4. Approximate number of users (for our records)
  5. Any special requirements — e.g. UK GDPR addendum, specific governing law, custom clauses (optional)

We respond to all DPA requests within 2 business days. For urgent requests or custom enterprise DPAs, contact legal@postlister.com directly with "URGENT DPA" in the subject line. We do not share your details with any third party.