Data Processing Addendum

For customer-submitted personal data, the customer acts as controller, business, or equivalent decision-maker, and COBAN acts as processor, service provider, or equivalent vendor unless a separate agreement says otherwise.

COBAN processes customer personal data only to provide, secure, support, maintain, and improve the contracted services; follow documented customer instructions; comply with law; or perform obligations under written agreements.

If COBAN believes an instruction violates applicable law or creates material security risk, COBAN may pause that instruction and request clarification.

Processing may include collection, import, storage, retrieval, organization, analysis, classification, enrichment, deduplication, brand mapping, campaign labeling, reporting, export, deletion, and backup of customer-configured data.

Categories of data may include user account data, business contact data, client and workspace metadata, public social media content, page or profile identifiers, post metrics, campaign references, taxonomy labels, model-generated analysis, and support records.

Data subjects may include customer users, agency staff, client contacts, public social media authors, brand page administrators, influencers, creators, and other people represented in configured datasets.

COBAN limits access to customer personal data to personnel and contractors with a business need to provide, secure, support, or improve the service.

Personnel with access to customer personal data are bound by confidentiality obligations or equivalent professional duties.

COBAN may use hosting, database, storage, analytics, model, monitoring, communication, security, and support providers to deliver the service. COBAN remains responsible for sub-processor performance under applicable agreements.

COBAN will use reasonable diligence in selecting sub-processors and require commitments that are materially protective of customer personal data.

Customers may request current sub-processor information by contacting coban.service@cobanvn.com.

COBAN maintains reasonable technical and organizational measures for confidentiality, integrity, availability, access control, incident response, backup, recovery, vulnerability management, and secure development.

Measures include authenticated access, workspace separation, encrypted transport where supported, managed-service security controls, restricted production access, credential management, operational monitoring, and backup practices.

If COBAN receives a request from an individual relating to customer-controlled data, COBAN may direct the requester to the customer or assist the customer according to product capabilities, written agreements, and applicable law.

Customers remain responsible for validating requester identity, deciding whether a request should be fulfilled, and giving COBAN clear instructions where customer-controlled data is involved.

COBAN will notify affected customers without undue delay after confirming a personal data breach involving customer personal data, subject to investigation, security, legal, and law-enforcement constraints.

Notifications will include available information about incident nature, affected data, likely consequences, mitigation steps, and recommended customer actions when reasonably known.

COBAN will provide reasonable information needed to demonstrate compliance with this DPA, subject to confidentiality, security, privilege, and protection of other customers' data.

On-site audits require prior written agreement, reasonable scope, business-hours scheduling, confidentiality protections, and controls that avoid disruption or risk to production systems.

Where customer personal data is transferred internationally, COBAN will rely on appropriate safeguards as required by applicable law, which may include contractual commitments, standard contractual clauses, transfer risk assessments, or provider-based safeguards.

At termination or upon valid customer request, COBAN will delete or return customer personal data according to product capabilities, written agreements, legal retention duties, and operational backup lifecycles.

COBAN may retain limited records needed for security, audit, legal compliance, dispute resolution, fraud prevention, or service continuity.

Access: authenticated users, role-aware workspaces, least-privilege production access, and removal of access when no longer needed.

Protection: encrypted transport where supported, provider-backed storage controls, secrets outside source control, credential rotation when needed, and logical customer separation.

Operations: monitoring of jobs and errors, backup and recovery practices, incident triage, secure development review, and controlled deployment workflows.