Data Processing Agreement (DPA)
Tube Responder — https://tuberesponder.com
Last updated: March 2026
Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller:
The user of Tube Responder who has accepted the Terms of Service ("Controller", "you")
Data Processor:
Tube Responder, Chemin des Artisans 17, 1616 Attalens, Switzerland ("Processor", "we")
This DPA forms part of the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Tube Responder service. In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to personal data processing.
1. Purpose & Scope
The Processor provides YouTube comment management and AI-assisted reply services to the Controller. In doing so, the Processor processes personal data on behalf of the Controller as described in this DPA.
This DPA applies specifically to YouTube Data — comments, replies, author names, and engagement metadata retrieved from the Controller's YouTube channel via the YouTube Data API, including AI-based analysis of that data strictly for the purpose of providing the Service.
The Service uses the youtube.force-ssl OAuth scope, which is required to enable comment reply functionality. Actual use of this access is strictly limited to reading channel, video, and comment data, and posting replies exclusively upon explicit action by the Controller. The Processor does not perform automated posting, video modification, comment deletion, or any background actions on the Controller's YouTube account.
For the Processor's own data (user accounts, billing, sessions), the Processor acts as an independent Data Controller, as described in the Privacy Policy.
2. Nature and Purpose of Processing
| Attribute | Detail |
|---|---|
| Nature | Automated collection, storage, AI analysis, and display |
| Purpose | Providing the Tube Responder service (comment management, AI reply suggestions, sentiment analysis) |
| Types of data | Comment text, commenter names, engagement metrics, video metadata |
| Data subjects | Third-party YouTube commenters on the Controller's channel |
| Duration | For the duration of the Controller's subscription plus the data retention period |
3. Controller's Instructions
The documented instructions of the Controller are defined by:
- The Terms of Service
- The functionality of the Service as described in the Privacy Policy and product documentation
- Any additional written instructions provided by the Controller to the Processor
The Processor shall process personal data only on the basis of these documented instructions, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law from doing so.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws, including the GDPR or the Swiss revFADP.
4. Controller's Obligations
The Controller agrees to:
- Ensure there is a valid legal basis for processing YouTube commenter data under applicable law (GDPR, revFADP, or other)
- Comply with YouTube's Terms of Service and API Policies regarding data use
- Respond to data subject requests from their YouTube audience, with the Processor's assistance where required
- Not instruct the Processor to process data in a manner that violates applicable law
- Maintain appropriate privacy notices on their YouTube channel where required by law
5. Processor's Obligations
The Processor agrees to:
- Process data only on documented instructions from the Controller, as defined in Section 3
- Ensure confidentiality — authorize access to data only for personnel who need it and are bound by confidentiality obligations
- Implement appropriate security measures — see Section 7
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection)
- Assist with DPIAs — assist the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities where applicable
- Notify the Controller of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware
- Delete or return data upon termination per Section 10
- Make documentation available, upon reasonable request, to demonstrate compliance with this DPA
6. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Role | Location | Transfer Mechanism | Privacy Policy |
|---|---|---|---|---|
| Google / YouTube API | Data source and publishing | US | Google's API terms / SCCs | Link |
| Groq | AI text processing | US | SCCs | Link |
| Vercel | Hosting infrastructure | US | SCCs | Link |
| MongoDB Atlas | Database hosting | US | SCCs | Link |
| LemonSqueezy | Payments | US | SCCs | Link |
| Brevo | Email delivery | EU/US | SCCs | Link |
The Processor remains fully liable to the Controller for the performance of any sub-processor's obligations under this DPA.
All sub-processors are contractually prohibited from using the data for any purpose other than providing their specific services to the Processor. The Processor's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
The Processor will inform the Controller of any intended changes to the sub-processor list (additions or replacements) with at least 14 days' advance notice. The Controller may object to a new or replacement sub-processor within that 14-day period by contacting contact@tuberesponder.com. If no objection is raised, the change is deemed accepted. If the Controller objects and the parties cannot resolve the issue within a reasonable time, the Controller may terminate the Service without penalty.
7. Security Measures (TOMs)
The Processor implements the following technical and organizational measures, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons:
Technical measures:
- Passwords hashed using bcrypt or equivalent
- OAuth tokens encrypted at rest
- HTTPS/TLS encryption for all data in transit
- Role-based access controls limiting exposure of production data
- Regular dependency updates and security patching
Organizational measures:
- Access to personal data limited to the operator and authorized personnel
- Confidentiality obligations in place for any personnel with data access
- Incident response procedures for data breaches
8. Data Subject Rights Assistance
Upon request, the Processor will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) relating to personal data processed under this DPA.
To initiate a data subject rights request, contact: contact@tuberesponder.com
9. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, the Processor will:
- Notify the Controller without undue delay (and where feasible, within 72 hours)
- Provide information about: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed
- Cooperate with the Controller in meeting any regulatory notification obligations
10. Deletion & Return of Data
Upon termination of the Service, or at the Controller's written request, the Processor shall — at the choice of the Controller — either delete or return all personal data processed under this DPA, unless applicable law requires continued retention.
The Controller may request written confirmation of deletion. Timelines:
- YouTube data is automatically deleted within 7 calendar days of channel disconnection or detection of token invalidity (whether revoked in-app or via Google Account settings)
- All other data is deleted within 30 days of account termination or deletion request
11. Audit Rights
The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections conducted by the Controller or an auditor mandated by the Controller, subject to:
- Reasonable prior written notice
- Confidentiality obligations
- Costs borne by the Controller where the audit is extensive or repetitive
12. International Data Transfers
Where data is transferred outside the EU or Switzerland, the Processor ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs) — EU Commission decision 2021/914
- Swiss equivalents — in accordance with FDPIC guidance under the revFADP
13. Duration & Termination
This DPA is effective for the duration of the Controller's use of the Service. It survives termination to the extent necessary to cover data retained during the applicable retention period. Upon full deletion or return of Controller data per Section 10, this DPA terminates automatically.
14. Governing Law
This DPA is governed by the laws of Switzerland. Disputes shall be subject to the exclusive jurisdiction of the courts of [Canton], Switzerland.
Contact for DPA matters: contact@tuberesponder.com