
Data Processing Agreement
Last Updated: 25 October 2025
This Data Processing Agreement (“DPA”) is incorporated by reference into the PostWave Terms of Service (“Principal Agreement”) between PostWave (“PostWave”, “Processor”) and the platform user — whether Employer, Community Partner, or Applicant (“User”, “Controller”) — collectively referred to as “Parties”.
1. Roles and Responsibilities
1.1 PostWave acts as Data Processor when processing personal data on behalf of:
- Employers submitting company, job, or billing details.
- Communities providing member and profile information.
- Applicants creating profiles and tracking job interest.
1.2 Each Employer, Community Partner, or Applicant acts as a Data Controller for their own data input and any data collected through their activity on the platform.
1.3 The Parties agree to comply with all applicable laws under the UK GDPR, Data Protection Act 2018, and related regulations.
2. Subject Matter and Duration
2.1 This DPA governs the processing of personal data in connection with PostWave's platform functionality, hosting, credit purchases, payouts, and marketing integrations.
2.2 The DPA remains in effect for the duration of the User’s engagement with PostWave, and continues thereafter for data retained under retention and compliance obligations.
3. Scope and Purpose of Processing
PostWave processes personal data solely for the following lawful purposes:
- Creating, maintaining, and securing user accounts.
- Publishing public profiles for Employers and Communities.
- Facilitating credit purchases, sponsorships, and payouts.
- Sending notifications and transactional communications.
- Tracking referral links, engagement, and campaign metrics.
- Preventing fraud and ensuring compliance with employment and marketing standards.
Processing is conducted under the lawful bases of contract performance (Article 6(1)(b)), legitimate interest (Article 6(1)(f)), or legal obligation (Article 6(1)(c)).
4. Types of Personal Data Processed
Key: Party | Categories of Data | Source | Purpose
- Employers | Name, company name, email, logo, job descriptions, transaction info | Direct input | Job post publishing, billing, promotions
- Communities | Name, logo, community details, size, platform, member interests | Direct input | Promotion listings, payouts
- Applicants | Name, email, image, job click-tracking logs | Direct input and analytics | Job link tracking
- Platform Use | Technical data (IP, browser type, timestamps) | Automated logs | Security, analytics
No special category (sensitive) data is intentionally collected. Any such information provided voluntarily must be pre-authorised and subject to additional safeguards.
5. Sub-Processors
PostWave uses the following authorised third-party subprocessors in accordance with Article 28 UK GDPR.
Key: Service | Role | Processing Location | Purpose
- Webflow | Hosting | EU / US (SCCs in place) | Website and database hosting
- Memberstack | Authentication and account management | EU / US | User login and session management
- Make (Integromat) | Workflow automation | EU / US | Secure data transfer between systems
- Stripe | Payments | EU / US | Credit purchases and billing
- Tremendous | Payout processing | US (SCCs in place) | Community payouts
- Dub | Link tracking | EU / US | Campaign and referral tracking
- Hey | Email | US | Transactional and notification email
- Cloudflare | DNS, security, analytics | Global | DDoS protection and performance
- Notion | Workflow automation and account management | EU / US | Task management and administration
PostWave ensures that each subprocessor provides data protection guarantees under enforceable data protection agreements and Standard Contractual Clauses (where applicable).
6. Security and Confidentiality Measures
6.1 PostWave implements appropriate technical and organizational measures including:
- HTTPS encryption for all traffic.
- Secure, access-controlled databases.
- Two-factor authentication for administration.
- Regular vulnerability assessments and logging.
- Data minimization and retention policies aligned with purpose limitation principles.
6.2 Personnel authorized to process data are bound by confidentiality obligations.
7. Data Subject Rights
Users and their data subjects may request:
- Access to their data.
- Rectification or erasure of inaccurate data.
- Restriction of processing.
- Data portability (where technically feasible).
Requests will be addressed within 30 days unless legal grounds require otherwise.
8. International Transfers
PostWave may transfer data outside the UK only where adequate safeguards exist via:
- Standard Contractual Clauses (2021/914/EU),
- Adequacy determinations by the UK ICO,
- Or user consent where necessary.
9. Data Breach Notification
PostWave shall notify affected Controllers within 48 hours of becoming aware of any unauthorised access, loss, or breach involving Controller Data, including the nature, cause, and remediation steps.
10. Audits and Supervision
PostWave maintains records of data processing activities and will provide summaries upon written request from Controllers or competent authorities. Formal audits may be requested with reasonable notice and cost-sharing.
11. Deletion and Return of Data
Upon termination or written request, PostWave will delete or anonymize all personal data within 90 days, except where retention is required for billing, dispute resolution, or legal obligations.
12. Liability and Indemnification
Each Party’s liability for GDPR breaches under this DPA is limited to the extent of their own acts or omissions. Controllers remain responsible for lawful data collection and consents. Processors are liable only for unjustified deviations from Controller instructions.
13. Contact and Complaints
For data protection queries or breach notifications, email support@postwave.co