Data Processing Agreement (DPA)
Effective Date: March 20, 2026
1. Purposes of Data Processing
TubeForge (hereinafter the "Data Processor") processes personal data on behalf of users (hereinafter the "Data Controller") for the following purposes:
- Providing a SaaS platform for YouTube content creation
- User authentication and account management
- AI content generation (thumbnails, text, metadata)
- Payment processing and subscription management
- YouTube channel analytics and data visualization
- Sending transactional email notifications
- Improving service quality and resolving technical issues
Data processing is carried out solely in accordance with the Data Controller's instructions and in compliance with this Agreement, the Terms of Service, and TubeForge's Privacy Policy.
2. Types of Personal Data
The Processor processes the following categories of personal data:
| Category | Data | Legal Basis |
|---|---|---|
| Identification | Name, email, profile photo, Google ID | Contract performance |
| Payment | Stripe Customer ID, transaction history, subscription plan | Contract performance |
| Content | Projects, thumbnails, metadata, text | Contract performance |
| Technical | IP address, User-Agent, session data | Legitimate interest |
| Analytics | Platform activity, page views | Consent |
| YouTube | Channel statistics, video metrics | Consent |
The Processor does not process special categories of personal data (race, health, biometrics, etc.).
3. Sub-processors
The Processor engages the following sub-processors for personal data processing:
| Sub-processor | Purpose | Location | Data |
|---|---|---|---|
| Stripe, Inc. | Payment processing | US / EU | Payment data, email |
| Google LLC | OAuth authentication, YouTube API | US / EU | Name, email, YouTube data |
| OpenAI, Inc. | AI content generation | US | Project content (no personal data) |
| Resend, Inc. | Email notification delivery | US | Email address, message content |
| OVHcloud | Server and database hosting | EU (France) | All platform data |
Each sub-processor is bound by contractual obligations ensuring a level of data protection no less than that provided by this Agreement. We will notify you of any changes to the sub-processor list at least 30 days in advance.
4. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of use + 30 days after deletion | Contract performance |
| Content and projects | Duration of use + 30 days after deletion | Contract performance |
| Payment records | Up to 7 years after transaction | Legal requirement |
| Analytics data | Up to 26 months | Consent |
| Security logs | Up to 12 months | Legitimate interest |
| Backups | Up to 90 days | Legitimate interest |
Upon expiration of these retention periods, data is automatically deleted or anonymized.
5. Technical and Organizational Security Measures
The Processor implements the following measures to ensure the security of personal data:
Technical measures:
- Data encryption in transit (TLS 1.3) and at rest (AES-256)
- OAuth 2.0 authentication (no passwords stored)
- Protection against CSRF, XSS, and SQL injection attacks
- Firewall and IP-based access restrictions
- Automated backups
- API rate limiting
- VPN for internal communications (WireGuard)
Organizational measures:
- Principle of least privilege
- Regular security and dependency audits
- 24/7 infrastructure monitoring
- Security incident response procedures
- Staff training on data protection
6. Data Subject Rights
The Processor assists the Controller in ensuring the following data subject rights in accordance with GDPR:
- Right of access (Art. 15 GDPR) — provision of a copy of personal data
- Right to rectification (Art. 16 GDPR) — correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — deletion of personal data
- Right to restriction (Art. 18 GDPR) — restriction of processing
- Right to data portability (Art. 20 GDPR) — export of data in a machine-readable format
- Right to object (Art. 21 GDPR) — objection to processing
The Processor commits to responding to data subject requests within 30 days and assisting the Controller in fulfilling its obligations.
7. Incident Notification
In the event of a security incident affecting personal data, the Processor commits to:
- Notify the Controller within 72 hours of discovering the incident
- Provide a description of the incident, affected data categories, and approximate number of data subjects
- Describe potential consequences and measures taken to mitigate them
- Cooperate with the Controller in notifying the supervisory authority
8. Right to Audit
The Controller has the right to audit compliance with this Agreement. The Processor commits to providing the necessary information and access for conducting an audit, subject to at least 30 days' prior notice.
9. Contact Information
For all questions related to data processing and this Agreement:
Email: dpa@tubeforge.co
Data Protection Officer: privacy@tubeforge.co