Annex 1 - Details of Processing

Areto Labs utilizes the following third-party entities (each, a “sub-processor”) to process personal data on behalf of Areto Labs customers and in accordance with contract terms between Areto Labs and the sub-processor. These agreements uphold Areto Labs' commitments as outlined in the Areto Labs Data Processing Addendum.

Compliance and Security:

Areto Labs conducts annual compliance reviews of its sub-processors.
For any sub-processor engagement involving cross-border data transfers, Areto Labs performs Transfer Impact Assessments as required by applicable data protection laws.
Areto Labs imposes obligations on its sub-processors to implement appropriate technical and organizational measures to ensure personal data is protected to the standards required by applicable data protection laws.

Transparency and Access:

Further information regarding sub-processor security measures can be found via the external links provided below.
For each sub-processor listed, personal data will be processed for the duration of the customer's use of the applicable service(s), and for the retention periods specified in the customer's agreement with Areto Labs and any product documentation.

Data Processing Details:

The Processor (Areto) shall process the following Personal Data of the following categories of Data Subjects for the following purposes and duration:

Subject Matter and Duration: The Processor will process Personal Data for the purpose of providing social media content moderation, community guideline enforcement, and analytics services. The duration of the processing will be co-terminus with the term of the service agreement between the Controller and the Processor.
Nature and Purpose: The Processor will process Personal Data for the following purposes:

Identifying and removing spam, scams, illegal streaming content, and other forms of harmful or inappropriate content posted on the Controller's social media channels.
Enforcing the Controller's community guidelines.
Analyzing online sentiment and user behavior to provide the Controller with actionable insights for improving audience engagement and growth.
Generating reports and analytics on moderation activities, content performance, and community health.
Providing multilingual analysis of social media content.
Scoring sentiment expressed in social media content.

Types of Personal Data and Categories of Data Subjects: The Processor will process the following types of Personal Data:

User-generated content: Text, images, videos, comments, and other content posted by users on the Controller's social media channels. This may include personal data if users include it in their posts (e.g., names, usernames, profile pictures, opinions).
User profile data: Publicly available information from user profiles on social media platforms (e.g., usernames, profile pictures, bio information, number of followers). Note: The extent of profile data available depends on the platform and user privacy settings.
Metadata: Data associated with user-generated content, such as timestamps, location data (if enabled by the user), device information, and IP addresses (to the extent permitted by applicable laws and platform policies).
Interaction data: Data related to user interactions with content, such as likes, shares, comments, and reactions.
Controller-provided data: Any data provided by the Controller to Areto necessary for the service, such as lists of keywords to flag, community guidelines, or internal user data for context (if applicable and legally permissible).

The categories of Data Subjects are:

Users of the Controller's social media channels.

Controller's Obligations and Rights: The Controller is responsible for providing clear instructions regarding the types of content to be moderated and the community guidelines to be enforced. The Controller has the right to access reports and analytics generated by the Processor and to conduct reasonable audits of the Processor's processing activities to ensure compliance with this Agreement and applicable data protection laws. The Controller is responsible for ensuring they have the appropriate legal basis for processing user data from their social media channels.

  
  
  Data Sharing Overview
  



  Data Sharing Overview

  
    
      System
      Data Shared
      Vendor
      Location
    

      Application hosting and data processing
      All sensitive data including names, email
      Google Cloud
      1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA
    

      Email delivery
      Names and email addresses
      Squarespace
      225 Varick Street, 12th Floor, New York, NY 10014, USA
    

      Email delivery
      Data submitted by customers to Areto Labs employees may be processed by Google
      Google Workspace
      1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
    

      Email delivery
      User names and email addresses
      SendGrid
      375 Beale Street, Suite 300, San Francisco, CA 94105, USA
    

      Customer Relationship
      Company names, email addresses of admins and business contacts
      Freshsales
      Neue Grünstraße 17, 10179 Berlin, Germany, +49 305 884 9246
    

      Customer Invoicing
      Company name, billing information, business contact names
      Strategic Management Force
      #102 Kirpatrick Cres, Leduc AB T9E0W2 Canada, cwagner@strategicmforce.com, www.strategicmforce.com
    

      Project Management
      Company names, admin names, screenshots of error screens that may contain user names
      Shortcut
      110 Fifth Avenue, Fifth Floor, New York, NY 10011, USA
    

      Messaging
      Personal Data from the customer’s end users may be processed if provided in customer support communications
      Slack Technologies, LLC
      415 Mission Street, San Francisco, USA
    

      Logging
      Processes any information sent for debugging purposes
      Honeycomb
      548 Market Street, San Francisco, California 94104, USA
    