Data protection
GDPR & DPA
How Somemind AI supports customers' GDPR responsibilities and governs processing performed on their behalf.
- Updated
- 30 June 2026
- DPA version
- 2.0
Somemind AI is designed with GDPR principles and safeguards in mind. Compliance depends on the service, the Customer's configuration and instructions, and each party fulfilling its own legal duties; no product can make a customer automatically compliant.
1. Roles
Punasaari Research is controller for its own account administration, billing, security, support and product operations. The Customer is normally controller for personal data contained in its social media content, media, team workflows and connected accounts. Punasaari Research acts as processor for that Customer data when it processes it solely to provide the contracted service.
2. Data Processing Agreement
Workspace owners must accept the DPA during workspace creation. The recorded acceptance identifies the user, workspace, DPA version and time. The DPA applies when Punasaari Research processes personal data on the Customer's documented instructions under GDPR Article 28.
The processing details are:
| Subject and duration | Providing Somemind AI for the subscription term and documented deletion/return period. |
|---|---|
| Nature and purpose | Hosting, organizing, generating, scheduling, publishing, securing and analyzing customer-directed social media content. |
| Data subjects | Customer users, team members, contacts or audience members whose information the Customer lawfully includes in content or permitted platform data. |
| Data types | Identifiers, contact details, roles, content, media, brand context, social account identifiers, tokens and permitted performance data. |
3. Processor commitments
- Process Customer personal data only on documented instructions, unless Union or Member State law requires otherwise.
- Ensure persons authorized to process data are bound by confidentiality.
- Maintain measures appropriate to risk under Article 32.
- Use sub-processors under equivalent data-protection obligations and provide information needed for lawful authorization and objection processes.
- Assist, taking into account the nature of processing, with data-subject requests, security, breach assessment, DPIAs and supervisory consultation.
- Delete or return Customer personal data at the end of services, subject to applicable law and backup rotation.
- Provide information reasonably necessary to demonstrate Article 28 compliance and support proportionate audits.
4. Customer commitments
- Have a lawful basis and provide required notices for all personal data submitted or connected.
- Issue lawful, documented instructions and avoid uploading unnecessary or special-category data.
- Configure roles, approvals, automation and connected platforms appropriately.
- Review AI output before publication and respond to data-subject requests concerning Customer-controlled content.
- Comply with the connected platform's terms and have authority over connected Facebook Pages, professional Instagram accounts and TikTok accounts.
5. Technical and organizational measures
| Area | Measures |
|---|---|
| Identity and access | Supabase sessions, workspace membership and role checks, protected admin sessions and optional provider sign-in. |
| Isolation | Workspace-scoped authorization and database row-level controls for tenant data. |
| Encryption | HTTPS in transit; AES-256-GCM for stored social access tokens; signed storage access. |
| Abuse prevention | Rate limits, input validation, audit events, webhook signature checks and least-privilege service paths. |
| Resilience | Managed infrastructure, provider monitoring, graceful failure handling and controlled backup rotation. |
| Lifecycle | Account disconnection, token revocation handling, deletion requests and legal-retention controls. |
6. Sub-processors and transfers
| Provider | Purpose |
|---|---|
| Supabase | Database and authentication |
| Vercel | Application hosting and delivery |
| Cloudflare | Media storage and delivery |
| Stripe | Subscription and payment processing |
| Resend | Transactional email |
| Google Gemini | AI-assisted text processing |
| FAL | AI-assisted image and video generation |
| Meta Platforms | Authorized Facebook and Instagram connectivity and publishing |
| TikTok | Authorized TikTok connectivity, account signals and publishing |
Actual processing locations depend on provider configuration and service routing. Transfers outside the EEA must rely on a valid GDPR mechanism, such as an adequacy decision or Standard Contractual Clauses, plus supplementary measures where appropriate.
7. Incident and breach support
We maintain procedures to assess security events. Where we act as processor and become aware of a personal data breach affecting Customer data, we notify the Customer without undue delay and provide available information needed for the Customer's Articles 33 and 34 duties. Where Punasaari Research is controller, it assesses notification to the competent authority within the applicable 72-hour period and communication to affected people where required.
8. Rights, deletion and contact
Individuals can exercise GDPR rights as described in the Privacy Policy. Workspace owners can use in-product controls or contact info@punasaariresearch.fi. Meta connection and deletion instructions are at /datadeletion.
Customers needing a signed DPA copy, sub-processor information or a reasonable security review should contact the same address.