Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer who agrees to be bound in the Terms of Use or Enterprise Agreement between  

(“Customer”) and Suade Inc. (“Provider”). This DPA applies to Customer Data processed by Provider on Customer’s behalf in connection with the Services.

1. Definitions 

1.1 “Agreement” means the Enterprise Agreement or Terms of Use or other agreement governing Customer’s use of the Services.

1.2 “Customer Data” means personal data submitted to the Services by or on behalf of Customer, including personal data accessed via Customer-authorized integrations.

1.3 “Data Protection Laws” means applicable privacy and data protection laws and regulations that apply to the processing of Customer Data.

1.4 “Subprocessor” means a third party engaged by Provider to process Customer Data on Provider’s behalf.

2. Roles and Scope

2.1 Controller and Processor. Customer is the Controller of Customer Data and determines the purposes and means of processing. Provider is a Processor of Customer Data and will process Customer Data only on Customer’s documented instructions as set out in this DPA, the Agreement, and Customer’s configuration and use of the Services.

2.2 Provider as independent Controller. Provider is an independent Controller (not a Processor) for: (a) account registration and administration; (b) billing and payments; (c) security logs, fraud and abuse prevention; and (d) Provider’s corporate compliance obligations. Provider may also use aggregated or de-identified data for service improvement, analytics, and benchmarking.

2.3 Customer responsibility. Customer represents that it has the right to provide Customer Data to Provider and, where required, has provided required notices and obtained necessary consents for Customer’s use of the Services (including for any integrations or ingestion of message content).

3. Provider Obligations

Provider will:

3.1 Process on instructions. Process Customer Data only to provide, secure, and maintain the Services and to provide support.

3.2 Confidentiality. Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.

3.3 Security. Implement appropriate technical and organizational measures to protect Customer Data (Schedule 2).

3.4 Assistance. Provide commercially reasonable assistance to Customer for responding to data subject requests relating to Customer Data, taking into account the nature of processing and the information available to Provider.

3.5 Breach notice. Notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data and provide information reasonably necessary for Customer’s compliance obligations as it becomes available.

4. Subprocessors

4.1 General authorization. Customer provides general authorization for Provider to use Subprocessors. Provider will impose written obligations on Subprocessors that are no less protective than this DPA.

4.2 Updates and objection. Provider will maintain a list of Subprocessors (Schedule 1) and will provide notice of material changes (e.g., by email or in-product notice). If Customer reasonably objects on data protection grounds and the parties cannot resolve the objection, Customer may terminate the affected Services and receive a pro-rated refund of prepaid fees for the terminated portion (if any).

5. International Transfers

If Customer Data is transferred from the EEA and UK and Switzerland to a country without an adequacy decision, the parties will rely on an applicable transfer mechanism such as Standard Contractual Clauses and, where applicable, the UK Addendum. Provider will make the mechanism available upon request.

6. Deletion and Return 

Upon termination of the Services, Provider will delete or return Customer Data within a reasonable period, unless retention is required by law or for security and backup purposes. Residual copies may persist in backups for limited periods and will be protected and deleted in accordance with Provider’s backup cycles.

7. Audit

Customer may request information reasonably necessary to demonstrate compliance with this DPA. No more than once per year, Customer may perform an audit on reasonable notice, subject to confidentiality and minimal disruption. Provider may satisfy audit requests by providing standard security documentation and, if available, a current independent security report.

8. Liability and Precedence

This DPA does not expand either party’s liability beyond the limitations in the Agreement (except where prohibited by law). If there is a conflict between this DPA and the Agreement regarding Customer Data processing, this DPA controls.

Schedule 1, Subprocessors

Provider may use the following categories of Subprocessors to deliver the Services (actual vendors may vary by region and configuration): 

• Cloud hosting and infrastructure providers

• Integration providers (only as enabled by Customer)

• Customer support tooling

• Analytics and performance monitoring providers (configured to minimize personal data)

• Payment processors (for Provider-controlled billing data)

Schedule 2, Security Measures

• Least privilege access controls and MFA for privileged access

• Encryption in transit (TLS) and encryption at rest for production systems where feasible

• Security logging and monitoring for critical systems

• Vulnerability management and risk-based patching

• Incident response process for investigation and remediation

• Data minimization and tenant segregation controls appropriate to the Services

Schedule 3, Processing Details

• Subject matter: provision of the Services.

• Duration: term of the Agreement and limited post-termination retention as described in Section 6.

• Nature and purpose: hosting, storing, retrieving, transmitting (as configured), and otherwise processing Customer Data to provide the Services.

• Types of personal data: contact details; communications metadata; message content and attachments (if enabled); workflow and deal data; user activity within the Services.

• Categories of data subjects: This includes Customer users, Customer contacts, prospects, counterparties, and other individuals whose data Customer submits.