Data Processing Addendum
Effective Date: March 15, 2026
Table of content
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement ("MSA") between SMYADGT LTD ("Processor") and the Client ("Controller"). This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of GDPR.
1. DEFINITIONS
Controller is the Client; Processor is Solwees (SMYADGT LTD). Data Protection Laws mean the GDPR and applicable EU regulations.
2. PROCESSING & AI IMPROVEMENT
Processor shall process Personal Data only on documented instructions from the Controller.
Processor may use anonymized and aggregated data derived from the Service for the purposes of training and improving its AI models.
Processor guarantees that such data will be processed in a way that it can no longer be attributed to a specific Data Subject or the Controller.
3. CONFIDENTIALITY
Processor ensures that all persons authorized to process Personal Data (employees, contractors) have committed themselves to confidentiality via binding Non-Disclosure Agreements (NDA).
4. SUB-PROCESSORS & NOTICE
Controller authorizes current Sub-processors (AWS, Stripe, Meta).
Processor will notify Controller at least 14 days in advance of any intended changes to Sub-processors via email or dashboard notification.
Controller has 14 days to object on reasonable grounds.
5. DATA SUBJECT RIGHTS (DSR)
Processor shall promptly forward any Data Subject request received directly to the Controller and shall not respond to such requests except on documented instructions from the Controller.
6. BREACH NOTIFICATION
Processor shall notify Controller within 72 hours of becoming aware of a Personal Data Breach affecting Client data.
7. DATA RETURN & DELETION
Upon termination, Processor shall return Personal Data in JSON/CSV format (or other formats upon mutual agreement) via a secure link.
Data will be deleted from active systems within 60 days.
Personal Data will be deleted from backups within 60 days of active system deletion, subject to technical feasibility (e.g., rotation cycles).
8. DATA RETENTION
System logs containing Personal Data are retained for 90 days.
Backups are retained for 30 days.
Retention may be extended if required by law.
9. DPIA ASSISTANCE & AUDITS
Processor shall provide reasonable assistance for Controller's DPIAs and allow for audits conducted by the Controller or mandated auditor, subject to reasonable notice (min 14 days) and confidentiality.
10. TECHNICAL MEASURES (TOMs)
Processor implements: AES-256 encryption at rest, TLS 1.2+ in transit, MFA for admin access, and infrastructure hosted in ISO 27001 / SOC 2 certified EEA data centers.