Data Processing Agreement
This Data Processing Agreement (“Agreement”) is entered into by and between:
Data Controller:
___________ [Insert Full Legal Name]
___________ [Insert Address]
___________ [Insert Email]
Data Processor:
SimpleT d.o.o.
Marka Mutaja 47, Koritna 31403, Croatia
Email: support@simpletranslate.io
Collectively, “the Parties”. This Agreement supplements any existing commercial or service agreement (“Principal Agreement”) and is executed to ensure compliance with Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
1. Definitions and Interpretation
Unless otherwise stated, capitalized terms shall have the meanings assigned in the GDPR:
- “Customer Personal Data” means any Personal Data processed by the Processor on behalf of the Customer in connection with the Principal Agreement.
- “Data Protection Laws” means GDPR and applicable national data privacy laws.
- “Services” means the translation, prompt generation, configuration, and AI SaaS tools provided via SimpleT’s platform.
- “Subprocessor” means any third party appointed by or on behalf of the Processor to process Customer Personal Data.
- “Standard Contractual Clauses (SCCs)” refers to the European Commission’s 2021/914 standard contractual clauses for international data transfers (Module Two, where applicable).
2. Subject Matter and Duration
- 2.1 This Agreement governs the Processing of Customer Personal Data in connection with the Services provided by the Processor on behalf of the Customer.
- 2.2 This Agreement remains in force for the duration of the Principal Agreement and for so long as the Processor retains Customer Personal Data for the purposes of providing the Services; the Processor’s deletion and confidentiality obligations survive until such data is deleted or returned in accordance with this Agreement.
3. Nature and Purpose of Processing
- 3.1 The nature of the Processing includes collection, storage, organization, retrieval, translation, analysis, and structured delivery of metadata and configuration inputs on behalf of the Customer.
- 3.2 The purpose of the Processing is to provide, operate, support, and secure SimpleT’s Salesforce translation and AI productivity Services for the Customer. No other purpose applies unless agreed in writing by the Parties.
4. Types of Personal Data and Data Subjects
4.1 Categories of Personal Data:
- Identifiers (name, email, company, login IP).
- Usage logs and telemetry.
- Configuration metadata (from Salesforce environments).
- Support communications (content of tickets/chats/emails strictly related to the Services).
4.2 Categories of Data Subjects:
- Direct Service Users: Customer’s authorized users of the Services and Customer’s commercial/billing and support contacts.
- Contained in Customer Content (SimpleT AI Components): Individuals whose personal data is included in Customer’s Salesforce records/files (e.g., Leads, Contacts, customers/partners including Experience Cloud users, vendors/suppliers, email correspondents).
- SimpleTranslate Note: Processing typically concerns metadata (e.g., object/field labels, validation messages) and does not ordinarily include personal data, except where provided by Customer (e.g., in support materials).
- Exclusion: The Services are not intended to process Special Categories of Personal Data or children’s data unless expressly agreed in writing by the Parties.
5. Obligations of the Processor
The Processor shall:
- Process Customer Personal Data only on documented instructions from the Customer.
- Not engage Subprocessors without the Customer’s prior written authorization.
- Implement appropriate technical and organizational measures under Article 32 GDPR.
- Ensure that persons authorized to process the data are subject to confidentiality obligations.
- Cooperate with the Customer in handling data subject requests or supervisory authority inquiries.
6. Confidentiality
- 6.1 The Processor shall ensure the confidentiality of the Customer Personal Data and shall not disclose it to third parties unless required by law or approved in writing by the Controller.
- 6.2 This duty shall survive termination of this Agreement.
7. Security Measures
The Processor shall implement and maintain security measures that include, at a minimum:
- Data encryption in transit and at rest.
- Access control (RBAC).
- Audit logs and monitoring tools.
- Regular penetration testing and patch management.
Security practices must align with ISO 27001 and GDPR Article 32.
8. Data Subject Rights
8.1 The Processor shall implement appropriate measures to assist the Controller in responding to data subjects’ requests under GDPR Articles 12–23, including:
- Access, rectification, erasure, portability, and objection.
- Ensuring no direct response to a data subject unless legally required or instructed by the Controller.
8.2 The Processor shall immediately notify the Controller upon receipt of any such request or complaint.
9. Personal Data Breach Notification
- 9.1 The Processor shall notify the Controller without undue delay and in any event within 36 hours of becoming aware of any Personal Data Breach affecting Customer Personal Data.
- 9.2 The notification must include:
  - A description of the nature of the breach, including categories and approximate number of affected data subjects and records.
  - Likely consequences of the breach.
  - Measures taken or proposed to address the breach and mitigate its effects.
  - A point of contact for further information.
- 9.3 The Processor shall:
  - Cooperate fully with the Controller in investigating and mitigating the breach.
  - Not notify any third party, including affected data subjects or supervisory authorities, unless directed to do so by the Controller or where such notification is legally required; in that case, the Processor shall promptly inform the Controller unless prohibited by law.
10. Data Protection Impact Assessments & Prior Consultation
- 10.1 Upon request, the Processor shall provide reasonable assistance to the Controller in:
  - Conducting Data Protection Impact Assessments (DPIAs).
  - Engaging in prior consultations with supervisory authorities where required under GDPR Articles 35 and 36.
- 10.2 Such assistance shall relate only to processing activities carried out by the Processor on behalf of the Controller and shall include relevant documentation, risk evaluations, and proposed mitigation measures.
11. Return or Deletion of Data
- 11.1 Upon termination or expiry of the Principal Agreement, or upon written request by the Controller, the Processor shall within ten (10) business days:
  - Return all Customer Personal Data in a structured, commonly used, machine-readable format; or
  - Delete all Customer Personal Data and certify such deletion in writing.
- 11.2 Exceptions to deletion may apply where:
  - Retention is required by applicable law (in which case the Processor shall notify the Controller).
  - Data must be preserved for ongoing legal proceedings.
12. Subprocessing
12.1 The Processor shall not engage any Subprocessor to process Customer Personal Data without prior written consent from the Controller.
12.2 Where Subprocessors are authorized:
- The Processor shall ensure a written agreement is in place imposing the same data protection obligations as under this DPA.
- The Processor remains fully liable for the acts or omissions of any Subprocessor.
12.3 The current list of approved Subprocessors includes:
- OpenAI (USA)
- Anthropic
- Microsoft AI
- Stripe (USA)
- Google Cloud (EU)
- AWS Translate
- DeepL
- Sentry (EU/USA)
- MongoDB
The Processor will provide at least 30 days’ prior notice of any intended additions or replacements, and the Controller may object on reasonable privacy or security grounds. If the Parties cannot resolve an objection, the Controller may suspend or terminate the affected Services (with a pro-rata refund of prepaid, unused fees).
13. International Data Transfers
- 13.1 The Processor shall not transfer Customer Personal Data outside the European Economic Area (EEA) unless:
  - The destination country ensures an adequate level of protection (as determined by the European Commission); or
  - Appropriate safeguards under GDPR Chapter V are implemented (e.g., Standard Contractual Clauses (SCCs) or binding corporate rules).
- 13.2 The Processor shall provide copies of the applicable transfer mechanisms upon request and assist the Controller in demonstrating lawful transfer arrangements.
14. Audit Rights
14.1 Upon at least ten (10) business days’ prior written notice, the Controller may conduct an audit or inspection of the Processor’s facilities and systems (or engage an independent third-party auditor bound by confidentiality) to verify compliance with this Agreement.
14.2 The Processor shall:
- Make available all information necessary to demonstrate compliance.
- Cooperate fully during audits.
- Address identified compliance gaps in a timely manner.
14.3 Routine audits may be conducted once per calendar year, unless:
- There is a significant data incident.
- Required by a competent authority.
- Material changes are made to the Processor’s operations or Subprocessors.
15. Governing Law and Jurisdiction
- 15.1 This Agreement shall be governed by and construed in accordance with the laws of the Republic of Croatia.
- 15.2 Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Osijek-Baranja County, without prejudice to either Party’s right to seek urgent injunctive relief elsewhere if necessary.
- 15.3 For international data transfers governed by the EU Standard Contractual Clauses, the provisions on governing law and jurisdiction in Clauses 17 and 18 of the SCCs shall apply and prevail for those transfers.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be duly executed:
For: _______________________________ (Controller)
Signature: __________________________
Name: _____________________________
Title: ______________________________
Date: ______________________________
For SimpleT d.o.o. (Processor):
Signature: __________________________
Name: Matej Brnadic
Title: Director (Managing Director)
Date: _____________________________
