Data Processing Addendum (DPA)
Our contractual commitments for processing of Customer Personal Data.
Last updated: 2025-08-18
1. Parties and Scope
This DPA forms part of the master agreement or Terms of Service between Customer (the “Controller”) and Appklet (the “Processor”) and governs Processor’s Processing of Customer Personal Data on behalf of Customer in connection with the Services.
2. Roles and Responsibilities
- Customer acts as “Controller” (or equivalent under applicable law).
- Appklet acts as “Processor” (or “Service Provider” under CCPA/CPRA).
- Each party will comply with its respective obligations under applicable Data Protection Laws (e.g., GDPR, UK GDPR, CCPA/CPRA, LGPD, PDPA, PIPEDA).
3. Processing Instructions
Processor will Process Customer Personal Data solely (i) to provide and improve the Services; (ii) per documented, lawful instructions from Customer; and (iii) as required by applicable law (in which case Processor will inform Customer unless prohibited).
4. Confidentiality
Processor ensures persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations.
5. Security
Processor implements appropriate technical and organizational measures to protect Customer Personal Data, including encryption in transit and at rest where applicable, access controls, least-privilege, monitoring, vulnerability management, and regular security reviews. Details may be provided upon request subject to confidentiality.
6. Sub-processors
Customer authorizes Processor to engage Sub-processors to support the Services. Processor will impose data protection obligations on Sub-processors consistent with this DPA and remains responsible for their performance. Current Sub-processors (illustrative, subject to change):
- AWS (Infrastructure/Hosting, primary region as disclosed in our Privacy Policy)
- Cloudflare (Security/CDN)
- Analytics and email providers as disclosed in the Privacy Policy
Processor will provide reasonable notice of material Sub-processor changes; Customer may object on reasonable, documented grounds relating to data protection.
7. International Data Transfers
Where Processor or its Sub-processors transfer Customer Personal Data internationally, Processor will ensure appropriate safeguards (e.g., EU SCCs, UK IDTA/Addendum, adequacy decisions) are in place.
8. Data Subject Requests
Taking into account the nature of Processing, Processor will provide reasonable assistance to Customer in responding to requests from data subjects (access, rectification, deletion, restriction, portability, objection) as required by law.
9. Cooperation and DPIAs
Processor will provide reasonable assistance for Customer’s data protection impact assessments (DPIAs) and consultations with supervisory authorities as required, limited to information available to Processor.
10. Breach Notification
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and provide information reasonably required for Customer to meet its legal obligations.
11. Deletion or Return
Upon termination or expiry of the Services, Processor will delete or return Customer Personal Data (at Customer’s choice), unless retention is required by law. Backup copies will be securely deleted in line with standard retention cycles.
12. Audits
Upon reasonable prior written notice, Processor will make available information necessary to demonstrate compliance with this DPA and, where required by law, allow for audits (no more than once annually) conducted by Customer or an independent auditor, subject to confidentiality, scheduling, and reasonable time/materials fees.
13. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding Processing of Customer Personal Data.
14. Definitions
Capitalized terms not defined herein have the meanings given in the Agreement or under applicable Data Protection Laws (e.g., GDPR Art. 4).