
Data processing addendum

Effective 23 April 2026

This Data Processing Addendum ("DPA") forms part of the Agreement between Sodasoft LLC ("Processor") and the Customer ("Controller") who uses AFEND. It applies to all Personal Data processed by Sodasoft LLC on behalf of Customer in connection with the services.

1. Definitions

Capitalized terms have the meaning given in the GDPR (Regulation 2016/679) and the UK GDPR unless otherwise defined here. "Agreement" means the Terms of Service governing the Customer's use of AFEND. "Personal Data" means any information relating to an identified or identifiable natural person processed by Sodasoft LLC on behalf of Customer. "Sub-processor" means any third party engaged by Sodasoft LLC to process Personal Data.

2. Scope and roles

The Customer is the Controller and Sodasoft LLC is the Processor with respect to Customer Personal Data processed in AFEND workspaces. Sodasoft LLC processes Personal Data only on documented instructions from the Customer, namely the Agreement, this DPA, and any configuration the Customer makes within the service.

Where Sodasoft LLC acts as Controller for its own operational purposes (account provisioning, billing, marketing to the account owner on consent), the Privacy Policy at /legal/privacy applies. This DPA is not intended to transform those Controller activities into Processor activities.

3. Subject matter and duration

Subject matter: the processing of Personal Data necessary to provide the AFEND readiness platform to the Customer. Duration: for as long as the Customer has an active workspace, plus the grace period defined in Section 10.

4. Nature of processing, data types, data subjects

Nature and purpose: hosting, rendering, backing up, and making available ISMS content (scope, risks, controls, policies, evidence, audit findings, management review records) to Customer's authorized members. Automated processing is limited to computed readiness metrics and reminder schedules.

Types of Personal Data: work email, display name, role, activity timestamps, content the Customer uploads (which may include Personal Data about their employees, suppliers, or data subjects per the Customer's own processing). Categories of data subjects: Customer's employees, contractors, suppliers, and any individuals mentioned in the Customer's uploaded content.

5. Obligations of the Processor

Sodasoft LLC will: (a) process Personal Data only on documented Customer instructions; (b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational measures aligned with ISO/IEC 27001:2022, including encryption in transit and at rest, tenant isolation enforced by database row-level security (RLS), passwordless magic-link authentication, governance logging, and least-privilege access; (d) assist the Customer in responding to data subject rights requests; (e) notify the Customer of any Personal Data breach without undue delay.

Technical and organizational measures are described in the Privacy Policy, Section 7. Updates that materially weaken security are not permitted without advance notice to the Customer.

6. Sub-processors

The Customer authorizes Sodasoft LLC to engage the following Sub-processors: Supabase Inc. (Postgres database, authentication, object storage, EU region), Vercel Inc. (application hosting and edge delivery), Stripe Inc. (payment processing, Customer billing data only). Each Sub-processor is bound by written terms equivalent to the obligations in this DPA.

Sodasoft LLC will maintain an up-to-date list of Sub-processors. Sodasoft LLC will notify the Customer of additions or replacements at least 30 days in advance via email to the billing contact or an in-product notice. The Customer may object on reasonable data protection grounds; unresolved objections permit the Customer to terminate the affected service.

7. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland (including to Sodasoft LLC in the United States and to other Sub-processors), Sodasoft LLC relies on the European Commission's Standard Contractual Clauses (Module Two, Controller to Processor, Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, supplemented by the security measures described in Section 5. A signed copy is available on request to office@sodasoft.com.

8. Data subject rights assistance

Sodasoft LLC will provide reasonable assistance to the Customer, taking into account the nature of processing and the information available, in fulfilling the Customer's obligations to respond to data subject requests under Articles 15-22 GDPR. Customer can export all workspace data via the Readiness Pack at any time; for requests requiring Sodasoft action beyond self-service, email office@sodasoft.com.

9. Personal data breach notification

Sodasoft LLC will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer's Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address it.

10. Return or deletion on termination

On termination of the Agreement, Sodasoft LLC will, at the Customer's choice, return all Personal Data or delete it, including all copies, within 30 days (the grace period), except where retention is required by Union, Member State, or US law (for example, tax and billing records). Backup media are overwritten on the next regular rotation. Sodasoft LLC will certify deletion in writing on request to office@sodasoft.com.
