Data Processing Addendum

GDPR Article 28 Compliant Processor Agreement

This Data Processing Addendum (DPA) is incorporated into our Terms of Service and applies when SolvXYZ processes personal data on behalf of our Business Customers as a Data Processor.

1. Definitions and Scope

Key Definitions
  • "Controller": The customer who determines purposes and means of personal data processing
  • "Processor": SolvXYZ, which processes data on behalf of the Controller
  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on personal data (collection, storage, use, deletion, etc.)
  • "Processing Instructions": Documented specifications for how data should be processed
  • "Sub-processor": Third parties engaged by the Processor to process personal data

Applicability: This DPA applies when our Services involve processing personal data on your behalf as defined by GDPR or similar data protection laws.

2. Scope of Processing

Aspect | Details
Subject Matter | Processing of customer data as part of platform services (user accounts, transactions, communications)
Duration | For the term of the service agreement plus retention period as specified in Privacy Policy
Nature | Storage, organization, analysis, backup, security monitoring, analytics
Purpose | Providing Services, fraud prevention, compliance, account management, analytics
Data Types | Contact info, transaction records, usage data, profile information, communication records
Data Categories | End-user data that you upload or process through our Services

3. Controller's Processing Instructions

We process personal data only according to your documented instructions, including:

  • Processing for the specific services you've contracted for
  • Processing in accordance with your account settings and privacy choices
  • Processing as required by applicable law
  • Processing at your explicit written request

Restriction: We will not process personal data for any purpose not previously authorized or required by law without your explicit written consent.

4. Data Security & Confidentiality

Security Measures

We implement comprehensive technical and organizational security measures:

  • Encryption: End-to-end encryption for data in transit (TLS 1.2+) and at rest (AES-256)
  • Access Control: Role-based access, multi-factor authentication, audit logging
  • Infrastructure: Hosted on ISO 27001 certified servers (Hostinger)
  • Regular Testing: Penetration testing, vulnerability scanning, security audits
  • Backup & Recovery: Redundant backups, disaster recovery plans, 99.99% uptime SLA
  • Data Isolation: Customer data segregated and logically isolated
  • Staff Training: All employees trained on data protection and confidentiality

Confidentiality Obligations

All personnel with access to personal data are bound by confidentiality agreements and data protection obligations.

5. Sub-Processors & Third Parties

We may engage sub-processors (third-party service providers) to assist in processing personal data:

Sub-Processor | Processing Activity | Location | DPA Status
Razorpay | Payment processing | India | ✅ DPA Signed
Stripe | Payment processing | USA | ✅ DPA Signed
Google Analytics | Analytics & usage tracking | USA | ✅ DPA Signed
Hostinger | Cloud hosting & storage | Lithuania (EU) | ✅ DPA Signed

Sub-Processor Updates: We notify Controllers of any changes to sub-processors at least 30 days in advance. Controllers have the right to object on reasonable grounds.

6. Your Rights as a Controller

You have the right to:

  • Inspect our processing facilities and security measures (upon request)
  • Audit our compliance with this DPA and applicable law
  • Request assistance with fulfilling data subject rights requests
  • Obtain information about data processing activities
  • Require compliance with any additional security measures as specified in writing
  • Terminate sub-processor relationships if you object on reasonable grounds

7. Assistance with Data Subject Requests

We assist you in responding to requests from data subjects exercising their rights under GDPR and similar laws:

  • Access Requests: Provide extracts of personal data within 15 business days
  • Deletion Requests: Securely delete data upon instruction within 30 days
  • Correction Requests: Update or correct inaccurate data within 10 days
  • Portability Requests: Provide data in machine-readable format within 20 days
  • Restriction Requests: Limit processing as instructed

Response Time: We will respond to your requests within 5 business days. For complex requests, we may take up to 30 days.

8. Data Breach Notification

In case of a data breach involving personal data we process on your behalf:

  • Timeline: We will notify you within 24 hours of discovering a breach
  • Method: Notification via email to your registered account contacts
  • Information: Nature of breach, affected data, likely impact, remediation steps
  • Cooperation: We will cooperate fully in breach investigation and regulatory reporting

9. International Data Transfers

Where we transfer personal data outside the EEA, we use:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy Decisions where applicable
  • Binding Corporate Rules if applicable

For transfers to the USA, we comply with all applicable data transfer frameworks and conduct Transfer Impact Assessments as required.

10. Termination & Data Deletion

Upon Termination

When your service agreement ends, we will:

  • Stop processing personal data (except as required by law)
  • Return or securely delete all personal data within 30 days
  • Provide certification of deletion upon request
  • Delete data from all backups within 90 days

Data Export

You may request a complete export of your data in machine-readable format at any time during your agreement term.

11. Liability & Indemnification

We are liable for damages caused by:

  • Processing data contrary to this DPA or your instructions
  • Unauthorized access to or disclosure of personal data
  • Failure to implement adequate security measures
  • Breaches of confidentiality obligations

Limitation: Our total liability is capped at the fees paid for the affected service in the 12 months preceding the claim.

12. DPA Questions & Support

DPA Inquiries

For questions about this DPA or data processing:
Email: contact@solvxyz.com
Subject: DPA Question
Response Time: Within 2 business days
