Preamble
This Data Processing Agreement (“DPA”) forms part of the agreement between SHAART USA LLC (“Processor”) and the customer signing up for or using our Service (“Controller”). It reflects the parties' obligations under Regulation (EU) 2016/679 (“GDPR”), UK GDPR, and Brazil's LGPD (where applicable).
1. Definitions
- Personal Data: data relating to an identified or identifiable natural person processed under this DPA.
- Processing: any operation performed on Personal Data.
- Data Subject: the identified or identifiable person to whom Personal Data relates.
- Sub-processor: any third-party processor engaged by us to assist in providing the Service.
- Personal Data Breach: a breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Subject matter and duration
This DPA governs our processing of Personal Data on Controller's behalf for the duration of the Service agreement.
3. Nature, purpose, and scope
- Purpose: provide the Service per the agreement.
- Nature: hosting, storing, processing, displaying, and transmitting Personal Data.
- Types of Personal Data: as determined by Controller (typically: names, contact details, business data, message content, lead information).
- Categories of Data Subjects: Controller's end users, leads, customers, employees, contractors.
4. Obligations of SHAART as Processor
- Process Personal Data only on documented instructions from Controller (the Service agreement constitutes such instructions).
- Ensure persons authorized to process are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex II).
- Assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist Controller in ensuring compliance with security, breach notification, DPIA, and consultation obligations.
- Delete or return Personal Data at the end of services (per Controller's choice), unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits.
5. Obligations of Controller
- Ensure a lawful basis exists for the processing.
- Provide all required notices and obtain required consents from Data Subjects.
- Respond directly to Data Subject requests (we will forward any received).
- Ensure data shared with us complies with applicable law.
- Not provide special category data (health, biometric, etc.) without an explicit lawful basis communicated to us in advance.
6. Sub-processors
Controller authorizes us to engage Sub-processors listed at /sub-processors. We:
- Notify Controller at least 30 days before adding or replacing Sub-processors.
- Bind Sub-processors by written agreement with equivalent data protection obligations.
- Remain liable for Sub-processor compliance.
Controller may object to a new Sub-processor within 30 days; if we cannot reasonably accommodate the objection, Controller may terminate the affected portion of the Service.
7. Security measures (Annex II)
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Access controls (RBAC, RLS, audit logs).
- Pseudonymization where feasible.
- Regular vulnerability scanning and patching.
- Penetration testing at least annually.
- Incident response procedures.
- Personnel training on data protection.
- Vendor risk management.
- Documented disaster recovery (RPO ≤ 24h, RTO ≤ 1h for critical services).
8. Personal Data Breach
- We notify Controller without undue delay (within 48 hours) of becoming aware of a Personal Data Breach affecting Controller's data.
- Notification includes: nature of breach, categories and approximate number of Data Subjects, likely consequences, measures taken or proposed.
- We assist Controller in fulfilling its breach notification obligations to supervisory authorities and Data Subjects.
9. International transfers (Annex III)
Where Personal Data is transferred outside the EEA/UK/Switzerland, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller to Processor) by reference, with relevant annexes populated by this DPA and the Sub-processors list.
For UK transfers: the UK International Data Transfer Addendum applies.
For Brazil: equivalent contractual safeguards per LGPD apply.
10. Audits
Controller may audit our compliance with this DPA upon 30 days' written notice, not more than once per year, at Controller's expense, during business hours, without disrupting our operations. We may provide third-party audit reports (e.g., SOC 2) in lieu of on-site audits.
11. Return or deletion
Upon termination of the Service, Controller may export its data within 30 days. After 30 days, we delete Controller data from active systems within an additional 30 days; backups are purged within 90 days. Anonymized/aggregated derivations may be retained.
12. Liability
Liability under this DPA is subject to the limitations of liability in the Service agreement.
13. Governing law
This DPA is governed by the law of the State of Florida, USA (or, where required, the law of the Controller's establishment for EU-related provisions).
14. Order of precedence
In case of conflict between this DPA and the Service agreement on data protection matters, this DPA controls.
15. Signature / acceptance
Acceptance of the Service Terms of Service constitutes acceptance of this DPA on behalf of the Controller. For a counter-signed copy, email legal@shaartusa.com.
Annexes (summary)
- Annex I — Processing details: as described in Sections 2-3 above.
- Annex II — Security measures: as described in Section 7 above.
- Annex III — Sub-processors: see /sub-processors.