Data Processing Addendum

Last updated: January 24, 2025

Effective Date: January 24, 2025

This Data Processing Addendum (“DPA”) supplements the ShipSilently Terms of Service and governs the processing of personal data by Slewsoft (“Company”, “Processor”, “we”, “us”, or “our”) on behalf of our customers (“Controller”, “you”, “your”).

1. Definitions and Interpretation

1.1 Definitions

For the purposes of this DPA:

  • “Applicable Data Protection Laws” means all laws and regulations relating to the processing of personal data applicable to either party, including GDPR, CCPA, PIPEDA, and other applicable privacy laws.

  • “Controller” means the entity that determines the purposes and means of processing personal data.

  • “Data Subject” means an identified or identifiable natural person to whom personal data relates.

  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

  • “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

  • “Processor” means an entity that processes personal data on behalf of the Controller.

  • “Services” means the ShipSilently platform and related services.

  • “Sub-processor” means any processor engaged by the Processor to process personal data.

1.2 Interpretation

This DPA forms part of the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails.

2. Scope and Applicability

2.1 Scope of Processing

This DPA applies to personal data processed by us in the course of providing the Services to you, where you act as Controller and we act as Processor.

2.2 Data Categories

Personal data we may process includes:

  • Account Data: Names, email addresses, job titles
  • Usage Data: Feature flag configurations, API usage patterns
  • Technical Data: IP addresses, device identifiers, log data
  • Communication Data: Support requests, feedback

2.3 Data Subjects

Data subjects may include:

  • Your employees and contractors
  • Your customers and end users
  • Your business contacts
  • Website visitors (where applicable)

3. Processing Instructions

3.1 Authority to Process

We will process personal data only:

  • On your documented instructions as Controller
  • To provide the Services as described in our Terms of Service
  • To comply with applicable legal obligations
  • As otherwise agreed in writing

3.2 Prohibited Processing

We will not:

  • Process personal data for our own purposes except as permitted by law
  • Sell or share personal data with third parties for their marketing purposes
  • Use personal data to build profiles for advertising purposes
  • Process personal data outside the scope of this DPA without your consent

3.3 Processing Records

We maintain records of processing activities as required by applicable data protection laws.

4. Security Measures

4.1 Technical Safeguards

We implement appropriate technical measures including:

  • Encryption: Data encrypted in transit and at rest
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, secure protocols
  • Data Backup: Regular backups with encryption and integrity checking

4.2 Organizational Measures

We maintain organizational safeguards including:

  • Staff Training: Regular privacy and security training
  • Access Management: Principle of least privilege access
  • Incident Response: Documented procedures for security incidents
  • Vendor Management: Due diligence on third-party providers

4.3 Security Standards

Our security program is designed to meet or exceed industry standards and may include certifications such as:

  • SOC 2 Type II compliance
  • ISO 27001 framework alignment
  • Regular third-party security assessments
  • Penetration testing and vulnerability management

5. Sub-processing

5.1 Authorized Sub-processors

You consent to our engagement of sub-processors for specific processing activities. Current sub-processors include:

Infrastructure Providers:

  • Cloud hosting and data storage services
  • Content delivery networks
  • Monitoring and analytics services

Business Services:

  • Payment processing providers
  • Customer support tools
  • Email and communication services

5.2 Sub-processor Requirements

All sub-processors must:

  • Provide sufficient guarantees of data protection compliance
  • Be bound by data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational measures
  • Submit to regular audits and assessments

5.3 Sub-processor Changes

We will:

  • Maintain a current list of sub-processors
  • Notify you of any intended changes to sub-processors
  • Provide you an opportunity to object to new sub-processors
  • Work with you to resolve objections or find alternatives

6. Data Subject Rights

6.1 Facilitating Rights Requests

We will assist you in responding to data subject requests by:

  • Providing access to personal data in our systems
  • Implementing technical measures to support rights fulfillment
  • Responding to your requests within reasonable timeframes
  • Documenting our assistance and actions taken

6.2 Specific Rights Support

We provide tools and assistance for:

  • Access Requests: Data export and reporting capabilities
  • Rectification: Data correction and update mechanisms
  • Erasure: Data deletion tools and procedures
  • Portability: Data export in structured formats
  • Restriction: Ability to limit processing activities

6.3 Direct Requests

If we receive data subject requests directly, we will:

  • Promptly forward the request to you
  • Not respond directly except as required by law
  • Assist you in formulating an appropriate response
  • Implement your instructions regarding the request

7. Data Transfers

7.1 International Transfers

Personal data may be transferred to and processed in countries outside your jurisdiction, including Canada and the United States.

7.2 Transfer Safeguards

For transfers outside the European Economic Area, we implement appropriate safeguards:

  • Standard Contractual Clauses: EU-approved contractual protections
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Binding Corporate Rules: Where applicable for multinational transfers
  • Additional Measures: Supplementary technical and organizational measures

7.3 Transfer Notifications

We will notify you of:

  • Countries where personal data is processed
  • Legal basis for international transfers
  • Additional safeguards implemented
  • Changes to transfer arrangements

8. Data Retention and Deletion

8.1 Retention Periods

We retain personal data only as long as necessary to:

  • Provide the Services to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements
  • Meet legitimate business needs

8.2 Data Deletion

Upon termination of Services or your request, we will:

  • Delete or anonymize personal data within 30 days
  • Provide confirmation of deletion upon request
  • Retain data only as required by applicable law
  • Ensure sub-processors also delete data

8.3 Backup Data

Personal data in backup systems will be:

  • Deleted according to standard backup retention schedules
  • Not used for any processing activities
  • Subject to the same security measures as primary data
  • Deleted within reasonable timeframes

9. Data Breach Notification

9.1 Incident Response

In the event of a personal data breach, we will:

  • Detect and respond to the incident promptly
  • Contain and mitigate the breach’s impact
  • Investigate the root cause and implement corrective measures
  • Document the incident and response actions

9.2 Notification Timeline

We will notify you of personal data breaches:

  • Without undue delay after becoming aware
  • Within 72 hours where feasible
  • With all information available at the time
  • With updates as the investigation progresses

9.3 Notification Content

Breach notifications will include:

  • Description of the incident and its likely consequences
  • Categories and approximate numbers of affected data subjects
  • Measures taken or proposed to address the breach
  • Contact information for further details
  • Assessment of risk to data subjects

10. Audits and Compliance

10.1 Audit Rights

You have the right to:

  • Conduct audits of our processing activities
  • Review our compliance with this DPA
  • Inspect relevant documentation and procedures
  • Engage third-party auditors (at your expense)

10.2 Audit Procedures

Audits will be conducted:

  • Upon reasonable notice (typically 30 days)
  • During normal business hours
  • With appropriate confidentiality protections
  • In a manner that minimizes operational disruption

10.3 Compliance Reporting

We provide:

  • Annual compliance summaries
  • Security assessment reports
  • Certification and audit reports
  • Incident and breach summaries

11. Liability and Indemnification

11.1 Liability Allocation

Each party is liable for compliance with its obligations under applicable data protection laws and this DPA.

11.2 Processor Liability

As Processor, we are liable for damage caused by processing where we:

  • Have not complied with data protection obligations
  • Have acted outside or contrary to your lawful instructions

11.3 Indemnification

We will indemnify you against third-party claims arising from our breach of this DPA, subject to:

  • Prompt notification of claims
  • Reasonable cooperation in defense
  • Our control over defense and settlement
  • Limitations in our Terms of Service

12. Term and Termination

12.1 DPA Term

This DPA remains in effect for as long as we process personal data on your behalf under the Terms of Service.

12.2 Termination Effects

Upon termination, we will:

  • Return or delete personal data as instructed
  • Cease all processing activities
  • Ensure sub-processors comply with deletion requirements
  • Provide confirmation of compliance

12.3 Survival

Provisions relating to liability, confidentiality, and data protection obligations survive termination for the period required by applicable law.

13. Amendments and Updates

13.1 Amendment Process

This DPA may be amended:

  • To comply with changes in applicable law
  • To reflect changes in our processing activities
  • To address new regulatory guidance
  • By mutual written agreement

13.2 Notification of Changes

We will notify you of material changes through:

  • Email to your account administrators
  • Notices in our service interface
  • Updates to our legal documentation
  • Direct communication for significant changes

14. Contact Information

14.1 Data Protection Inquiries

For questions about this DPA or our data processing practices:

Slewsoft
6D - 7398 Yonge St Unit # 348
Thornhill, ON L4J 8J2
Canada

Email: privacy@slewsoft.com or support@shipsilently.com

14.2 Data Protection Officer

For EU-related data protection matters, contact our data protection representative at the above address.

14.3 Incident Reporting

For data protection incidents:

By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Addendum.

For questions about these terms, please contact us at support@slewsoft.com or support@shipsilently.com.