Data Processing Addendum (DPA) - GDPR
Last updated: 2 November 2025
Provider / Processor: Swavvy AB (org. no. 5590083670)
Parties:
(1) Customer (as defined in the Terms), acting as Controller (and, where Customer is a processor, Customer appoints Swavvy AB as Sub-processor); and
(2) Swavvy AB, org. no. 5590083670, Täppgränd 95, 121 33 Enskededalen, Sweden ("Processor").
This DPA forms part of the Terms of Service (Chatric) (the "Agreement"). Capitalized terms not defined here have the meaning in the Agreement.
1. Subject matter & duration
Processor processes Customer Personal Data solely to provide the Service on Customer's documented instructions for the term of the Agreement and any wind-down/back-up period.
2. Nature & purpose of processing
- Ingestion, storage, transformation, analysis, and activation of Customer Data from sources/destinations configured by Customer.
- Model inference to generate responses to Customer prompts.
- Support & security (incident investigation, telemetry/logs). Processor will not process for its own independent purposes.
3. Types of data & data subjects
- Data subjects: end-users/visitors/customers of Customer; Customer personnel/contractors.
- Personal data: online identifiers, events/engagement data, campaign metadata, order/customer records from commerce systems; prompts/outputs; basic account identifiers (e.g., name, email).
- Special categories: not intended. Customer will not submit special-category data, children's data, payment card numbers, national IDs, or precise geolocation unless agreed in writing with appropriate safeguards.
4. Roles; independent platforms
For Customer-connected data, Processor acts as processor (or sub-processor where Customer is itself a processor). Platforms such as Google (GA4/Ads), Meta, Shopify are typically independent controllers for their services. Processor acts only on Customer's instructions for the data flows Customer initiates to or from those platforms.
5. Processor obligations
Processor shall: (a) process only on documented instructions (this DPA, in-app settings, Customer's written requests); (b) ensure confidentiality and training of personnel; (c) implement appropriate technical and organizational measures ("TOMs") in Annex II; (d) assist Customer with data subject requests, security, DPIAs, and consultations (Arts. 32-36) to the extent relevant; (e) delete or return Customer Personal Data at termination or upon written request, unless law requires retention; (f) maintain records of processing and provide information necessary to demonstrate compliance, including audit rights (Section 10); (g) not train AI models on Customer Personal Data unless Customer opts in in writing; (h) for Google user data obtained via Google APIs, comply with Google's API Services User Data Policy (Limited Use); and for Google Ads API data, restrict processing to read-only operations as exposed by the Service.
6. Sub-processors
- 6.1 Authorization. Customer authorizes Processor to use the sub-processors listed on Processor's Sub-processor Page (as updated from time to time and incorporated by reference into this DPA).
- 6.2 Processor obligations. Processor will: (a) impose data-protection terms no less protective than this DPA; (b) remain liable for sub-processor performance; and (c) provide advance notice of new/replacement sub-processors by updating the Sub-processor Page and, where feasible, via in-app/email at least 30 days in advance.
- 6.3 Objection. Customer may object on reasonable privacy/security grounds. The parties will work in good faith to resolve the objection; failing resolution, Customer may suspend the impacted feature or terminate the relevant Order with a pro-rated refund.
7. International transfers
Primary hosting is in the EEA (GCP europe-west1). Where processing occurs in a third country (e.g., Firebase Authentication or certain AI inference), Processor implements the EU Standard Contractual Clauses (SCCs) (Module 2 and, if applicable, Module 3) and supplementary safeguards. On request, Processor will provide details of transfer mechanisms.
8. Security incidents
Processor will notify Customer without undue delay and in any case within 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Processor will provide available details, take reasonable steps to mitigate, and cooperate with Customer's remediation and notifications.
9. Data subject requests
Where feasible, Processor will enable Customer to address data subject requests (access, rectification, erasure, restriction, portability, objection). If Processor receives a request directly, Processor will promptly forward it to Customer (unless legally prohibited).
10. Audits
Once per 12-month period (and after a breach), Customer may conduct a reasonable audit of Processor's compliance. Processor may satisfy audit requests by providing third-party reports/certifications (e.g., SOC/ISO), security questionnaires, and interviews. On-site audits occur only where necessary, on 30 days' notice, during business hours, and subject to confidentiality and safety requirements.
11. Revocation & deletion assistance
Processor will provide reasonable assistance for revocation of third-party access (e.g., disconnecting Google connections) and will delete tokens and dependent cached data from its systems within a reasonable period after revocation or Customer's written request.
12. Return & deletion
Upon termination/expiry, Processor will (at Customer's choice) return or delete Customer Personal Data and existing copies within a reasonable period (backups purge on rolling cycles). If law prevents deletion, Processor will securely isolate and protect the data.
13. Liability & governing law
Liability is as set out in the Agreement. This DPA is governed by the Agreement's governing law and venue (Sweden / Stockholm).
Annex I - Description of Processing
- Controller: Customer (and/or Customer's clients, where Customer acts as processor).
- Processor: Swavvy AB.
- Processing activities: as set out in Sections 2 and 4 and the Agreement.
- Frequency: continuous during the term.
- Duration: term of the Agreement + retention windows (see Privacy Policy).
- Data transfers: as in Section 7.
- Data subjects & data types: as in Section 3.
- Special categories: not intended.
Annex II - Technical & Organizational Measures (TOMs)
- Governance: security policy; RBAC/least privilege; background-checked staff; controlled onboarding/offboarding.
- Identity & auth: SSO/MFA support; Firebase Auth for sign-in; session cookie HttpOnly/Secure/SameSite; server-side session store; session rotation on privilege change.
- Encryption: TLS 1.2+ in transit; AES-256 (or provider equivalent) at rest; KMS-managed keys for tokens/secrets.
- Application security: secure SDLC; code review; dependency scanning; vulnerability management; periodic penetration tests.
- Network & infra: segmentation; firewalls; hardened images; backups (rolling ~35 days); monitoring/alerting.
- Data minimization & retention: org-configurable transcript retention; default minimization of cached results; redaction where feasible.
- Logging & audit: audit trails for admin actions and data access; immutable logs where feasible; time synchronization.
- Business continuity: redundancy in GCP europe-west1; disaster-recovery runbooks.
- Incident response: documented IR plan; 24×7 alerting; breach notification within 48 hours.
- Vendor risk: sub-processor review; SCCs for transfers; annual re-assessment.
- Sentry controls: PII redaction enforced; no Customer Data payloads in error telemetry.
- AI provider controls: no training by default on Customer Personal Data; prompts/outputs limited to what is necessary for inference; human access only under narrow exceptions (security/abuse/legal).
Annex III - Authorized Sub-processors (as of this DPA)
- Google Cloud Platform (GCP) - hosting, storage, networking - EU (europe-west1).
- Firebase Authentication (Google LLC) - authentication - US/global auth infra (SCCs).
- Sentry (Functional Software, Inc.) - error/performance monitoring - EU residency where available; otherwise US (SCCs; data minimization/redaction).
- OpenAI (GPT-5) - model inference - global (may include US) (SCCs; no training by default).
Annex IV - SCCs
- Module 2 (Controller → Processor) and, where Customer is itself a processor, Module 3 (Processor → Processor).
- The parties complete the SCC annexes by reference to Annexes I-III above.
- Supervisory authority: IMY (Sweden), unless otherwise required by Customer's establishment.
- The Docking clause applies.
The live list at /sub-processors is incorporated by reference and may be updated with 30 days' advance notice where feasible.