Data Processing Addendum

1.1 Definitions

For the purposes of this DPA:

• "Controller" means you, the Pro plan user, who determines the purposes and means of processing personal data
• "Processor" means SS Doc (SoftSolvez), acting on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data
• "Data Subject" means the individual whose personal data is being processed
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "Services" means SS Doc's document collection and management platform

1.2 Scope

This DPA applies when you use SS Doc Pro services to collect, store, or process personal data through document collections. It does not apply to your own account data, which is covered by our Privacy Policy.

2.1 Processing Authority

SS Doc processes personal data only on your documented instructions as the Controller. These instructions include:

• Configuration of document collection settings
• Access controls and permissions
• Retention and deletion requirements
• Export and data subject access requests

2.2 Prohibited Processing

SS Doc will not process personal data for any purpose other than providing the Services as instructed by you. We will not sell, share, or use personal data for our own commercial purposes.

4.1 Technical Safeguards

SS Doc implements the following technical security measures:

4.2 Organizational Measures

• Staff training on data protection and security
• Regular security assessments and penetration testing
• Incident response and breach notification procedures
• Secure development lifecycle practices
• Business continuity and disaster recovery planning

5.1 Current Sub-processors

SS Doc may engage the following categories of sub-processors:

5.2 Sub-processor Changes

We will provide 30 days' advance notice of any changes to sub-processors. If you object to a new sub-processor, you may terminate your Pro subscription without penalty within the notice period.

8.1 Notification Timeline

In case of a personal data breach, SS Doc will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

8.2 Notification Content

Breach notifications will include:

• Nature and categories of personal data affected
• Approximate number of data subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact information for further details

9.1 Upon Termination

Upon termination of your Pro subscription, we will:

• Provide 30 days to export your data
• Delete all personal data after the export period
• Confirm deletion in writing upon request
• Retain only what's required by law

9.2 Data Deletion Requests

You may request deletion of specific data at any time. We will implement deletions within 30 days unless legally required to retain the data.

10.1 Information Provision

SS Doc will provide information necessary to demonstrate compliance with this DPA, including security certifications, audit reports, and compliance documentation.

10.2 Audit Cooperation

We will reasonably cooperate with audits conducted by you or an independent auditor mandated by you, subject to confidentiality obligations and reasonable advance notice.