Data Processing Addendum.
'Controller' means the Customer receiving SmartPluvia services. 'Processor' means SmartPluvia Studio Sp. z o.o. 'Personal Data' means any information relating to an identified or identifiable natural person. Terms not defined here have the meaning given in GDPR Art. 4.
The Processor processes Personal Data only on the Controller's documented instructions, which are expressed through the Controller's use of the Service and this DPA. Categories of Personal Data: contact data (name, email), technical data (IP address, user-agent), project data (site metadata). Categories of data subjects: users of the Controller's account.
This DPA takes effect on acceptance and remains in force for as long as the Controller's account is active. On termination the Processor returns or deletes all Personal Data within 30 days, except where applicable law requires the Processor to retain it.
The Processor implements the technical and organizational measures required by GDPR Art. 32, including encryption at rest (AES-256) and in transit (TLS 1.3), MFA for administrative access, and regular security testing. The full list of measures is in Annex II.
The Controller grants the Processor general authorization to engage the subprocessors listed in Annex III. The Processor gives 30 days' notice of any addition or replacement by email and in the dashboard. The Controller may object within 14 days of the notice; if the objection is not resolved, the Controller may terminate the Service.
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, portability). Standard requests can be fulfilled by the Controller through the self-service tools in Settings; formal requests are sent to the DPO by email and answered within 30 days.
On becoming aware of a personal data breach the Processor notifies the Controller without undue delay and in any case no later than 24 hours after detection. The notice describes the nature of the incident, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate them.
The Controller may audit the Processor's compliance with this DPA once per year, at the Controller's expense and with 30 days' notice. The Processor may satisfy an audit request by providing a current SOC 2 Type II report or an equivalent independent assessment.
Personal Data is transferred outside the EEA only under the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 3, Processor to Processor) or to a jurisdiction covered by an EU adequacy decision. The current list of transfers is in Annex III.
Annex III. Subprocessors and transfers
Current as of the document update date. Changes are notified 30 days in advance by email and in the dashboard.
| Subprocessor | Service | Location | Transfer mechanism and assurance |
|---|---|---|---|
| AWS · Amazon Web Services | Hosting · S3 · RDS | Frankfurt, DE | SCC + ISO 27001 |
| Stripe Payments Europe Ltd | Billing · payment processing | Dublin, IE | SCC + PCI DSS L1 |
| Postmark · ActiveCampaign LLC | Transactional email | Chicago, US | SCC + DPA |
| Sentry · Functional Software | Error monitoring · APM | San Francisco, US | SCC |
| Plausible Analytics OÜ | Anonymized usage analytics | Tallinn, EE | EU only · no PII |
| Cloudflare Inc. | CDN · DDoS protection | San Francisco, US | SCC + ISO 27001 |
Annex II. Technical and organizational measures
| Control area | Measures |
|---|---|
| Encryption | AES-256 at rest · TLS 1.3 in transit · KMS-managed keys |
| Access control | SSO + MFA · RBAC · least privilege · audit log retained 12 months |
| Availability and backup | Multi-AZ · backups 4×/day · 30-day retention · DR drills |
| Network | Private VPC · WAF · DDoS protection · no publicly reachable database |
| Application security | OWASP ASVS L2 · monthly SAST/DAST · annual penetration test |
| Subprocessor management | DPA-signed subprocessors · 30-day change notice · audit |
Ready to sign?
Sign self-service in Settings → Billing → Legal. Account owners sign on behalf of the organization. The counter-signed PDF is available in the same section.