Data Processing Addendum (DPA)

1. Definitions

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means SMB EDGE, which processes Personal Data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Personal Data" means any information relating to a Data Subject.
• "Sub-processor" means a third party engaged by the Processor to process Personal Data. See our Subprocessors page for a current list.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only to the extent necessary to provide the shepi platform services as described in the Terms of Service, and in accordance with the Controller's documented instructions.

3. Processor Obligations

• Process Personal Data only on documented instructions from the Controller.
• Ensure that persons authorized to process Personal Data have committed to confidentiality.
• Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security assessments.
• Not engage another processor (sub-processor) without prior written authorization of the Controller. The current list of approved sub-processors is maintained at shepi.ai/subprocessors.
• Assist the Controller in responding to requests from Data Subjects exercising their rights.
• Delete or return all Personal Data at the end of the service relationship, at the Controller's choice.
• Make available to the Controller all information necessary to demonstrate compliance with these obligations.

4. Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling obligations to respond to Data Subject requests including access, rectification, erasure, restriction, portability, and objection.

5. International Data Transfers

Where Personal Data is transferred outside the United Kingdom or the European Economic Area, the Processor shall ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) as approved by the relevant authorities, or other lawful transfer mechanisms.

6. Data Retention and Deletion

The Processor shall retain Personal Data only for as long as necessary to fulfill the purposes of processing. Upon termination of the agreement or upon the Controller's request, the Processor shall securely delete or return all Personal Data within 30 days, unless retention is required by applicable law.

7. Audit Rights

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with reasonable notice. Audit requests should be directed to privacy@shepi.ai.

8. UK GDPR Specific Provisions

For processing subject to the UK General Data Protection Regulation (UK GDPR), this DPA incorporates the International Data Transfer Addendum to the EU Standard Contractual Clauses as issued by the UK Information Commissioner's Office (ICO). The Processor commits to cooperating with the ICO and honoring the rights of UK Data Subjects.

9. Canadian PIPEDA Specific Provisions

For processing subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Processor shall ensure that Personal Data of Canadian residents is handled in accordance with PIPEDA's ten fair information principles, including accountability, consent, limiting collection, limiting use, and safeguards. The Processor shall notify the Controller of any breach of security safeguards involving Personal Data of Canadian residents as required under PIPEDA.

10. Contact Information

To execute this DPA or for any questions regarding data processing, please contact us at privacy@shepi.ai.