Data Processing Agreement
Last updated: April 2026 · Sugra Systems, Inc. · Delaware, USA
This Data Processing Agreement ("DPA") forms part of and supplements the Sugra Terms of Service between Sugra Systems, Inc. ("Sugra", the "Processor") and the Subscriber ("Customer", the "Controller"). This DPA applies where, and to the extent that, Sugra processes Personal Data (as defined below) on behalf of the Customer in its provision of the Service. Capitalized terms used but not defined here have the meanings given in the Terms of Service or in applicable Data Protection Law.
1. Scope and Application
This DPA applies to the processing of Personal Data by Sugra as a Processor acting on behalf of the Customer as Controller, in connection with the Customer's use of the Service. Where the Customer is subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, or an analogous data protection law (collectively, "Data Protection Law"), this DPA governs the parties' respective obligations under such law with respect to such processing.
Where Sugra processes Personal Data as a Controller in its own right, including user account information of the Customer's authorized personnel, such processing is governed by the Sugra Privacy Policy and not by this DPA.
2. Subject Matter
The subject matter of the processing is the provision of the Service to the Customer in accordance with the Terms of Service. This includes the operation of the API, authentication, rate limiting, usage metering, billing, customer support, and related technical and administrative activities.
3. Nature and Purpose of Processing
Sugra processes Personal Data for the following purposes:
- Authenticating API requests and associating them with the Customer's subscription.
- Enforcing rate limits and subscription quotas.
- Maintaining technical logs necessary for security, fraud prevention, debugging, and service operation.
- Managing billing and subscription lifecycle events.
- Providing customer support in response to Customer inquiries.
Sugra does not inspect, analyze, or derive insights from the content of the Customer's API requests or responses beyond what is necessary for the above purposes.
4. Categories of Data Subjects and Personal Data
Categories of Data Subjects. The Customer and its authorized personnel who access the Service, and, to the extent the Customer transmits such data through API request headers, metadata, or parameters, the Customer's own end users or customers.
Categories of Personal Data. Typical categories include:
- Identification data: name, business email address, account identifier.
- Authentication data: hashed credentials, API keys, OAuth tokens.
- Technical data: IP address, user-agent, request metadata, timestamps.
- Usage data: aggregated counts of API requests per subscription.
- Billing data: billing address, Stripe customer identifier, and the type and last four digits of the payment method (Sugra does not receive or store full payment card data).
Special categories. The Service is not designed to process special categories of Personal Data (as defined in Article 9 of the GDPR), and the Customer shall not transmit such data through the Service.
5. Processor Obligations
Sugra shall:
- Process Personal Data only on documented instructions from the Customer. The Terms of Service, this DPA, and any subsequent written instructions from the Customer constitute the Customer's documented instructions.
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Section 8.
- Assist the Customer, to the extent reasonably possible and taking into account the nature of the processing, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Law.
- Assist the Customer, taking into account the nature of processing and the information available to Sugra, in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
- At the Customer's choice, delete or return all Personal Data to the Customer after the end of the provision of the Service, except to the extent that retention is required by applicable law.
- Make available to the Customer the information necessary to demonstrate compliance with this DPA.
6. Sub-processors
The Customer authorizes Sugra to engage the sub-processors listed below in the provision of the Service. Each sub-processor processes Personal Data strictly for the purpose of providing the functions described.
- Microsoft Corporation (Microsoft Azure) - provision of cloud infrastructure, including compute, storage, database, and managed cache services. Primary processing region: East US (United States).
- Stripe, Inc. - payment processing, subscription management, and related billing functions. Stripe operates under its published Data Processing Addendum, available at stripe.com/legal/dpa, which includes the European Commission's Standard Contractual Clauses. Global operations, U.S. headquarters.
- Resend, Inc. - transmission of transactional email (account verification, password reset, billing notifications, and other service-related messages). Global operations, U.S. headquarters.
Changes to sub-processors. Sugra will notify the Customer at least thirty (30) days in advance of any intended addition or replacement of a sub-processor that processes Personal Data. The Customer may object in writing to such change on reasonable grounds relating to the sub-processor's ability to comply with Data Protection Law. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service on reasonable notice.
Sub-processor obligations. Sugra shall enter into a written agreement with each sub-processor imposing data protection obligations substantially similar to those set forth in this DPA, and shall remain liable for the acts and omissions of its sub-processors as if they were its own.
7. International Transfers
Sugra is established in the United States and its principal processing operations occur in the United States. Where the Customer's use of the Service results in the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States or to a third country not recognized as providing an adequate level of protection:
- The parties incorporate by reference the European Commission's Standard Contractual Clauses, Module Two (Controller to Processor), as set out in Commission Implementing Decision (EU) 2021/914, with Sugra acting as "data importer" and the Customer acting as "data exporter", for EU transfers.
- The UK International Data Transfer Addendum to the Standard Contractual Clauses applies with respect to transfers from the United Kingdom.
- The parties select optional clauses consistent with the nature of the Service: Clause 7 (Docking Clause) not applied; Clause 9 (Use of sub-processors) - Option 2 (General written authorization) with thirty (30) days' prior notice; Clause 11 (Redress) optional language not applied; Clause 17 (Governing law) - law of the Republic of Ireland; Clause 18 (Choice of forum) - courts of Ireland.
- Where a sub-processor operates its own data transfer mechanism (for example, Stripe's published DPA), that mechanism flows through and applies to the corresponding processing.
The Customer's instruction to Sugra to provide the Service outside the Customer's jurisdiction constitutes the Customer's authorization for such transfers.
8. Security Measures
Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, Sugra implements technical and organizational measures appropriate to the risk. Current measures include, without limitation:
- Encryption of Personal Data in transit over public networks using TLS 1.2 or higher.
- Encryption of Personal Data at rest where supported by the underlying storage service.
- Role-based access controls for personnel accessing production systems; principle of least privilege.
- Authentication controls for administrative access, including multi-factor authentication where supported.
- Network segmentation between public-facing and internal infrastructure, including private endpoints for shared datastores.
- Logging of administrative and security-relevant events.
- Regular application of security patches to operating systems and dependencies.
- Periodic review of user access rights.
- Documented incident response procedures.
Sugra may update these measures from time to time provided that the overall level of protection is not materially reduced.
9. Personal Data Breach Notification
Sugra shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. Such notification shall include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Sugra shall reasonably cooperate with the Customer in the investigation, remediation, and, where applicable, notification of the breach to supervisory authorities and affected Data Subjects.
10. Audit Rights
Upon reasonable written request, and no more than once per twelve (12) month period except where required by a supervisory authority or following a Personal Data Breach, Sugra shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This may take the form of written responses, policy summaries, third-party attestations, or audit reports commissioned by Sugra.
Where the foregoing does not satisfy the Customer's reasonable audit needs, the Customer may conduct or commission an audit on reasonable prior written notice, during regular business hours, by a mutually agreed independent auditor bound by appropriate confidentiality obligations. The auditor may not access the Personal Data of any other Sugra customer. The Customer shall bear the costs of such audit unless the audit reveals material non-compliance attributable to Sugra.
11. Term and Termination
This DPA applies for the duration of the Terms of Service. Upon termination of the Service, Sugra shall delete or return Personal Data in accordance with Section 5, except to the extent that applicable law requires continued storage. Obligations that by their nature survive termination (including confidentiality and the defense of pre-termination claims) shall survive.
12. Miscellaneous
Governing law; dispute resolution. Except where Data Protection Law or the Standard Contractual Clauses require otherwise, this DPA is governed by and construed in accordance with the law of the State of Delaware, and disputes are resolved in accordance with the dispute resolution provisions of the Terms of Service.
Precedence. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails. The Standard Contractual Clauses, where applicable, prevail over this DPA.
Amendment. This DPA may be amended from time to time, including to reflect changes in applicable Data Protection Law or in Sugra's sub-processing arrangements. Material changes will be communicated as described in the Terms of Service.
Contact. Data protection inquiries: privacy@sugra.systems. Legal inquiries: legal@sugra.systems.