Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Customer", acting as data controller) and Serointech VOF ("Incogsurf", acting as data processor) and applies whenever Incogsurf processes personal data on behalf of the Customer in connection with the Service.
Where this DPA conflicts with the Terms of Service, this DPA prevails for processing of personal data. Where this DPA conflicts with Article 28 GDPR or other mandatory law, the mandatory rule prevails.
1. Definitions
Terms used here have the meanings given in Article 4 GDPR: "personal data", "processing", "controller", "processor", "data subject", "personal data breach", "sub-processor".
2. Subject matter, duration, nature and purpose
- Subject matter: Personal data the Customer or its end users upload to or generate through the Service (account data, identity tuples, billing data, audit events).
- Duration: For as long as the Customer's subscription is active, plus the retention periods specified in our Privacy Policy.
- Nature and purpose: Hosting, storage, retrieval, transmission, and other processing necessary to provide the Service per the Terms of Service.
- Categories of data subjects: Customer's end users; identity-tuple subjects (persons whose data the Customer uploads in the course of authorised testing).
- Categories of personal data: Identifiers (email, phone), authentication credentials (hashed), billing addresses, IP addresses, user-agent strings, validation results.
3. Controller and processor
The Customer is the controller of personal data uploaded to or generated through the Service. Incogsurf is the processor and processes personal data only on documented instructions from the Customer.
The Customer's instructions are: (a) the Terms of Service and this DPA; (b) the Customer's configuration in the Service (which features are enabled, which tenants are created); and (c) any further written instructions the Customer provides to Incogsurf, to the extent technically feasible and compatible with applicable law.
Incogsurf will inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection law.
4. Confidentiality
Incogsurf ensures that personnel authorised to process the personal data are bound by confidentiality, whether through contract or statute. Currently the operator and any contracted sub-processor staff are the only personnel with system-level access.
5. Security measures (Article 32 GDPR)
Incogsurf maintains appropriate technical and organisational measures, taking into account the state of the art and the risk to data subjects. Current measures include:
- Encryption in transit: TLS 1.2+ for all client-server traffic, including DNS-over-HTTPS where supported.
- Encryption at rest: Identity tuples are encrypted with per-tenant keys (AES-GCM); deleting the per-tenant key crypto-shreds the rows. Database backups at Supabase use disk-level encryption.
- Authentication: Argon2id password hashing via Supabase Auth. TOTP MFA is required for every account; AAL2 is enforced for all authenticated routes.
- Authorisation: Postgres row-level security policies enforce tenant isolation at the database layer. Service-role keys are scoped to specific Edge Functions and are not used in the renderer.
- Audit logging: Every privileged action writes to the append-only audit_events table with tenant ID, user ID, IP, user-agent, and event metadata.
- Suspension flow: AUP-violating tenants can be suspended; suspension takes effect within ~60 seconds via entitlement-check cache TTL.
- Backups: Daily encrypted database backups, retained 30 days per Supabase configuration.
- Vulnerability management: Dependencies tracked via npm audit and Dependabot; critical patches applied within 7 days.
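The encryption-at-rest measure above relies on two properties: each tenant's rows are sealed under that tenant's own AES-GCM key, and deleting the key renders the stored ciphertext permanently unreadable (crypto-shredding), so erasure obligations can be met without scrubbing every backup. The following Go program is an added illustration of that mechanism and is not Incogsurf's code; it assumes an in-memory map standing in for the real key store (a KMS in practice) and, as an additional assumption beyond what the DPA states, binds the row identifier as GCM associated data so a ciphertext cannot be silently copied to another row. Key material, tenant IDs and the sample email address are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a tenant's key has been deleted (or was
// never provisioned): the ciphertext still exists but is unrecoverable.
var ErrKeyShredded = errors.New("tenant key not present (shredded or never provisioned)")

// TenantKeyStore holds one 256-bit AES key per tenant. Assumption for this
// example: an in-memory map stands in for a KMS or HSM-backed key store.
type TenantKeyStore struct {
	keys map[string][]byte
}

func NewTenantKeyStore() *TenantKeyStore {
	return &TenantKeyStore{keys: make(map[string][]byte)}
}

// Provision generates a fresh random key for a tenant.
func (s *TenantKeyStore) Provision(tenantID string) error {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[tenantID] = k
	return nil
}

// Shred deletes the tenant key. Every row sealed under it, including copies
// in backups, becomes unreadable; this is the crypto-shredding the DPA describes.
func (s *TenantKeyStore) Shred(tenantID string) {
	delete(s.keys, tenantID)
}

// aead builds an AES-GCM cipher for the tenant, or fails if the key is gone.
func (s *TenantKeyStore) aead(tenantID string) (cipher.AEAD, error) {
	k, ok := s.keys[tenantID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRow seals plaintext under the tenant key. The row ID is passed as
// associated data (assumption: the schema exposes a stable row identifier),
// so decryption fails if the ciphertext is moved to a different row.
// Stored layout: nonce || ciphertext || GCM tag.
func (s *TenantKeyStore) EncryptRow(tenantID, rowID string, plaintext []byte) ([]byte, error) {
	g, err := s.aead(tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // 96-bit random nonce per row write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// DecryptRow opens a stored value; it fails on a wrong tenant, a wrong row ID,
// any tampering, or a shredded key.
func (s *TenantKeyStore) DecryptRow(tenantID, rowID string, stored []byte) ([]byte, error) {
	g, err := s.aead(tenantID)
	if err != nil {
		return nil, err
	}
	if len(stored) < g.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:g.NonceSize()], stored[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(rowID))
}

func main() {
	store := NewTenantKeyStore()
	_ = store.Provision("tenant-a")
	ct, _ := store.EncryptRow("tenant-a", "row-1", []byte("alice@example.com")) // constructed sample
	pt, _ := store.DecryptRow("tenant-a", "row-1", ct)
	fmt.Printf("before shred: %s\n", pt)
	store.Shred("tenant-a")
	_, err := store.DecryptRow("tenant-a", "row-1", ct)
	fmt.Printf("after shred: %v\n", err)
}
```

Because the ciphertext is never touched during erasure, the same row can remain in 30-day backups without being recoverable; the control that matters is that the deleted key must not survive in any backup of the key store itself.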
6. Sub-processors
The Customer grants Incogsurf general authorisation to use sub-processors. The complete and current list is published at /legal/subprocessors with role, region, what data flows, and date added for each one.
Incogsurf will inform the Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance via email. The Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the subscription with refund of the unused portion of the current billing period.
Where Incogsurf engages a sub-processor for carrying out specific processing activities on behalf of the Customer, the same data-protection obligations as set out in this DPA are imposed on the sub-processor by contract.
7. Data subject requests
Where a data subject submits a request directly to Incogsurf for the exercise of their GDPR rights (access, rectification, erasure, restriction, portability, objection), Incogsurf will, to the extent legally permitted, forward the request to the Customer and assist the Customer by appropriate technical and organisational measures to respond within the statutory deadlines.
8. Personal data breach notification
Incogsurf notifies the Customer of a confirmed personal data breach without undue delay and in any event within 72 hours of becoming aware of it. The notice includes, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects.
The Customer is responsible for any onward notifications to supervisory authorities (Article 33 GDPR) and to data subjects (Article 34 GDPR) that the controller is required to make.
9. Audits
Incogsurf makes available to the Customer all information necessary to demonstrate compliance with this DPA. The Customer or an independent auditor mandated by the Customer may, on reasonable notice and at the Customer's expense, audit Incogsurf's compliance no more than once per twelve-month period unless an audit is mandated by a supervisory authority or follows a personal data breach.
10. International transfers
Where Incogsurf or a sub-processor transfers personal data outside the EU/EEA, the transfer relies on: (a) an adequacy decision of the European Commission; or (b) appropriate safeguards under Article 46 GDPR, including the EU Commission's standard contractual clauses (Implementing Decision 2021/914) with supplementary measures where necessary; or (c) the EU-US Data Privacy Framework where applicable.
11. Return and deletion of personal data
On termination of the subscription, the Customer may export personal data via the Service for 30 days. After 30 days, Incogsurf deletes the personal data in line with the retention periods stated in the Privacy Policy. Records Incogsurf is required to retain by Union or Member State law (notably 7-year VAT aggregates) are retained for the statutory period and then deleted.
12. Liability
The limitation of liability in the Terms of Service applies to this DPA. Nothing in this DPA limits a data subject's right to compensation under Article 82 GDPR.
13. Term and termination
This DPA enters into force when the Customer accepts the Terms of Service and terminates automatically when the subscription terminates and the retention periods in the Privacy Policy have expired.
14. Signature
Acceptance of the Terms of Service constitutes acceptance of this DPA. No separate signature is required. For B2B customers requiring a counter-signed PDF, email privacy@incogsurf.com with your VAT ID and we will arrange one.
These documents are drafts pending counsel review. Where a clause conflicts with mandatory Dutch consumer law (Burgerlijk Wetboek Book 6 or Book 7) or applicable EU law (GDPR, ePrivacy, DSA), the mandatory rule prevails over the drafted clause. Contact privacy@incogsurf.com to flag any drafting issue.