Data Processing Agreement

Last updated: September 11, 2025

This Data Processing Agreement ("DPA") is entered into by and between the Customer ("Controller") and Suparse ("Processor") and is incorporated into and governed by the Suparse Terms of Service ("Agreement").

This DPA applies to the extent that Processor processes Personal Data on behalf of the Controller in the course of providing the Service.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  • "Data Protection Law" means all applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any national implementing laws, regulations, and secondary legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is contained within User Data and processed by Processor on behalf of Controller.
  • "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" shall have the meanings given to them in the GDPR.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data in connection with the Service.

2. Processing of Personal Data

2.1. Roles of the Parties: The parties acknowledge that for the purposes of this DPA, the Controller is the data controller and the Processor is the data processor of the Personal Data.

2.2. Controller’s Instructions: Processor shall only process Personal Data on behalf of and in accordance with Controller's documented instructions, which include the Agreement, this DPA, and the Controller's use of the Service. Processor shall immediately inform Controller if, in its opinion, an instruction infringes Data Protection Law.

2.3. Details of Processing: The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set forth in Exhibit A to this DPA.

3. Processor’s Obligations

3.1. Confidentiality: Processor shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2. Security: Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Exhibit B. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

3.3. Sub-processing:

  a) Controller provides a general written authorization for Processor to engage Sub-processors to support the provision of the Service. The current list of Sub-processors is available in Exhibit C.
  b) Processor shall provide Controller with at least 30 days' prior written notice of any intended changes concerning the addition or replacement of Sub-processors.
  c) Controller may object to a new Sub-processor by notifying Processor in writing within fifteen (15) days of the notice. If Controller objects, the parties will discuss the objection in good faith. If the objection cannot be resolved, Controller may terminate the portion of the Service provided by the new Sub-processor.
  d) Processor shall ensure that any Sub-processor it engages is bound by a written agreement containing data protection obligations no less protective than those in this DPA. Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

3.4. Data Subject Rights: Taking into account the nature of the Processing, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law. If Processor receives a request directly from a Data Subject, it shall promptly forward the request to the Controller.

3.5. Personal Data Breach: Processor shall notify Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach. The notification shall include information required by Data Protection Law to enable Controller to meet its own breach notification obligations.

3.6. Data Protection Impact Assessments: Taking into account the nature of the Processing and the information available, Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with Supervisory Authorities, as required under Data Protection Law.

4. Controller’s Obligations

Controller represents and warrants that:

  a) It shall comply with its obligations as a data controller under Data Protection Law.
  b) It has a valid legal basis for the Processing of Personal Data as described in this DPA.
  c) Its documented instructions to the Processor for the Processing of Personal Data shall comply with Data Protection Law.

5. Audits

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with its obligations under this DPA. Upon reasonable request, Processor will provide information on data processing activities, security measures, and compliance procedures for audits conducted by the qualified auditor mandated by the Controller. Any such audit shall be subject to reasonable written notice (at least 30 days), limited to once per year, conducted remotely during business hours, at Controller's expense, so as not to disrupt Processor's business operations, and subject to Processor's confidentiality obligations.

6. International Data Transfers

6.1. Mechanism: The parties agree that where the transfer of Personal Data from the Controller to the Processor is a transfer to a country outside the European Economic Area (EEA), the UK, or Switzerland not recognized as providing an adequate level of protection, such transfers shall be governed by the SCCs.

6.2. Application of SCCs:

  a) For transfers subject to the GDPR, the SCCs will apply, completed as follows: Module Two (Controller to Processor) will apply; Clause 7 (Docking Clause) will not apply; in Clause 9, Option 2 will apply and the time period for notice of Sub-processor changes is set out in Clause 3.3 of this DPA; in Clause 11, the optional language will not apply; in Clause 17, the governing law shall be the law of the Republic of Poland; in Clause 18(b), disputes shall be resolved by the courts of Warsaw, Poland.
  b) For transfers subject to the UK GDPR, the SCCs will apply as amended by the UK Addendum.
  c) For transfers subject to the Swiss Federal Act on Data Protection, the SCCs will apply with modifications necessary to comply with Swiss law.

6.3. Annexes of the SCCs: The details required by Annex I and II of the SCCs are set forth in Exhibit A and Exhibit B of this DPA, respectively.

7. Deletion of Personal Data

Upon termination of the Agreement, or upon Controller's written request, Processor shall delete all Personal Data in its possession or control in accordance with the data retention policy set out in the Agreement. Processor shall delete such data within 30 days unless applicable law requires storage of the Personal Data.

8. General

8.1. Liability: The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

8.2. Precedence: In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter of data protection. In the event of a conflict between this DPA and any applicable SCCs, the SCCs shall prevail.

8.3. Governing Law: This DPA and any disputes arising from it shall be governed by the laws of the Republic of Poland.


Exhibit A: Details of Processing

This Exhibit forms part of the DPA and serves as Annex I to the SCCs.

A. LIST OF PARTIES

Data Exporter (Controller):

  • Name: The Customer as defined in the Suparse Terms of Service.
  • Address: The Customer's address as provided during account registration.
  • Contact Person: The contact details provided by the Customer in their account.
  • Activities: Using the Suparse Service to process documents for data extraction.
  • Role: Controller.

Data Importer (Processor):

  • Name: Suparse
  • Contact Information: support@suparse.com
  • Activities: Provision of the Suparse data extraction service as per the Agreement.
  • Role: Processor.

B. DESCRIPTION OF TRANSFER

  • Categories of Data Subjects: Employees, customers, vendors, clients, and other business partners of the Controller whose Personal Data is contained within the documents uploaded to the Service.
  • Categories of Personal Data: The Controller may submit any Personal Data to the Service, the extent of which is determined and controlled by the Controller. This may include, but is not limited to: names, contact details, financial information, bank account details, addresses, identification numbers, and any other data present in invoices, bank statements, receipts, or other documents.
  • Special Categories of Data (if applicable): The Service is not designed to process special categories of data. Controller agrees not to upload documents known to contain special categories of data (as defined in Article 9 of the GDPR) unless it is strictly necessary and a valid legal basis exists.
  • Nature of the Processing: Processing operations include storing, hosting, parsing, and using automated AI/OCR technology to extract structured data from user-submitted digital documents.
  • Purpose of the Processing: To provide the data extraction service as described in the Agreement.
  • Frequency of Transfer: Continuous, on an as-needed basis determined by the Controller's use of the Service.
  • Period for which Personal Data will be Retained: As per Clause 6 of the Agreement, Personal Data will be retained for a maximum of 30 days unless deleted earlier by the Controller.
  • Transfers to Sub-processors: The subject matter and nature of processing by Sub-processors are detailed in Exhibit C.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the Polish Personal Data Protection Office (UODO), unless otherwise required by Data Protection Law based on the Controller's place of establishment.


Exhibit B: Technical and Organizational Security Measures

This Exhibit forms part of the DPA and serves as Annex II to the SCCs.

Processor implements and maintains the following technical and organizational measures:

  1. Encryption:

    • In Transit: All data transmitted between the Controller and the Service, and between internal services, is encrypted using industry-standard TLS 1.2 or higher.
    • At Rest: All User Data, including source files and extracted data, is encrypted at rest using AES-256 or a comparable standard.
  2. Access Control:

    • Access to systems containing Personal Data is restricted to authorized personnel on a "need-to-know" basis.
    • Strong password policies are enforced for all personnel with access to production environments.
    • User authentication is managed by Supabase Auth, which uses secure password hashing.
  3. Data Minimization & Retention:

    • We process only the data necessary to provide the Service.
    • Our data retention policy (30-day automatic deletion) ensures that Personal Data is not stored longer than necessary.
  4. Resilience and Availability:

    • Our infrastructure is hosted on Google Cloud Platform, providing high availability and redundancy.
    • Regular backups of database and system configurations are performed to ensure timely restoration in case of an incident.
  5. Logging and Monitoring:

    • Access to production systems is logged and monitored to detect and respond to security incidents.
    • A formal incident response plan is in place to address any Personal Data Breaches.
  6. Physical Security:

    • Our cloud infrastructure providers (Google Cloud Platform) are responsible for the physical security of data centers, which are certified to meet industry-standard security requirements (e.g., ISO 27001, SOC 2).
  7. Personnel Security:

    • All employees and contractors undergo background checks and are required to sign confidentiality agreements.
    • Regular security and data protection training is provided to all personnel.

Exhibit C: Sub-Processor List

This Exhibit forms part of the DPA.

Each entry lists the Sub-processor, the service provided (purpose), and the country of processing.

  • Google Cloud Platform: Core infrastructure hosting, secure file storage (GCS), and document processing. Country of Processing: USA.
  • Supabase, Inc.: Database hosting for user accounts and extracted data; user authentication and identity management. Country of Processing: USA.
  • Paddle.com Market Ltd.: Payment processing, subscription management, invoicing, and tax handling (Merchant of Record). Country of Processing: UK / Ireland.