Data Processing Addendum

1. Definitions and roles

Capitalised terms not defined here have the meaning given in the Terms of Service. "Data Protection Law" means the GDPR, the UK GDPR, the ePrivacy Directive, and any other privacy or data-protection law applicable to a party. "Customer Personal Data" means personal data contained in Customer Data that we process on your behalf. For Customer Personal Data, you are the controller (or a processor acting for a third-party controller) and we are your processor (or sub-processor). For the personal data we process as a controller (e.g. account and billing data), the Privacy Policy — not this DPA — governs.

2. Subject matter, duration, nature and purpose

We process Customer Personal Data only to provide and support the Service. The processing comprises hosting, storage, retrieval, indexing, analysis, transmission, display, backup and deletion. It lasts for the term of your subscription plus the post-termination period in Section 9. The types of personal data and categories of data subjects are determined and controlled by you through your use of the Service; you agree not to submit special-category data, criminal-conviction data, or data of children, unless we have agreed otherwise in writing.

3. Your instructions and obligations

We process Customer Personal Data only on your documented instructions, including as to international transfers, unless required to act otherwise by EU or member-state law (in which case we will inform you first, unless that law prohibits it on important public-interest grounds). The Terms, this DPA, and your configuration and use of the Service constitute your complete and final instructions; additional instructions require agreement (and may incur a fee). You warrant that you have a lawful basis for the processing, that you have provided all required notices and obtained all required consents, and that your instructions comply with Data Protection Law.

4. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as needed to provide the Service.

5. Security

We implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, as required by Article 32 GDPR. The current measures are those described in Section 8 of our Privacy Policy (the "Security Measures"), which include encryption in transit and at rest, access controls and least-privilege, environment segregation, vulnerability management, logging and monitoring, and incident-response and disaster-recovery procedures. We may update the Security Measures provided the level of protection is not materially reduced.

6. Sub-processors

You give us general written authorisation to engage sub-processors to process Customer Personal Data. Our current sub-processors are listed at trendskew.com/subprocessors. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will notify you of an intended addition or replacement of a sub-processor at least thirty (30) days in advance and you may object on reasonable, data-protection-related grounds within that period. If you object and we cannot provide a reasonable alternative, you may terminate the affected Subscription and receive a pro-rata refund of unused prepaid Fees.

7. Assistance to you

Taking into account the nature of the processing and the information available to us, we will assist you by appropriate technical and organisational measures, insofar as possible, to:

• respond to requests from data subjects exercising their rights under Data Protection Law (and, where a data subject contacts us directly, we will refer them to you);
• ensure compliance with your obligations regarding security of processing, breach notification, data-protection impact assessments, and prior consultation with a supervisory authority (Articles 32–36 GDPR).

8. Personal-data breach

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and in any event in sufficient time to enable you to meet your own notification obligations under Articles 33 and 34 GDPR. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed, and will be supplemented as further information becomes available. We will cooperate with you and take reasonable steps to mitigate and remediate the breach. Our notification is not an acknowledgement of fault or liability.

9. Return and deletion

On termination or expiry of the Service, we will, at your choice, delete or return all Customer Personal Data, and delete existing copies, unless EU or member-state law requires storage. You may export Customer Data for thirty (30) days after termination. After that window we will delete Customer Personal Data, with deletion (including from routine backups) completed within ninety (90) days of termination unless storage is required by law. This is the single deletion timeline for Customer Personal Data under the Terms, the Privacy Policy and this DPA; personal data we are required to retain as a controller for our own legal obligations (for example billing and tax records, as described in the Privacy Policy) follows the separate statutory retention period that applies to those records.

10. Audits

We will make available to you the information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an independent auditor you mandate. To minimise disruption and protect confidentiality and the security of other customers, we may first satisfy audit requests by providing relevant certifications, third-party audit reports and a completed security questionnaire. Audits are limited to once per twelve (12) months (unless required by a supervisory authority or following a breach), on reasonable prior notice, during business hours, subject to confidentiality, and at your cost.

11. International transfers

Customer Personal Data is processed in the EEA by default. Where we, or a sub-processor, transfer Customer Personal Data outside the EEA, UK or another jurisdiction that restricts transfers, we rely on a valid transfer mechanism, in this order of preference: (i) an adequacy decision (including the EU–US Data Privacy Framework for certified recipients); or (ii) the European Commission's Standard Contractual Clauses (Decision 2021/914), which are incorporated into this DPA by reference and completed as follows — for transfers where you are a controller and we are a processor, Module Two applies; where you are a processor and we are a sub-processor, Module Three applies — together with the UK Addendum / IDTA for UK transfers and supplementary measures consistent with EDPB Recommendations 01/2020. The docking-clause, audit and sub-processor options are completed consistently with this DPA, and the governing law and forum are those of the Terms (or, where the SCCs require an EEA member state, the Republic of Lithuania).

12. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, except that, consistent with Section 13.3 of the Terms, those limits do not apply to, and nothing in this DPA or the Terms limits, any liability that cannot be limited under Data Protection Law, including compensation owed to a data subject under Article 82 GDPR or UK GDPR. Nothing in this Section overrides the liability allocation in the SCCs as between the parties and towards data subjects. In the event of a conflict between this DPA and the rest of the Terms on a data-protection matter, this DPA prevails; in the event of a conflict between this DPA and the SCCs, the SCCs prevail. Except as expressly modified here, the Terms remain in full force.

13. US state privacy laws (service-provider / contractor terms)

To the extent we process personal information on your behalf that is subject to the California Consumer Privacy Act (as amended by the CPRA) or a comparable US state privacy law, we act as your "service provider" or "contractor" (or "processor") and not as a "third party", and the following apply. We will: (i) process the personal information only to perform the Service under the Terms and this DPA, and not for any other purpose; (ii) not sell or share the personal information, and not retain, use or disclose it outside the direct business relationship with you or for any purpose other than the business purposes specified; (iii) not combine it with personal information from other sources except as permitted for a service provider; (iv) comply with the applicable law and provide the same level of privacy protection it requires; and (v) notify you if we determine we can no longer meet these obligations. You may take reasonable and appropriate steps to confirm our use of the personal information is consistent with your obligations, and to stop and remediate unauthorised use. We certify that we understand and will comply with these restrictions.

14. Contact

Questions about this DPA, or requests for a counter-signed copy, can be sent to privacy@trendskew.com.

Annex — Standard Contractual Clauses particulars

Where the SCCs apply under Section 11, the following complete the Annexes to the SCCs.

Annex I.A — Parties

Data exporter: the Customer identified in the Order, acting as controller (or, for Module Three, as processor). Data importer: the operator of TrendSkew identified in the "Service provider" block at the foot of this page, acting as processor (or, for Module Three, as sub-processor). The parties' contact details are those in the Order and at privacy@trendskew.com.

Annex I.B — Description of processing

The subject matter, nature and purpose of the processing, the categories of data subjects and personal data, and the duration are as set out in Sections 2 and 3 of this DPA. The frequency of the transfer is continuous for the term of the subscription. Special categories of data are not transferred (Section 2).

Annex I.C — Competent supervisory authority

The competent supervisory authority is determined by the data exporter under Clause 13 of the SCCs: where you (the exporter) are established in an EEA member state, it is the supervisory authority of that member state; where you are not EEA-established but fall within the territorial scope of the GDPR under Article 3(2), it is the supervisory authority of the member state in which your Article 27 representative is established. For transfers connected with the data importer's own establishment, the competent authority is the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).

Annex II — Technical and organisational measures

The technical and organisational measures the data importer has implemented are the Security Measures described in Section 5 of this DPA and Section 8 of our Privacy Policy.

Annex III — Sub-processors

The list of authorised sub-processors is maintained at trendskew.com/subprocessors, and the controller's authorisation and the notification and objection mechanism are set out in Section 6 of this DPA.