Data Processing Agreement
Last updated: March 22, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Gradefy, operated by Redwood Global Partners LLC, a company registered in the United Arab Emirates, trading as Gradefy ("Processor", "we", "us"), and the entity agreeing to the Terms of Service ("Controller", "you", "your") — collectively "the Parties".
This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in the course of providing the Gradefy review management platform ("the Service"). This DPA is governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR.
By using the Service, you accept this DPA. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Data Subject: the identified or identifiable natural person to whom the Personal Data relates (e.g., reviewers submitting reviews through the Service).
- Processing: any operation performed on Personal Data, as defined in Article 4(2) GDPR.
- Controller: the entity that determines the purposes and means of processing Personal Data (you, the Gradefy customer).
- Processor: the entity that processes Personal Data on behalf of the Controller (Gradefy).
- Sub-processor: a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Supervisory Authority: an independent public authority responsible for monitoring GDPR compliance.
3. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Service: collecting, storing, moderating, displaying, and analyzing customer reviews.
Processing begins when the Controller creates an account and continues until the Controller's account is terminated and all Personal Data is deleted in accordance with Section 11.
4. Categories of Data and Data Subjects
Categories of Data Subjects:
- Reviewers (end users who submit reviews through the Controller's projects)
- Controller's authorized users (team members accessing the dashboard)
Categories of Personal Data:
- Reviewer identifiers: name, email address, profession, company
- Review content: ratings, review text, titles
- Technical data: IP addresses, user agent strings, timestamps
- Account data: name, email address, authentication tokens
- Order references (if provided by the reviewer)
No special category data (Article 9 GDPR) is intentionally collected. The Controller must not configure the Service to collect special category data.
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures as described in Section 8.
- Not engage another processor (sub-processor) without prior written authorization from the Controller, as set out in Section 7.
- Assist the Controller in responding to Data Subject requests (Section 9).
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments).
- Delete or return all Personal Data upon termination, at the Controller's choice (Section 11).
- Make available all information necessary to demonstrate compliance and allow for audits (Section 12).
6. Obligations of the Controller
The Controller shall:
- Ensure there is a lawful basis for processing Personal Data collected through the Service (e.g., legitimate interest, consent).
- Provide clear and transparent privacy notices to Data Subjects (reviewers) before or at the time of data collection.
- Ensure that the use of the Service complies with applicable data protection laws.
- Not instruct the Processor to process Personal Data in violation of GDPR.
- Respond to and resolve Data Subject rights requests, with assistance from the Processor as needed.
7. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 30 days.
If the Controller objects on reasonable data protection grounds and the Processor cannot accommodate the objection, the Controller may terminate the Service.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Infrastructure services | EU |
| Vercel Inc. | Application hosting | US / EU (SCCs in place) |
| Stripe Inc. | Payment processing | US (SCCs in place) |
| Brevo (Sendinblue) | Email delivery | EU |
| Functional Software Inc. | Service monitoring | US (SCCs in place) |
| Google LLC | Authentication | US (SCCs in place) |
This list may be updated from time to time. Changes will be communicated via the email address associated with the Controller's account at least 30 days before the new sub-processor begins processing Personal Data.
8. Technical and Organizational Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Role-based access control and tenant-level data isolation
- Input validation and protection against common web vulnerabilities
- Rate limiting on public-facing endpoints
- Real-time monitoring and alerting
- Audit logging for administrative actions
- Access to production systems limited to authorized personnel
- Confidentiality obligations for all staff with data access
A detailed description of security measures is available upon request to enterprise customers under NDA.
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests under Articles 15–22 GDPR, including:
- Right of access (Article 15): Data export functionality available in the dashboard.
- Right to rectification (Article 16): Controllers can edit reviewer data and review content.
- Right to erasure (Article 17): Controllers can delete individual reviews. Account deletion removes all associated data.
- Right to restriction (Article 18): Reviews can be unpublished/moderated without deletion.
- Right to data portability (Article 20): Data export in machine-readable format (JSON/CSV).
- Right to object (Article 21): Reviews can be removed upon request.
If the Processor receives a Data Subject request directly, it will promptly redirect the request to the relevant Controller unless legally required to respond directly.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Controller's data.
The notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects affected
- Contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
11. Data Deletion and Return
Upon termination of the Service or upon the Controller's written request, the Processor shall:
- Provide the Controller with a complete export of their data in a machine-readable format (JSON or CSV), available for 30 days after termination.
- Delete all Personal Data within 90 days after termination, unless retention is required by EU or Member State law.
- Confirm deletion in writing upon the Controller's request.
Anonymized, aggregated data that cannot be used to identify any Data Subject may be retained for analytics and service improvement purposes.
12. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
Audit requests must be made with at least 30 days' written notice and shall be conducted during normal business hours, no more than once per calendar year (unless required by a Supervisory Authority or following a data breach). The Controller shall bear the reasonable costs of any audit.
13. International Data Transfers
Personal Data is primarily stored in the European Union (Supabase database in Frankfurt, Germany). Where Personal Data is transferred to sub-processors located outside the EEA, the Processor ensures adequate safeguards are in place:
- Standard Contractual Clauses (SCCs): Applied to transfers to US-based sub-processors (Stripe, Sentry, Google) in accordance with Commission Implementing Decision (EU) 2021/914.
- Adequacy decisions: Where applicable, transfers rely on adequacy decisions adopted by the European Commission.
- EU-US Data Privacy Framework: Sub-processors certified under the DPF are recognized where applicable.
The Processor shall inform the Controller if it becomes aware that applicable transfer mechanisms are invalidated by a court or supervisory authority.
14. Liability
Each Party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either Party's liability for breaches of data protection law where such limitation would not be permitted under applicable law.
15. Term and Termination
This DPA takes effect when the Controller accepts the Terms of Service and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Termination of the Service automatically terminates this DPA, subject to Section 11 (Data Deletion and Return).
16. EU Representative
As the Processor is established outside the European Economic Area (EEA), we have appointed an EU representative in accordance with Article 27 GDPR. Our EU representative is based in Finland. For contact details, see Section 18.
17. Governing Law
This DPA is governed by the laws of Finland, without regard to conflict of law principles. Any disputes arising under this DPA shall be resolved by the courts of Helsinki, Finland. This is without prejudice to the rights of Data Subjects under Article 79 GDPR.
18. Contact
For questions regarding this DPA or data protection matters, contact us at: privacy@gradefy.app
This DPA is incorporated into and subject to the Terms of Service. See also our Privacy Policy.