Data Processing Agreement
This Data Processing Agreement ("DPA") applies where you use Superjolt to process personal data for which you are the controller (for example, personal data inside the VMs and content you run). It forms part of our Terms of Service and reflects the requirements of Article 28 of the UK and EU GDPR. In it, "we"/"processor" means Superjolt Limited and "you"/"controller" means the customer.
1. Roles
You are the controller of the personal data you process through the Service; we are your processor. For account-level data whose purposes we determine, we are the controller — that's covered by our Privacy Policy, not this DPA.
2. Subject-matter, duration, nature and purpose
We process personal data only to provide the Service to you, for the duration of your use of it. The nature of the processing is the hosting, storage, transmission, and computation you direct through VMs, storage, email, and related primitives.
3. Types of data and data subjects
The categories of personal data and data subjects are determined by you, through what you choose to run and store. We don't inspect the contents of your VMs, so you control the scope.
4. Our obligations
- Process personal data only on your documented instructions, including for international transfers, unless required by law (in which case we'll tell you where permitted).
- Ensure people authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see section 6).
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
- Delete or return personal data at the end of the Service, as described in section 8.
- Make available the information needed to demonstrate compliance and allow for reasonable audits (section 9).
5. Subprocessors
You authorise us to engage subprocessors to help provide the Service. A current list of our subprocessors is available to customers on request to [email protected]. We impose data-protection obligations on them no less protective than this DPA, remain responsible for their performance, and will give notice of changes so you can object.
6. Security
We maintain measures appropriate to the risk, including encryption of sensitive fields at rest (AES-256-GCM), tenant and network isolation between customers, access controls, and audit logging. Details are in our Security Policy and Privacy Policy.
7. Personal data breaches
In accordance with Article 33(2) of the UK and EU GDPR, we will notify you without undue delay after becoming aware of a personal data breach affecting your data. Our notification will include, to the extent available to us, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take. We will provide reasonable assistance so you can meet your own obligations — including notifying your supervisory authority within 72 hours where required (Article 33(1)) and affected data subjects where required (Article 34).
8. Deletion and return
On termination, and on your request, we'll delete or return your personal data, subject to the retention windows in our Privacy Policy and any legal retention requirements. Deleting your account destroys your VMs and removes your tenant data; backups are disposed of on their normal lifecycle.
9. Audits
We'll make available information necessary to demonstrate compliance with this DPA and contribute to audits conducted by you or an auditor you mandate, on reasonable notice and subject to confidentiality, in a way that doesn't compromise other customers' security.
10. International transfers
Where we transfer your personal data outside the UK/EEA, we rely on appropriate safeguards (UK IDTA / EU Standard Contractual Clauses or an adequacy decision), as described in our Privacy Policy.
Requesting a countersigned DPA
If your organisation needs a signed copy of this DPA, email [email protected] and we'll arrange it.