Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Master Services Agreement ("MSA") between saTekk ("Processor") and the client ("Controller") and applies whenever saTekk processes personal data on the Controller's behalf in connection with the Services.

This page provides our standard DPA template for review. The executed version attached to each engagement is the legally binding instrument.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR (EU 2016/679), the UK GDPR, the CCPA/CPRA, or the MSA.

2. Scope and roles

Controller determines the purpose and means of processing. Processor acts only on Controller's documented instructions. The categories of data subjects, types of personal data, and processing purposes are described in Schedule 1 of the executed DPA.

3. Processor obligations

• Process personal data only on Controller's documented instructions.
• Ensure personnel processing personal data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Schedule 2).
• Assist Controller with data subject requests, DPIAs, and breach notifications.
• Delete or return personal data at the end of the engagement.
• Make available all information necessary to demonstrate compliance.

4. Subprocessors

Controller provides general written authorization for Processor to engage subprocessors, subject to the conditions in this Section. The current list is published at satekk.com/subprocessors.

Processor will notify Controller of any new subprocessor at least 30 days in advance and will impose contractual obligations equivalent to those in this DPA.

5. International data transfers

For transfers outside the EEA or UK, the parties agree to the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and, where applicable, the UK International Data Transfer Addendum, both incorporated by reference.

6. Security

Schedule 2 of the executed DPA sets out the security measures, which include encryption in transit and at rest, role-based access controls, secret management, regular dependency and vulnerability scanning, audit logging, incident response procedures, and employee security training.

7. Personal data breach

Processor will notify Controller without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach affecting Controller's data, and will assist Controller in fulfilling its breach-notification obligations.

8. Audits

Once per year (or more frequently following a breach or regulatory request), Controller may audit Processor's compliance, on reasonable notice and at Controller's expense. Processor may satisfy audit requirements by providing third-party attestations (e.g., SOC 2, ISO 27001) where available.

9. Term and termination

This DPA is effective from the start of the engagement and continues until all personal data has been deleted or returned in accordance with the MSA.

10. AI-specific terms

• AI model outputs are probabilistic and may contain errors. Controller is responsible for downstream validation and acceptance.
• Processor will not submit Controller personal data to AI model providers that retain or train on inputs without Controller's written authorization.
• Processor will assist Controller in meeting transparency obligations under the EU AI Act, including disclosure of AI use to end-users (Article 50).

How to execute

To request a counter-signed DPA, email legal@satekk.com with the legal entity name, signatory contact, and applicable engagement reference.