Data Processing Addendum — Summary

• You are the data controller for the personal data contained in your backups.
• SafePod Backup acts as data processor, processing personal data on your documented instructions.
• Where SafePod Backup processes account-level data (e.g., billing, account contact), it acts as an independent controller.

• Subject matter: Provision of cloud-based backup, storage, restore, and related support services.
• Duration: For the term of your subscription, plus a short post-termination period for safe deletion.
• Nature & purpose: Storing and retrieving data on your behalf, performing backup verification, and responding to your support requests.
• Categories of data: Whatever you choose to back up, plus account/usage metadata.
• Categories of data subjects: Your employees, customers, and any other individuals whose data you choose to back up.

We maintain technical and organizational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access control with least privilege for our personnel.
• Multi-factor authentication for administrative access.
• Audit logging of administrative actions on customer data.
• Regular vulnerability management and patching.
• Backup verification and integrity checks.
• Incident response procedures and notification commitments.

We use vetted subprocessors to deliver the service. Current subprocessors:

• Amazon Web Services, Inc. — Cloud hosting and storage. Processing region: customer-selected (eu-central-1 Frankfurt, eu-west-1 Dublin, or us-east-1 N. Virginia).
• Stripe, Inc. — Payment processing. Processing region: United States and Ireland.
• ActiveCampaign LLC (Postmark) — Transactional email delivery. Processing region: United States.
• Plausible Insights OÜ — Cookieless website analytics. Processing region: European Union (Estonia / Germany).

We provide at least 30 days' advance notice of new subprocessors and you may object on reasonable grounds.

Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as the EU Standard Contractual Clauses ("SCCs") and the UK Addendum, supplemented by additional measures where required.

We assist you in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing reasonable tools and information. You remain responsible for evaluating and responding to such requests.

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, providing the information you reasonably need to meet your own notification obligations.

We make available the information necessary to demonstrate compliance with our obligations and, where required, allow for and contribute to audits, subject to reasonable confidentiality and security restrictions.

At the end of the agreement, we will, at your choice, return or delete your personal data, except to the extent retention is required by law.

To request the full DPA, including the SCCs and subprocessor list, email admin@safepodbackup.com.