Data processing addendum

1. Parties

This addendum is entered into between:

2. Scope and roles

This addendum applies whenever SmarTest processes personal data on behalf of the Controller in connection with the Service. The Controller determines the purposes and means; the Processor acts on documented instructions. The Terms of Service and Privacy Policy form the background instructions, supplemented by any written communication from the Controller's authorised representatives.

3. Subject matter of processing

4. Sub-processors

The Controller grants general authorisation to the Processor to engage the sub-processors listed in the privacy policy, section 5. The current list is:

• Google Cloud, application database (Firestore), authentication (Firebase Auth), and generation (Vertex AI, Gemini 2.5 Pro), EU primary with US secondary for inference.
• Vercel, web hosting, EU with global edge.
• Sentry, error reporting, EU (planned, not yet active).
• Resend, transactional email, EU and US (planned, not yet active).
• Stripe, payments, EU and US (planned, not yet active).

The Processor will give the Controller at least 14 days notice before adding, removing, or replacing a sub-processor. The Controller may object in writing on reasonable data protection grounds; in that case the parties will work in good faith to resolve the objection, and failing resolution the Controller may terminate the Service without penalty.

5. Security measures

The Processor implements appropriate technical and organisational measures to protect personal data, including but not limited to:

• TLS 1.3 encryption in transit; AES-256 encryption at rest for database and backups.
• Admin-provisioned email and password authentication with salted-hash storage (Firebase Auth). No public signup.
• Workspace-scoped authorisation on every Firestore read and write; every query is gated by the authenticated user's uid and admin flags.
• Production access restricted to named personnel via short-lived, audited credentials with mandatory multi-factor authentication.
• Daily encrypted backups, point-in-time recovery for 7 days, 30 day snapshot retention.
• Written incident response plan; annual penetration test; continuous vulnerability monitoring.

Full current detail is maintained on the security page.

6. International transfers

Primary storage is in the European Union. Where a sub-processor requires transfer of personal data outside the EU or UK, the Processor relies on the European Commission's Standard Contractual Clauses (Module 3, processor to processor) and, where applicable, the UK International Data Transfer Addendum. Copies of executed SCCs are available to the Controller on request.

7. Assistance with data subject rights

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through self-service tools in the product and, where those are insufficient, by responding to written requests from the Controller within 10 working days.

8. Personal data breach notification

The Processor will notify the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting the Controller's data. The notification will describe the nature of the breach, likely consequences, measures taken, and the Processor's contact point for further information.

9. Return and deletion on termination

On termination of the Service the Controller may export all personal data in a structured, machine-readable format for up to 30 days. After the export window the Processor will delete all personal data from its systems, save for backups retained on a rolling basis which are overwritten within 30 further days.

10. Audits

The Controller may, on reasonable notice and no more than once per year, request evidence of compliance with this addendum. The Processor will respond by providing current certifications, penetration test summaries, and written answers to reasonable questions. On-site audits will be arranged only where the above is insufficient to satisfy a specific regulatory requirement.

11. Governing law

This addendum is governed by the laws of Ireland and is subject to the exclusive jurisdiction of the Irish courts, save for mandatory provisions of the Controller's local data protection law.