Data Processing Agreement
Last updated: April 2025
Version 1.1
1. Scope and Applicability
This Data Processing Agreement ("DPA") supplements the ServerMind Terms of Service and Privacy Policy.
Important clarification: In most cases, ServerMind (ExelionTech EOOD) acts as an independent data controller for account data, billing records, and limited technical telemetry. ServerMind does not process customer operational data stored within on-premise installations.
This DPA applies only to the extent that ServerMind processes personal data as a data processor on behalf of the Customer (data controller), as defined under GDPR (Regulation 2016/679). This may occur in limited scenarios, such as when Customer personal data is incidentally included in support interactions or diagnostic data shared with ServerMind.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1)
- "Processing" means any operation performed on personal data, as defined in GDPR Art. 4(2)
- "Controller" refers to the Customer, who determines the purposes and means of processing
- "Processor" refers to ServerMind (ExelionTech EOOD), when processing personal data on behalf of the Controller
- "Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller
3. Data Processing Details
| Element | Description |
|---|---|
| Subject matter | Provision of the ServerMind platform (licensing, authentication, management) |
| Duration | For the term of the Customer's subscription plus the data retention period defined in the Privacy Policy |
| Nature and purpose | License validation, user authentication, account management |
| Categories of data subjects | Customer employees and authorized users |
| Types of personal data | Email addresses, IP addresses, account identifiers, session data |
4. Obligations of the Processor
Where ServerMind acts as a Processor, ServerMind shall:
- Process personal data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service, unless required by EU or member state law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations and process data on a need-to-know basis
- Implement appropriate technical and organizational security measures (GDPR Art. 32)
- Not engage another processor without prior written authorization from the Controller
- Assist the Controller in fulfilling data subject access requests (DSARs) and other GDPR obligations (Arts. 15-22)
- Assist the Controller in data protection impact assessments (DPIAs) where required under GDPR Art. 35
- Delete or return all personal data upon termination of the Services, at the Controller's choice, including any copies, unless retention is required by EU or member state law
- Make available all information necessary to demonstrate compliance and allow for audits
5. Security Measures
ServerMind implements technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of processing systems, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with MFA enforcement
- Pseudonymization of identifiers where technically feasible
- Audit logging of all administrative actions
- Regular security assessments and vulnerability management
- Incident response procedures with defined escalation paths
- Measures to restore availability and access to personal data in a timely manner following an incident
- Data center physical security (provided by Amazon Web Services)
6. Subprocessors
Independent controllers: Paddle acts as an independent data controller in its capacity as Merchant of Record. Paddle is not a subprocessor of ServerMind and processes payment data under its own privacy policy and legal basis.
The Controller authorizes the use of the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting of licensing, authentication, and management services | United States |
ServerMind will notify the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object to a new subprocessor by providing written notice within 14 days. If the objection cannot be resolved, the Controller may terminate the affected Services.
ServerMind ensures that subprocessors are bound by data protection obligations no less protective than those in this DPA.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), ServerMind ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- Adequacy decisions where applicable
- Supplementary technical and organizational measures where required by the CJEU Schrems II ruling
8. Data Breach Response
ServerMind will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
9. Audit Rights
The Controller has the right to audit ServerMind's compliance with this DPA. Audits shall be conducted:
- With reasonable advance notice (minimum 30 days)
- During normal business hours
- No more than once per year, unless a data breach or regulatory investigation requires an additional audit
- Subject to confidentiality obligations regarding ServerMind's proprietary information
Unless otherwise required by law or regulatory authority, audits shall be conducted at the Controller's expense.
ServerMind may provide audit reports, certifications, or third-party audit results as an alternative to on-site audits where appropriate.
10. Term and Termination
This DPA is effective for the duration of the Customer's use of the Services. Upon termination:
- ServerMind will delete or return all personal data within 30 days, at the Controller's instruction, including any copies held by ServerMind or its subprocessors
- ServerMind may retain data where required by EU or member state law, subject to appropriate safeguards and limited to the minimum necessary
- Sections 4, 5, 7, 8 and 9, together with any provisions which by their nature should survive termination, shall survive
11. Contact
For DPA-related inquiries:
- Privacy contact: [email protected]
- Legal: [email protected]
To request a signed copy of this DPA, contact [email protected].