Data Processing Addendum
Last modified: April 21st 2026
This Data Processing Addendum and its Annexes ("DPA") is incorporated by reference into the Saidot Master Terms of Service and forms part of the Agreement.
Background
1.1 For the purposes of providing access and making available the Services, Saidot may collect, process, and gain access to the Personal Data of individuals on behalf of the Customer. From a data protection perspective, the Customer will be the Data Controller, and Saidot will be the Data Processor.
1.2 This DPA specifies the data protection obligations of the Parties for the provision of Services. This DPA applies to all activities performed by Saidot in connection with the Terms of Service in which Saidot, as the Data Processor, comes into contact with the Personal Data of individuals.
Definitions
Unless otherwise defined below, all capitalised terms in this DPA shall have the meaning given to them in the Agreement:
2.1 “Applicable Data Protection Law” means the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and to the extent applicable the data protection and privacy laws in relevant jurisdictions.
2.2 “Data Controller” means the natural or legal person, public authority, agency or other body which either alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.3 “Data Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
2.4 “Data Subject” means the natural person to whom Personal Data relates.
2.5 “Data Transfer” means the transfer of personal data outside the European Economic Area (the “EEA”).
2.6 “Personal Data” means any information relating to an identified or identifiable natural person.
2.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Saidot and/or its Sub-Processor in connection with the provision of the Services.
2.8 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data. The terms “Process”, “Processes”, and “Processed” will be interpreted correspondingly.
2.9 “Sub-Processor” means any processor engaged by Saidot to assist in fulfilling its obligations with respect to the provision of the Services under the Terms of Service.
Relationship of the parties; Processing of Data
3.1 The Parties acknowledge that the Customer, for the purposes of this DPA, acts as the Data Controller and Saidot as the Data Processor.
3.2 Customer appoints Saidot as a processor to process the Personal Data described in Annex II for the purpose of providing Services to the Customer and complying with Saidot’s obligations under the Agreement, as further described in Annex II (or as otherwise reasonably instructed in writing by Customer and to the extent consistent with the terms of the Agreement).
3.3 The Customer is responsible for ensuring compliance with Applicable Data Protection Law in its use of the Services and when providing instructions for the processing of Personal Data. The Customer shall ensure that the processing of Personal Data in accordance with the Customer’s instructions will not cause Saidot to breach Applicable Data Protection Law.
3.4 Saidot shall not retain, use, or disclose the personal data for any purpose other than for the purpose described in this DPA or as otherwise permitted by the Applicable Data Protection Law.
Transfer of personal data
The Parties agree that Saidot may transfer Personal Data outside the EEA as necessary to provide the Services. In such a case, Saidot will ensure that it has taken such measures as are necessary to ensure the transfer complies with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient (i) in a country that the European Commission has decided provides adequate protection for personal data, or (ii) that has executed standard contractual clauses adopted or approved by the European Commission.
Security
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Saidot shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data. Additional information about the technical and organisational security measures undertaken by Saidot can be found in Annex 1.
Subprocessing
6.1 Customer acknowledges and agrees that Saidot may (1) engage sub-processors to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data.
6.2 A list of Saidot’s sub-processors can be found in Appendix 3. Saidot shall update the list of sub-processors in Appendix 3 at least ten (10) business days prior to any such change (except where shorter notice is required due to an emergency). Customer can request e-mail notification of changes and updates to the list of sub-processors by sending a request to Saidot Support at customersupport@saidot.ai. Customer may object to Saidot’s appointment of a sub-processor by informing Saidot in writing within ten (10) business days of receipt of the e-mail notice from Saidot, provided such objection is based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Saidot from offering the Services to the Customer.
6.3 In the event that Customer objects to the engagement in accordance with 6.2 of this DPA, and Saidot is unable to provide a commercially reasonable alternative within a reasonable period of time, not exceeding thirty (30) calendar days, the Customer may, upon submitting a written notice to Saidot, discontinue or suspend the use of the affected Service. The suspension or termination does not relieve the Customer of any fees owed to Saidot for the use of the Services prior to the suspension or termination.
6.4 Saidot will enter into an agreement with the sub-processor that imposes data protection obligations comparable to those imposed on Saidot under this DPA with respect to the protection of personal data.
6.5 Saidot will remain liable for any breach of this DPA caused by an act, error, or omission of its sub-processor.
Data subject rights
Saidot shall, taking into account the nature of the processing, apply appropriate technical and organisational measures to provide reasonable and timely assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, as well as to enable Customer to respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Personal Data processed for the purposes of providing the Services. Where Saidot directly receives any such request, correspondence, enquiry or complaint regarding such Personal Data, Saidot will, without undue delay, inform the Customer of such contact.
Personal data breach
In the event Saidot becomes aware of a Personal Data Breach, Saidot shall, without undue delay, inform Customer of the Personal Data Breach and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under Applicable Data Protection Law. Saidot shall further take such reasonably necessary measures and actions to mitigate the effects of the Personal Data Breach (to the extent the mitigation is within Saidot’s reasonable control) and shall keep Customer informed of all material developments in connection with the Personal Data Breach.
Deletion or return of Personal Data
Upon termination of the Services, Saidot returns or deletes the Customer’s Personal Data unless return or destruction is impracticable or prohibited by law. In such a situation, Saidot shall continue to appropriately protect such Personal Data in its possession, custody, or control.
Actions and Access Requests; Reviews
10.1 Taking into account the nature of the processing and the information available to Saidot, Saidot shall provide Customer with reasonable cooperation and assistance (at Customer’s expense) to enable Customer to comply with its obligations to conduct any data protection or transfer impact assessments that it is required to undertake under Applicable Data Protection Law and/or to consult competent supervisory authorities prior to processing where required by Applicable Data Protection Law.
10.2 Saidot shall deal promptly and adequately with any enquiries from the Customer about the processing of Personal Data in accordance with this DPA. Customer shall, with reasonable notice to Saidot, have the right to review all information reasonably necessary to demonstrate Saidot’s compliance with its obligations under this DPA.
Annex I – Technical and organisational measures
This Annex I sets out the technical and organisational measures implemented by Saidot to ensure a level of security appropriate to the risk posed by the processing of Customer Personal Data. Saidot also holds ISO 27001 certification, demonstrating the implementation of an information security management system that meets internationally recognised standards.
Data protection and security measure | Description of Saidot Controls |
|---|---|
Measures for data security, incl. pseudonymisation and encryption of personal data | Saidot has secure protocols and methods in place to protect all data. Saidot encrypts all customer data, including Personal Data, both in transit and at rest. Saidot follows the data security practices recommended by its cloud vendor (Microsoft Azure) and by its integrated services (ArangoDB and Airtable) to protect data and encryption secrets. Furthermore, Saidot logically separates customer data by organisation. Within each organisation, data is further segmented by workspaces (Spaces) to maintain clear boundaries and enforce access controls at both the organisational and sub-organisational levels. This layered approach keeps each customer’s data isolated. |
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services | The Agreement between Saidot and Customer contains strict confidentiality obligations. Saidot ensures that any person it authorises to process Personal Data has committed to confidentiality concerning Personal Data or is under an appropriate statutory obligation of confidentiality. Saidot has established procedures for the appropriate management of IT systems to ensure the confidentiality, integrity, availability, and resilience of processing systems and Saidot Services. Saidot Cloud Services are hosted on Microsoft Azure with high availability enabled and a zone-redundant configuration, so that services remain operational in the event of a localised infrastructure failure. Customer data is backed up on a regular basis. Saidot maintains documented recovery time objective (RTO) and recovery point objective (RPO) targets, so that service restoration and data recovery can be achieved within defined timeframes in the event of a significant incident. Saidot maintains both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) to ensure a structured and coordinated response to disruptions. The effectiveness of these plans is validated through regular tabletop exercises covering disaster recovery and incident response scenarios. These plans are maintained in accordance with Saidot's ISO 27001-certified information security management system. In addition, Saidot accesses Customer content upon the Customer’s explicit request. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in cases of physical or technical incidents | Automated full backups of production data are taken daily. Backups are encrypted and securely stored in Microsoft Azure data centers located in Ireland to enable fast recovery in the event of an incident. |
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | A periodic review of applied security measures is performed within Saidot. In addition, tabletop exercises for incident management are performed regularly to ensure organisational preparedness. |
Measures for user identification and authorisation | Saidot follows industry best practices for authentication of users accessing the Services, including multi-factor authentication where applicable, role-based access control, and least-privilege access. |
Measures for the protection of data during transmission | Communication interfaces with and within the Cloud Services as well as towards integrated services, enforce the use of secure protocols to protect data in transit under all circumstances. Saidot ensures both in-transit and at-rest encryption of all customer data, incl. personal data. |
Measures for the protection of data during storage | Data at rest stored in relational and graph database services is encrypted with AES-256. Encryption keys and secrets are stored in the respective services, following the practices provided by each service for protecting encryption keys. |
Measures for ensuring physical security of locations at which personal data are processed | As Saidot Services are hosted in the cloud, all Saidot processing occurs in physical data centers in the EU/EEA (Ireland) managed by Azure; further details are available at https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security. |
Measures for ensuring events logging | All access to the Services, whether by a person or programmatic, is logged in Azure Monitor. Monitoring of security logs is managed by the engineering team. Log activity is reviewed as needed and escalated when appropriate. Critical events and incidents are delivered to selected mail recipients as well as to a dedicated Slack channel so that the engineering and management teams can react quickly if needed. |
Measures for ensuring system configuration, including default configuration | Saidot adheres to DevOps principles regarding system configuration, applying an Infrastructure as Code (IaC) approach to ensure that all environments, including their default configurations, are defined, versioned, and reproducible. The configuration of all environments is stored in Saidot's version control system. Changes to system configuration are reviewed through pull requests and deployed automatically via CI/CD pipelines upon approval, ensuring consistent and auditable configuration management. |
Measures for internal IT and IT security governance and management | Saidot has in place protocols for the management of IT security, consisting of IT management frameworks, data security controls, procedures for access management and control, incident response and recovery. Additionally, Saidot has in place procedures for the appropriate management of IT systems to ensure the confidentiality, integrity, availability and resilience of processing systems and Saidot Services. |
Measures for ensuring data minimization | The processed Personal Data Saidot collects when registering to the Service has been minimised to what is necessary for Saidot to identify the individual and communicate with them. When using the Services, the Customer has control over what data is introduced into the Cloud Services. Accordingly, Saidot and Customer operate under a shared responsibility model. |
Measures for certification/assurance of processes and products | Saidot has achieved ISO 27001 certification, demonstrating a formally documented and audited approach to information security management. This encompasses a defined scope, security policy and objectives, systematic risk assessments and treatment plans, and clearly assigned security roles and responsibilities. In practice, Saidot maintains records of staff competence and security awareness, regularly monitors and measures the performance of security controls, and conducts both internal audits and management reviews to ensure the system remains effective. Issues are tracked and resolved through a structured process of corrective action and continuous improvement. Specific controls in place cover the inventory and responsible use of information assets, a defined process for handling security incidents, compliance with relevant legal and contractual obligations, and documented procedures for all operational processes. Additional controls address secure configuration management, protection of system logs, and ensuring staff understand their security responsibilities. |
Measures for ensuring data quality | Saidot implements data quality measures at multiple stages of data processing. First, at the API endpoints, schema-first design is applied to GraphQL endpoints. Second, at the database layer, data is validated against the database schema prior to insertion. Finally, data quality is ensured through rigorous testing to maintain high standards for the code used in the processing of data. |
Measures for ensuring limited data retention | Following service termination, Saidot retains Personal Data for a period of 6-12 months in accordance with Applicable Data Protection Law, after which all Personal Data is deleted from the Services. |
Measures for ensuring accountability | Saidot has implemented measures to ensure accountability throughout the organisation, including the adoption of data protection and information security policies, recording and reporting personal data breaches, and designating roles and responsibilities for the various data privacy and information security duties. |
Measures for data subject rights | Saidot has established processes and measures for the protection of Data Subjects’ rights. Details of the collection and use of personal data, including the rights of Data Subjects, can be found in Saidot's Privacy Policy. |
Measures for allowing data portability and ensuring erasure | The Personal Data Saidot collects when a user registers for the Service has been minimised to what is necessary for Saidot to identify the individual and communicate with them. Consequently, most scenarios for transferring Personal Data out of Saidot do not apply. However, Saidot will address all data portability requests to meet Customer needs. |
Technical and organizational measures of sub-processors | Saidot enters into Data Processing Agreements with its Sub-Processors that include data protection obligations comparable to those in this DPA. |
Annex II - Details on the processing of Personal Data
This Annex II sets out the details of processing, including the subject matter, nature, and purpose of processing, the duration of processing, and the categories of personal data and data subjects to which the processing relates.
Category | Description |
|---|---|
Nature and purpose of processing | Saidot will process Customer’s Personal Data as strictly necessary and required to provide the Services and otherwise in accordance with Customer’s instructions. The nature of processing includes, without limitation, the following processing activities: receive, collect, assess, retrieve, record, store, organise, structure, adapt, alter, redact, use, align, erase, destroy, and delete Customer Personal Data, as well as share, disclose or otherwise make available Customer Personal Data to listed sub-processors. |
Duration of processing | Saidot will process Customer’s Personal Data as long as required (i) to provide Services to Customer; or (ii) by applicable law, including Applicable Data Protection Law. |
Categories of Data Subjects | Customer’s employees, consultants, contractors, and/or agents. |
Categories of personal data | The Personal Data processed is personal data provided by the Customer and processed by Saidot in the course of providing the Services. The processed personal data contains identification data such as name and email addresses, telephone numbers, profile pictures (optional), usernames, aliases, roles, and other authentication and security credential information. |
Sensitive data or special categories of data | The personal data processed will not include sensitive personal data. Customer is prohibited from providing sensitive personal data or special categories of data to Saidot. |