Data Processing Agreement
How this Agreement is entered into
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Swipy Terms of Service or other written or electronic agreement between Swipy and the Customer governing the Customer's use of the Service (the "Principal Agreement"). It records the terms on which Swipy processes personal data on the Customer's behalf in connection with the Service.
By accepting the Principal Agreement, or by accessing or using the Service, the Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Law, in the name and on behalf of its authorized affiliates. If the individual accepting this DPA does not have authority to bind the Customer, or does not agree with these terms, they must not accept this DPA and must not use the Service.
Acceptance of the Principal Agreement constitutes acceptance of this DPA in electronic form for the purposes of Article 28(9) GDPR. Swipy records the version accepted and the date of acceptance for each Customer. Where the Customer requires a counter-signed copy, the parties may execute the signature block at the end of this DPA. Where this DPA incorporates the Standard Contractual Clauses (Clause 11), the Customer's acceptance also constitutes entry into those Clauses and their completed annexes.
1. Definitions
1.1 Terms used but not defined in this DPA have the meaning given in the Principal Agreement.
1.2 In this DPA:
"Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the GDPR as incorporated into UK law (the "UK GDPR") together with the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), and, where applicable, the California Consumer Privacy Act as amended ("CCPA").
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
"Customer" means the party that has entered into the Principal Agreement and that, in respect of Customer Personal Data, acts as the Controller.
"Customer Personal Data" means Personal Data that Swipy processes on the Customer's behalf in the course of providing the Service — principally Personal Data submitted by visitors to websites the Customer builds and publishes using the Service (for example, through contact forms, scheduling or booking features, or similar submissions).
"EU Representative" and "UK Representative" mean the representatives appointed by Swipy under Article 27 GDPR and Article 27 UK GDPR respectively, as identified in Annex 4.
"Service" means the Swipy website-building platform made available at swipy.org and related services provided under the Principal Agreement.
"Sub-processor" means any third party engaged by Swipy to process Customer Personal Data.
"SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018.
"Swipy" (the "Processor") means the operator of the Service, as identified in Annex 1.A, contactable at [email protected].
2. Roles and Scope
2.1 Roles. With respect to Customer Personal Data, the Customer is the Controller and Swipy is the Processor. This DPA applies only to Swipy's processing as a Processor.
2.2 Relationship to the Privacy Policy. Swipy's processing of Personal Data for which Swipy itself determines the purposes and means — such as the Customer's own account data, and limited technical and diagnostic data processed for the security, integrity, and improvement of the Service — is not governed by this DPA but by the Swipy Privacy Policy (swipy.org/privacy), under which Swipy acts as Controller.
2.3 Customer instructions. Swipy shall process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law to which Swipy is subject; in such a case, Swipy shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Principal Agreement, this DPA (including Annex 1), and the Customer's configuration and use of the Service constitute the Customer's complete and final documented instructions.
2.4 Lawfulness of instructions. The Customer is responsible for the lawfulness of Customer Personal Data and of the instructions it gives. The Customer warrants that it has a valid legal basis for the processing, that it has provided all required notices to and obtained any required consents from Data Subjects, and that its instructions comply with Data Protection Law.
2.5 Notice of infringing instruction. Swipy shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law (without obligation to provide legal advice or to actively monitor the Customer's compliance). Swipy may suspend the affected processing until the instruction is confirmed, amended, or withdrawn.
2.6 GDPR territorial scope. The parties acknowledge that, where Swipy processes Customer Personal Data relating to the offering of goods or services to, or the monitoring of, individuals in the EU or UK, Swipy is directly subject to the GDPR and/or UK GDPR under Article 3(2), and Swipy shall comply with the obligations applicable to it as a processor on that basis.
2.7 Compliance. Each party shall comply with its respective obligations under Data Protection Law.
3. Swipy's Processing Obligations (Article 28(3) GDPR)
Swipy shall:
3.1 (a) Documented instructions — process Customer Personal Data only on the Customer's documented instructions, as set out in Clauses 2.3 and 2.5, including for transfers to a third country, unless required by law as described there;
3.2 (b) Confidentiality — ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality (whether contractual or statutory) and process the data only as instructed;
3.3 (c) Security — take all measures required under Article 32 GDPR, as described in Clause 4 and Annex 2;
3.4 (d) Sub-processing — respect the conditions for engaging Sub-processors set out in Clause 5;
3.5 (e) Data subject rights — taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests to exercise Data Subject rights, as set out in Clause 6;
3.6 (f) Assistance — assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Swipy, as set out in Clauses 4, 7, and 8;
3.7 (g) Deletion or return — at the Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies unless law requires storage, as set out in Clause 9;
3.8 (h) Audits and information — make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, as set out in Clause 10.
4. Security
4.1 Swipy shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects. A description of these measures is set out in Annex 2.
4.2 The measures include, as appropriate: pseudonymization and encryption of Personal Data where appropriate; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access to Personal Data in a timely manner after an incident; and a process for regularly testing, assessing, and evaluating the effectiveness of those measures.
4.3 Swipy may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection of Customer Personal Data.
5. Sub-processors
5.1 General authorization. The Customer grants Swipy general written authorization to engage Sub-processors to process Customer Personal Data, subject to this Clause 5. A current list of Sub-processors is available at swipy.org/subprocessors and includes, as at the Effective Date, the providers identified in Annex 3.
5.2 Flow-down terms. Swipy shall impose on each Sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures (Article 28(4) GDPR). Where the CCPA applies, Swipy shall ensure each Sub-processor is bound by the service-provider obligations in Clause 12. Where a Sub-processor fails to fulfil its data protection obligations, Swipy remains fully liable to the Customer for the performance of that Sub-processor's obligations.
5.3 Changes. Swipy shall give the Customer at least thirty (30) days' prior notice of the addition or replacement of any Sub-processor (for example by updating the list at swipy.org/subprocessors and/or by email where the Customer has subscribed to notifications), thereby giving the Customer the opportunity to object before the change takes effect.
5.4 Objection. If the Customer has a reasonable, data-protection-based ground to object to a new Sub-processor, the Customer shall notify Swipy in writing within fourteen (14) days of the notice. The parties shall discuss the objection in good faith and seek a mutually acceptable resolution (such as a configuration that avoids the Sub-processor). If no resolution is reached within the notice period, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service by giving written notice, with a pro-rata refund of any prepaid fees for the terminated portion covering the period after termination.
6. Data Subject Rights
6.1 Swipy shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in responding to requests from Data Subjects to exercise their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making).
6.2 Where Swipy receives a request directly from a Data Subject relating to Customer Personal Data, Swipy shall not respond to that request itself except on the Customer's documented instructions or as required by law, and shall promptly inform the Customer of the request, providing the details necessary for the Customer to respond.
6.3 To the extent the Service provides self-service functionality enabling the Customer to access, correct, delete, restrict, or export Customer Personal Data, the Customer agrees that use of that functionality satisfies Swipy's assistance obligations under this Clause to the corresponding extent.
7. Personal Data Breach
7.1 Swipy shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall use reasonable efforts to provide that notification within forty-eight (48) hours of becoming aware.
7.2 The notification shall, to the extent reasonably available to Swipy, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Where this information cannot be provided at once, it may be provided in phases without undue further delay.
7.3 Swipy shall take reasonable steps to mitigate the effects of and to minimize any damage resulting from the Personal Data Breach, and shall cooperate with the Customer and provide reasonable assistance to enable the Customer to meet its own obligations under Articles 33 and 34 GDPR. For the avoidance of doubt, the obligation to notify a Supervisory Authority within 72 hours under Article 33(1) rests with the Customer as Controller; Swipy's obligation is to notify the Customer under Clause 7.1.
7.4 Swipy's notification of or response to a Personal Data Breach shall not be construed as an acknowledgment by Swipy of any fault or liability.
8. Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of processing and the information available to it, Swipy shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that the Customer reasonably considers required under Articles 35 or 36 GDPR, in each case solely in relation to the processing of Customer Personal Data by Swipy.
9. Deletion or Return
9.1 Upon termination or expiry of the Principal Agreement, or otherwise on the Customer's written request, Swipy shall, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless law requires continued storage.
9.2 The Customer may export Customer Personal Data using the functionality of the Service prior to termination. Following a retention grace period of thirty (30) days after termination, during which the Customer may retrieve Customer Personal Data, Swipy shall delete it in accordance with Clause 9.1.
9.3 Customer Personal Data residing in routine backups that cannot be individually isolated is put beyond use upon deletion from production systems: it is retained solely for backup and disaster-recovery purposes, is not restored to production or otherwise used, and is deleted in the ordinary course as those backups are overwritten on a rolling basis within the period stated in Annex 2. Such data remains protected by this DPA until deleted.
9.4 On the Customer's written request, Swipy shall provide written confirmation that deletion has been completed in accordance with this Clause, subject to Clause 9.3 in respect of backups.
10. Audits
10.1 Swipy shall make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
10.2 The Customer's audit right may be satisfied, where available, by Swipy providing relevant third-party certifications, audit reports, or summaries (for example, of its hosting providers' certifications) and by responding to reasonable written security questionnaires.
10.3 Where the Customer reasonably requires an on-site or more detailed audit beyond Clause 10.2, the parties shall agree in advance on the timing, scope, duration, and reasonable conditions of the audit. Audits shall be conducted no more than once per twelve (12) month period (except where required by a Supervisory Authority or following a Personal Data Breach), on reasonable prior written notice, during business hours, and in a manner that does not unreasonably disrupt Swipy's operations or compromise the confidentiality or security of other customers' data. Each party bears its own costs. Where the processing is subject to the SCCs, the audit terms of the SCCs prevail to the extent of any conflict.
11. International Transfers
11.1 Hosting location and data localization. Swipy hosts Customer Personal Data in production within the EEA (DigitalOcean, Frankfurt FRA1 / Amsterdam AMS3). Swipy shall not transfer Customer Personal Data to, or store it in, a country outside the EEA, the UK, or Switzerland, and shall not engage a Sub-processor that does so, except where the transfer is subject to an appropriate safeguard under Chapter V of the GDPR (and the equivalent provisions of the UK GDPR and FADP).
11.2 Processor access from outside the EEA. Where Swipy, although directly subject to the GDPR under Article 3(2), accesses or processes Customer Personal Data from outside the EEA/UK, the parties acknowledge that Chapter V continues to apply to that processing. The parties shall give effect to an appropriate safeguard for such access. Until the European Commission adopts standard contractual clauses specifically designed for importers that are themselves subject to the GDPR under Article 3(2), the parties shall apply, by analogy and as a good-faith safeguard, the Controller-to-Processor module of the SCCs as set out in Clause 11.4, together with the supplementary measures in Annex 2, and Swipy shall document and maintain a transfer impact assessment, a summary of which is available to the Customer on written request.
11.3 Sub-processor transfers. Where a Sub-processor processes Customer Personal Data outside the EEA/UK/Switzerland, such transfers are governed by the SCCs, the UK Addendum, and the applicable Swiss mechanism, or by the Sub-processor's valid adequacy mechanism (including the EU–US Data Privacy Framework where the Sub-processor is certified), as identified in Annex 3.
11.4 Incorporation of the SCCs. Where this DPA requires the SCCs, they are incorporated by reference and completed as follows: the Controller-to-Processor module (Module Two) applies to the Customer-to-Swipy relationship, and the Processor-to-Sub-processor module (Module Three) applies to the onward Sub-processor relationship; the Customer is the data exporter and Swipy (or the relevant Sub-processor) is the data importer; the docking clause (Clause 7 of the SCCs) applies; the audit and Sub-processor terms of this DPA apply; in Clause 9 of the SCCs, Option 2 (general written authorization) applies with the time period in Clause 5.3 of this DPA; the optional independent dispute resolution body under Clause 11(a) of the SCCs is not adopted; Annexes I, II, and III of the SCCs are populated by Annexes 1, 2, and 3 of this DPA; the supervisory authority is that of the Customer's place of establishment in the EEA; and the governing law and forum default to Ireland for the EU SCCs unless Data Protection Law requires otherwise. For UK transfers, the UK Addendum applies with Tables 1–3 populated by this DPA's annexes and Table 4 permitting either party to end the Addendum as set out in Section 19 of the UK Addendum. For Swiss transfers, the SCCs apply with the FADP adaptations (references to the GDPR read as the FADP, the FDPIC as supervisory authority, and Swiss courts and data-subject rights preserved).
11.5 Conflict. In the event of any conflict between the SCCs/UK Addendum and this DPA, the SCCs/UK Addendum prevail with respect to the transfer they govern.
11.6 DPF fallback. Where Swipy relies on a Sub-processor's certification under the EU–US Data Privacy Framework (or its UK or Swiss extensions) as the transfer mechanism, and that framework ceases to provide a valid basis for transfers, the SCCs under Clause 11.4 (which are incorporated and completed in advance) shall apply automatically as the fallback safeguard without further action by the parties.
11.7 Government access. Swipy shall, and shall require its Sub-processors to: (a) notify the Customer without undue delay of any legally binding request from a public authority (including a law-enforcement or national-security authority) for disclosure of Customer Personal Data, unless prohibited by law; (b) where prohibited from notifying, use reasonable lawful efforts to obtain a waiver of that prohibition and to challenge or limit the request where it is unlawful or overbroad; (c) disclose only the minimum amount of Customer Personal Data necessary to comply; and (d) provide, on request and where lawful, transparency information about the requests it has received.
12. CCPA Terms
12.1 Service-provider status. To the extent the CCPA applies, Swipy acts as a "service provider" with respect to Customer Personal Data. Swipy shall not: (a) sell or share such Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Principal Agreement, or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with Personal Data received from other sources, except as permitted by the CCPA.
12.2 Certification. Swipy certifies that it understands the restrictions in this Clause 12 and will comply with them.
12.3 Same level of protection. Swipy shall provide the same level of privacy protection to Customer Personal Data as is required of businesses by the CCPA.
12.4 Notification of inability to comply. Swipy shall notify the Customer without undue delay if it determines that it can no longer meet its obligations under the CCPA.
12.5 Remediation. The Customer may, upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data by Swipy.
12.6 Sub-processors. Swipy shall flow down the obligations in this Clause 12 to any Sub-processor that processes Customer Personal Data subject to the CCPA, by written contract.
13. Liability and Term
13.1 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, and any reference to a party's liability means the aggregate liability of that party under the Principal Agreement and this DPA together. Nothing in this DPA or the Principal Agreement limits or excludes any liability that cannot be limited or excluded under Data Protection Law, including a Data Subject's rights as third-party beneficiary under the SCCs.
13.2 Term. This DPA takes effect on the Effective Date and continues for as long as Swipy processes Customer Personal Data under the Principal Agreement. Provisions that by their nature should survive termination (including Clauses 9, 10, 11, 13, and 14) shall survive.
13.3 Conflict. In the event of a conflict between this DPA and the Principal Agreement on the subject of data protection, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail with respect to the transfer they govern.
13.4 Changes. Swipy may update this DPA where required to reflect changes in Data Protection Law, guidance from Supervisory Authorities, or changes to the Service, provided that no such update materially reduces the protection afforded to Customer Personal Data. Swipy shall give the Customer reasonable prior notice of any material change.
14. Governing Law
This DPA is governed by the law specified in the Principal Agreement, except where Data Protection Law or the SCCs require otherwise. The courts specified in the Principal Agreement have jurisdiction, subject to the same exception.
Annex 1 — Details of Processing
A. List of parties
Controller / data exporter: the Customer, as identified in the Principal Agreement.
Processor / data importer: Swipy (swipy.org), operated by a private individual based in Ukraine (the "Operator"). The Operator's full legal name and address are provided to the Customer on written request to [email protected], and are deemed incorporated into this Annex and into Annex I.A of the SCCs for each Customer to whom they are provided. Contact for all data protection matters: [email protected].
B. Subject matter and duration
Subject matter: provision of the Swipy website-building Service, in the course of which Swipy processes Personal Data submitted to websites built and published by the Customer.
Duration: the term of the Principal Agreement, plus any retention grace and backup-deletion periods under Clause 9.
C. Nature and purpose of processing
Hosting, storage, collection via website features (contact forms, scheduling/booking, and similar submissions), transmission, display to the Customer, backup, and deletion — solely to provide and support the Service on the Customer's instructions.
D. Categories of Data Subjects
Visitors to and users of the websites the Customer builds and publishes using the Service (for example, prospective customers, enquirers, and persons booking appointments).
E. Categories of Personal Data
As determined and controlled by the Customer through its configuration of website features. Typically: name, email address, telephone number, message/enquiry content, appointment or booking details, and any other fields the Customer chooses to collect, together with technical data such as IP address and timestamps captured in the ordinary operation of the Service.
F. Special category data
The Service is not intended for the collection of special category data (Article 9 GDPR). The Customer shall not configure the Service to collect such data unless it has implemented the additional safeguards required by Data Protection Law and has so informed Swipy in writing.
G. Frequency of processing
Continuous, for the duration of the Principal Agreement.
H. Retention
As set out in Clause 9 and in the Customer's instructions.
Annex 2 — Technical and Organizational Measures
The following describes Swipy's technical and organizational measures. These measures also constitute the technical and organizational measures and supplementary measures for the purposes of Annex II of the SCCs.
Encryption and pseudonymization
- TLS for Personal Data in transit.
- Encryption at rest for the managed database storing Customer Personal Data.
- Pseudonymization or minimization of identifiers in logs and diagnostic data where appropriate.
Access control
- Role-based access on a least-privilege basis; administrative access restricted to authorized personnel.
- Individual authenticated accounts for personnel; multi-factor authentication for administrative access.
- Confidentiality obligations binding on all personnel with access.
Personnel
- Privacy and security awareness training for personnel with access to Customer Personal Data, on onboarding and periodically thereafter.
Infrastructure and hosting
- Hosting on DigitalOcean managed infrastructure in the EEA (Frankfurt FRA1 / Amsterdam AMS3).
- Network controls (firewalls, restricted ports, private networking for database access).
Vulnerability and patch management
- Monitoring for security vulnerabilities and timely application of critical security patches to systems within Swipy's control.
Resilience, backup, and recovery
- Regular backups with the ability to restore availability and access to Personal Data in a timely manner after an incident.
- Backup rotation / overwrite period: ninety (90) days (the period referenced in Clause 9.3).
- Business-continuity and disaster-recovery arrangements proportionate to the Service.
Integrity and testing
- Change-management and deployment controls, including review before materially changing security measures.
- Logging and monitoring of production systems.
- Periodic review and testing of the effectiveness of these measures.
Incident management
- Documented process for detecting, investigating, and notifying Personal Data Breaches in line with Clause 7.
Annex 3 — Approved Sub-processors (as at the Effective Date)
| Sub-processor | Purpose | Location of processing | Transfer mechanism (if outside EEA/UK) |
|---|---|---|---|
| DigitalOcean, LLC | Cloud hosting and managed database | EEA (Frankfurt FRA1 / Amsterdam AMS3) | None required — processing within the EEA |
| Mailgun (Sinch) | Delivery of authentication and service emails | EU (EU sending region) | None required for EU-region processing; 2021 SCCs / EU–US Data Privacy Framework available as a safeguard for any incidental US parent access |
The current authoritative list is maintained at swipy.org/subprocessors.
Annex 4 — Article 27 Representatives
EU Representative (GDPR Article 27): Swipy will appoint an EU representative and update this Annex with the representative's name and EU-Member-State address before general availability of the Service. During the current limited-availability, free-of-charge beta, Data Subjects and Supervisory Authorities may direct all enquiries to Swipy at [email protected], and Swipy will respond directly.
UK Representative (UK GDPR Article 27): to be appointed on the same basis, with a name and UK address, before general availability of the Service. Enquiries in the interim: [email protected].