Skip to main content
SVDY Logo

Data Processing Addendum

For customers in regulated jurisdictions — primarily EU GDPR Article 28 controllers — we offer a counter-signable DPA that governs how svdy processes personal data on your behalf.

What's in the DPA

Standard svdy DPA covers the following clauses (modelled after the EDPB SCC + UK ICO ICA + ISO 27018 templates):

1. Roles + scope

Customer = controller, svdy = processor. Personal data scope: workers, time entries, leave records, process forms, audit logs.

2. Sub-processors

Authorisation for the 5 sub-processors listed at /trust/sub-processors. 30-day notice + objection mechanism for changes.

3. Security

AWS multi-AZ + AES-256 at rest + TLS 1.2+ in transit + role-based access control + audit logs. Annual penetration test once SOC 2 program kicks off (Q1 2027).

4. Data subject rights

Customer (controller) handles DSARs first via the admin UI (export / erase / rectify). svdy assists with non-self-service requests within 5 business days.

5. Breach notification

Within 72 hours of becoming aware, with subject + scope + remediation steps. Email to your designated DPO contact.

6. International transfers

EU → US transfers covered by the EU SCCs (2021 version). UK transfers covered by the UK Addendum to the SCCs.

7. Termination

On contract termination: customer can export data via admin UI for 30 days; then svdy hard-deletes within 60 days unless legal hold applies.

Request a counter-signable DPA

Email legal@svdy.com with your company name and the EU / UK / US entity that's the controller. We send back a pre-signed PDF within 2 business days. No charge — DPA is included in every paid plan.

Email legal@svdy.com

Pre-customer phase — we are working with our legal team to publish a downloadable PDF on this page. Once available, the SHA-256 hash will be posted alongside so you can verify integrity.