Data Processing Addendum
For customers in regulated jurisdictions — primarily EU GDPR Article 28 controllers — we offer a counter-signable DPA that governs how svdy processes personal data on your behalf.
What's in the DPA
Standard svdy DPA covers the following clauses (modelled after the EDPB SCC + UK ICO ICA + ISO 27018 templates):
1. Roles + scope
Customer = controller, svdy = processor. Personal data scope: workers, time entries, leave records, process forms, audit logs.
2. Sub-processors
Authorisation for the 5 sub-processors listed at /trust/sub-processors. 30-day notice + objection mechanism for changes.
3. Security
AWS multi-AZ + AES-256 at rest + TLS 1.2+ in transit + role-based access control + audit logs. Annual penetration test once SOC 2 program kicks off (Q1 2027).
4. Data subject rights
Customer (controller) handles DSARs first via the admin UI (export / erase / rectify). svdy assists with non-self-service requests within 5 business days.
5. Breach notification
Within 72 hours of becoming aware, with subject + scope + remediation steps. Email to your designated DPO contact.
6. International transfers
EU → US transfers covered by the EU SCCs (2021 version). UK transfers covered by the UK Addendum to the SCCs.
7. Termination
On contract termination: customer can export data via admin UI for 30 days; then svdy hard-deletes within 60 days unless legal hold applies.
Request a counter-signable DPA
Email legal@svdy.com with your company name and the EU / UK / US entity that's the controller. We send back a pre-signed PDF within 2 business days. No charge — DPA is included in every paid plan.
Email legal@svdy.comPre-customer phase — we are working with our legal team to publish a downloadable PDF on this page. Once available, the SHA-256 hash will be posted alongside so you can verify integrity.
