Data Processing Addendum.

This Data Processing Addendum (the “DPA”) supplements the Terms of Service between the organization using Naew (“Customer”) and Suan Digital LLC. It applies when we process personal data on Customer’s behalf. Customer is the controller; we are the processor. Defined terms not defined here have the meaning given in the GDPR (or UK GDPR for UK-only data).

We process personal data only to provide the service Customer has subscribed to. We do not process it for our own marketing and we do not sell it. The Terms, this DPA, and Customer’s configuration of the service are Customer’s documented instructions.

• Data subjects: Customer’s authorized users.
• Personal data: emails, org membership, role, audit-log entries, and anything Customer voluntarily includes in vendor records, notes, or uploaded invoices. Customer should not upload special-category data.

Customer authorizes the sub-processors listed at /legal/sub-processors, each bound by terms no less protective than this DPA. Before adding or replacing one with access to personal data, we update that page and notify customers who request advance notice at least 30 days before the change, with a right to object on reasonable grounds.

Technical and organizational measures - encryption, access controls, incident response - are at /legal/security. If we confirm unauthorized access to or acquisition of Customer personal data, we will notify Customer within 72 hours, with the nature of the incident, categories of data affected, likely consequences, and measures taken, to the extent then known.

Personal data is stored in the United States and in regions operated by our sub-processors. For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, the parties enter into the European Commission’s Standard Contractual Clauses (Module Two and, for onward transfers, Module Three), with the UK Addendum where applicable.

We will provide reasonable assistance with data-subject requests, DPIAs, and supervisory-authority consultations. Most data-subject requests can be fulfilled through the service’s own controls; for anything that needs us, email [email protected]. On request to [email protected], we share our most recent security documentation; an on-site audit is available once per year on 30 days’ notice, at Customer’s expense.

Within 30 days of termination, we will delete or return all Customer personal data still in our possession, unless retention is required by law. Backups are purged on the standard rotation, which does not exceed 90 days.