Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum (DPA) supplements our Terms of Service and Privacy Policy, outlining our commitments as a data processor for customer data subject to GDPR or UK GDPR.
Effective March 4, 2026GDPR & UK GDPRController to Processor
Privacy policySubprocessors

1. Definitions

Key terms used in this addendum.

"Customer Data" means any personal data processed by eprojac on behalf of the Customer in the course of providing the Service.

"Data Protection Laws" means all laws and regulations applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).

The terms "controller", "processor", "data subject", "personal data", and "processing" shall have the meanings given to them in Data Protection Laws.

2. Processing of Customer Data

How we process data on your behalf.

eprojac shall process Customer Data only as a processor on the documented instructions of the Customer, including as set forth in the Terms of Service and this DPA, unless required to do so by applicable law.

The subject matter, duration, nature, and purpose of the processing are described in the Privacy Policy.

3. Security

Measures to protect your data.

eprojac implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

eprojac ensures that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Subprocessors

Third-party vendors we use.

The Customer provides general authorization for eprojac to engage subprocessors to process Customer Data. The current list of subprocessors is available at the Subprocessors page.

eprojac will notify the Customer of any intended changes concerning the addition or replacement of subprocessors, giving the Customer the opportunity to object to such changes.

5. Data Subject Rights

How we assist with user requests.

eprojac will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Data Protection Laws.

6. Transfers of Personal Data

Handling cross-border data.

Any transfer of Customer Data outside the UK or EEA to a third country lacking an adequacy decision shall be governed by the standard contractual clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable, which are incorporated by reference into this DPA.

7. Deletion or Return of Data

What happens to data upon termination.

Upon termination of the provision of services relating to processing, eprojac shall, at the choice of the Customer, delete or return all Customer Data to the Customer, and delete existing copies unless applicable law requires storage of the personal data.