Data Processing Agreement
Last Updated: March 2026
This Data Processing Agreement ("DPA") forms part of the SupaSafe Terms of Service between Visatics Ltd. (company number 15339210), registered at 51 Audley Park Road, Bath, BA1 2XL, UK, trading as SupaSafe (the "Processor"), and the Subscriber (the "Controller"), collectively the "Parties".
This DPA applies where SupaSafe processes personal data on behalf of the Controller in the course of providing the SupaSafe database backup service. This DPA is entered into in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
Personal Data, Data Subject, Processing, Controller, Processor, Sub-processor shall have the meanings given to them in the UK GDPR.
Backup Data means the database backup copies created by SupaSafe on behalf of the Controller, which may contain personal data.
Services means the SupaSafe database backup service as described in the Terms of Service.
Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
2. Scope and Purpose of Processing
The Processor shall process personal data only to the extent necessary to provide the Services, specifically: creating scheduled backups of the Controller's Supabase database, storing encrypted backup data, providing backup restoration services, and maintaining backup metadata for service operation.
The nature of processing is automated database backup and storage. The categories of data subjects and types of personal data are determined entirely by the contents of the Controller's database and are not predetermined by SupaSafe. The duration of processing is for the term of the Controller's subscription plus any applicable retention period as set out in the Terms of Service.
3. Obligations of the Controller
The Controller warrants that it has the legal authority to provide the database data to SupaSafe for backup processing. The Controller is responsible for ensuring that any personal data contained in its databases has been collected and is processed in accordance with applicable data protection law, including having an appropriate legal basis for processing. The Controller shall inform SupaSafe without undue delay if it becomes aware of any circumstances that could affect SupaSafe's ability to comply with its obligations under this DPA.
4. Obligations of the Processor
SupaSafe shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case SupaSafe shall inform the Controller of that legal requirement before processing (unless the law prohibits such notification). SupaSafe shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
SupaSafe shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption in transit: All data is transmitted using TLS 1.2 or higher.
Standard encryption at rest: All backup data is encrypted at rest using AES-256 server-side encryption.
Zero-knowledge encryption (where enabled): Hybrid envelope encryption using AES-256-GCM for data encryption and RSA-4096 for key encryption, ensuring that SupaSafe cannot access the contents of encrypted backups.
Access controls: Strict access controls limiting personnel access to systems containing personal data.
Infrastructure security: Use of reputable, security-certified cloud infrastructure providers.
5. Sub-processors
The Controller provides general authorisation for SupaSafe to engage sub-processors for the provision of the Services. SupaSafe's current sub-processors are:
| Sub-processor | Location | Purpose |
|---|---|---|
| Neon, Inc. | United States | Metadata database hosting and authentication |
| Backblaze, Inc. | United States | Encrypted backup data storage |
| Trigger.dev | United States | Backup job scheduling and execution |
| Stripe, Inc. | United States | Payment processing |
| PostHog, Inc. | United States | Anonymous product analytics |
SupaSafe shall inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable data protection grounds, the parties shall discuss the concerns in good faith. If the matter cannot be resolved, the Controller may terminate the affected Services.
SupaSafe shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
6. International Data Transfers
Where personal data is transferred outside the United Kingdom in connection with the Services, SupaSafe shall ensure that appropriate safeguards are in place in accordance with UK data protection law. These may include the UK International Data Transfer Agreement (IDTA), an addendum to the EU Standard Contractual Clauses approved for UK use, or a transfer to a country recognised as providing an adequate level of protection.
SupaSafe shall inform the Controller of any sub-processor transfers outside the UK and the safeguards in place.
7. Assistance with Data Subject Rights
SupaSafe shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under the UK GDPR.
If SupaSafe receives a request from a data subject in relation to the Controller's data, SupaSafe shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by law.
8. Security Incident Notification
SupaSafe shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting the Controller's personal data. The notification shall include the nature of the incident, categories and approximate number of data subjects affected (where possible), likely consequences, and measures taken or proposed to address the incident.
SupaSafe shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
9. Data Protection Impact Assessments
SupaSafe shall provide reasonable assistance to the Controller where a data protection impact assessment is required under Article 35 of the UK GDPR, taking into account the nature of processing and the information available to SupaSafe.
10. Audit Rights
SupaSafe shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable notice, during normal business hours, and in a manner that does not unduly disrupt SupaSafe's operations.
Where SupaSafe holds relevant third-party audit reports or certifications (such as SOC 2 reports from sub-processors), these may be provided to the Controller as an alternative to direct audit where reasonable.
11. Data Deletion and Return
Upon termination of the Services, SupaSafe shall, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller, and delete existing copies unless applicable law requires retention. The Controller has 30 days following termination to request the return of backup data, after which SupaSafe shall permanently delete all backup data.
Where zero-knowledge encryption is enabled, SupaSafe shall delete the encrypted backup data. As SupaSafe does not hold the decryption keys, deletion of the encrypted data renders it permanently irrecoverable.
12. Term and Termination
This DPA shall remain in effect for the duration of the Controller's subscription to SupaSafe and for as long as SupaSafe processes personal data on behalf of the Controller. The obligations of confidentiality and data protection under this DPA shall survive termination.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.