Data Processing Agreement

Super Publishing Co.

This Data Processing Agreement (“DPA”) forms part of the agreement between:

(1) Customer (“Controller”)

and

(2) Super Publishing Co., a Delaware corporation, with its principal place of business at 8 The Green, Ste B, Dover, Delaware 19901, United States (“Processor”)

together the “Parties”.

This DPA applies to the extent Processor processes Personal Data on behalf of Controller when providing the Super.so services.

1. Definitions

Terms used in this DPA shall have the meaning given in Regulation (EU) 2016/679 (“GDPR”).

• Personal Data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on Personal Data.
• Subprocessor means any third party engaged by Processor to process Personal Data.
• Services means the Super.so website publishing and hosting platform.

2. Roles of the Parties

2.1 Controller acts as the data controller with respect to Personal Data processed in connection with the Customer’s use of the Services.

2.2 Processor acts as a data processor when processing Personal Data on behalf of Controller solely for the purpose of providing the Services and in accordance with Controller’s documented instructions.

2.3 Where Processor processes Personal Data for its own purposes, including but not limited to billing, payment processing, fraud prevention, security monitoring, compliance with legal obligations, service analytics, product improvement, or marketing, Processor acts as an independent data controller in accordance with its Privacy Policy.

3. Scope of Processing

Processor shall process Personal Data solely to provide the Services, except where Processor acts as an independent controller as described in Section 2.3.

Processing includes:

• hosting and publishing Customer websites
• storing Customer content and settings
• delivering pages to end users
• providing customer support
• maintaining security and service reliability

4. Details of Processing (Article 28(3))

Details are described in Annex 1.

5. Processor Obligations

Processor shall:

5.1 Instructions

Process Personal Data only on documented instructions from Controller, unless required by law.

5.2 Confidentiality

Ensure all persons authorized to process Personal Data are subject to confidentiality obligations.

5.3 Security Measures

Implement appropriate technical and organizational measures under Article 32 GDPR, including:

• encryption in transit
• access controls
• least privilege policies
• monitoring and incident response

(See Annex 2.)

5.4 Data Subject Requests

Processor shall assist Controller, to the extent technically feasible and taking into account the nature of the Services, in responding to requests from data subjects under Articles 15–22 GDPR.

Where such assistance requires disproportionate technical effort or manual intervention, Processor may charge reasonable fees reflecting the costs incurred.

5.5 Compliance Support

Assist Controller with:

• security obligations
• DPIAs (Article 35)
• consultations with regulators (Article 36)

to the extent applicable and reasonable.

5.6 Deletion or Return

Upon termination, Processor shall delete or return Personal Data within a reasonable time, unless retention is legally required.

5.7 Demonstrating Compliance

Processor shall make available information necessary to demonstrate compliance with this DPA.

6. Subprocessors

6.1 Controller grants Processor a general authorization to engage Subprocessors necessary to provide the Services.

6.2 Processor shall ensure that Subprocessors are bound by data protection obligations equivalent to those set out in this DPA and shall remain responsible for the performance of its Subprocessors.

6.3 Processor maintains an up-to-date list of Subprocessors available upon request.

6.4 Processor shall provide reasonable advance notice of any material changes to its Subprocessors. Controller may object to such changes on legitimate data protection grounds. Where an objection cannot be resolved, Controller’s sole remedy shall be to terminate the affected Services.

7. International Data Transfers

7.1 Processor may transfer Personal Data outside the European Economic Area only where such transfers are made in compliance with applicable data protection laws.

7.2 Where required, the Parties agree that the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Decision (EU) 2021/914, Module Two (Controller to Processor), are hereby incorporated by reference and shall apply.

7.3 Processor shall implement appropriate supplementary measures where required to ensure an adequate level of data protection.

8. Personal Data Breach Notification

Processor shall notify Controller without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.

Such notification shall include, to the extent available, information regarding the nature of the breach, categories of data affected, and mitigation measures taken.

9. Audit Rights

9.1 Controller may audit Processor’s compliance with this DPA no more than once per calendar year and upon reasonable prior written notice.

9.2 Audits shall be conducted in a manner that does not unreasonably disrupt Processor’s operations, compromise the security of other customers’ data, or require access to source code or confidential technical information.

9.3 Processor may satisfy audit requests through the provision of third-party certifications, audit reports, or other documentation.

9.4 Controller shall bear all costs associated with any audit.

10. Liability

The total liability of either party under this DPA shall be subject to the limitations of liability set forth in the main Terms of Service, except for liability which cannot be limited under applicable data protection laws.

11. Governing Law

This DPA shall be governed by the law applicable to the main agreement.

12. Entire Agreement

This DPA forms part of the agreement between the Parties and prevails in case of conflict regarding data protection.

ANNEX 1 — Processing Details

Subject Matter

The provision of the Super.so website publishing and hosting platform, which allows Controllers to transform Notion pages into live websites.

Duration of Processing

The term of the subscription plus the period until all Personal Data is deleted from Processor’s systems in accordance with the DPA.

Nature and Purpose of Processing

• Hosting and delivery of website content to end-users.
• Providing technical support and troubleshooting.
• Maintaining the security and performance of the platform.
• Managing Customer accounts and billing.

Categories of Data Subjects

• Authorized Users: Employees, contractors, or agents of the Controller who use the Super.so dashboard.
• End-Users: Visitors to the websites published and hosted by the Controller via the Services.

Categories of Personal Data

• Account Data: Name, email address, and billing information.
• Technical Data: IP addresses, browser type, device information, and access logs.
• Content Data: Any Personal Data contained within the Notion pages or custom code provided by the Controller for publishing.

The Services are not intended to process special categories of personal data under Article 9 GDPR or personal data relating to criminal convictions under Article 10 GDPR.

ANNEX 2 — Security Measures (TOMs)

Confidentiality and Access

• All staff are bound by confidentiality agreements.
• Access to internal systems is restricted via Multi-Factor Authentication (MFA) and based on the principle of least privilege.

Encryption

• In Transit: All data is encrypted using TLS 1.2 or higher.
• At Rest: Sensitive data and backups are encrypted using industry-standard AES-256 encryption.

Infrastructure Security

• Services are hosted on secure cloud platforms (AWS/Vercel) with 24/7 physical security, biometric controls, and compliance certifications (e.g., SOC2).

Availability and Resilience

• Regular automated backups are performed and stored in redundant locations.
• Globally distributed infrastructure (CDN) ensures high availability and protection against local failures.

Data Integrity and Change Management

• Use of version control and isolated testing environments to ensure that platform changes do not compromise data security.
• Regular monitoring for vulnerabilities in third-party libraries and dependencies.

Incident Response

• Maintenance of internal procedures to detect, respond to, and remediate security breaches.
• Notification of affected Controllers without undue delay in accordance with the DPA.

ANNEX 3 — Approved Subprocessors (Example)

Infrastructure, Hosting & Security

• Amazon Web Services, Inc. — cloud infrastructure and data storage — USA / Global
• Vercel Inc. — hosting, edge compute, and content delivery — USA / Global
• Cloudflare, Inc. — CDN, DNS, and security services — USA / Global

Content & Source Data

• Notion Labs, Inc. — content storage and source data platform — USA

Payments & Billing

• Stripe, Inc. — payment processing and billing — USA
• PayPal, Inc. — payment processing — USA
• Intuit Inc. — accounting, invoicing, and tax compliance — USA

Domains & DNS Management

• Name.com — domain registration and DNS management — USA

Customer Support, Communications & Reporting

• Intercom, Inc. — customer support and messaging — USA
• SendGrid — transactional email delivery — USA
• Tally BV — customer feedback and survey data collection — EU
• Google LLC — internal documentation and internal operational data processing — USA
• Atlassian (Jira) — issue tracking and incident management — USA / Global
• Userback Pty Ltd — internal bug reporting — Australia

Analytics & Monitoring

• Baremetrics, Inc. — subscription and revenue analytics — USA
• Fathom Analytics — privacy-focused website analytics — Canada

Automation & Integrations

• Zapier, Inc. — workflow automation and data integration — USA

Error Tracking & Reliability

• Sentry — application error monitoring and diagnostics — USA

Professional Services

• INIZIO Internet Media s.r.o. — technical and operational support services — Czech Republic

Subprocessor Updates

Processor shall notify Controller of any material changes to this list in accordance with Section 6 of the DPA.

Signature

This DPA becomes effective upon acceptance of the Super.so Terms of Service or execution of the main agreement.