Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Smoke ("Data Processor") and the customer ("Data Controller") and governs the processing of personal data under applicable data protection law, including the GDPR.
1. Definitions
"Personal Data", "Data Subject", "Processing" and "Supervisory Authority" have the meanings given in the GDPR.
2. Scope and nature of processing
Smoke processes personal data solely to provide the services described in the Terms of Service and on documented instructions from the Data Controller.
3. Data Controller obligations
The Data Controller represents that it has a lawful basis for processing personal data and that it has provided all required notices to Data Subjects.
4. Data Processor obligations
Smoke will:
- Process personal data only on the Data Controller's documented instructions.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR).
- Assist the Data Controller in responding to Data Subject requests.
- Delete or return personal data upon termination, at the Data Controller's choice.
- Make available all information necessary to demonstrate compliance.
5. Sub-processors
Smoke uses the following sub-processors. The Data Controller hereby provides general authorisation for these sub-processors:
| Sub-processor | Vendor | Purpose | Location |
|---|---|---|---|
| Google Analytics | Google LLC | Aggregate product usage & traffic | EU / EEA |
| Sentry | Functional Software | Error & crash monitoring | EU / EEA |
| Cloudflare | Cloudflare Inc. | Security, CDN & bot protection | EU / EEA |
| Stripe | Stripe Inc. | Payment processing & fraud checks | EU / EEA |
Smoke will notify the Data Controller of any intended changes to sub-processors and give the Data Controller the opportunity to object.
6. International transfers
Where personal data is transferred outside the EEA, Smoke relies on Standard Contractual Clauses or equivalent safeguards approved by the competent supervisory authority.
7. Data breaches
Smoke will notify the Data Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach likely to result in a risk to the rights and freedoms of natural persons.
8. Governing law
This DPA is governed by the laws of the jurisdiction stated in the Terms of Service.
9. Contact
Questions regarding this DPA can be sent to privacy@smoke.com.