
Data Processing Agreement

Last updated: April 5, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Sairin Technology (“Processor”, “we”, “us”), operating the Sheetora service at sheetora.app, and the entity or individual agreeing to these terms (“Controller”, “Customer”, “you”). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Sheetora service.

1. Definitions

  • Controller means the entity that determines the purposes and means of the processing of Personal Data (the Customer).
  • Processor means the entity that processes Personal Data on behalf of the Controller (Sairin Technology).
  • Data Subject means an identified or identifiable natural person whose Personal Data is processed.
  • Personal Data means any information relating to a Data Subject that can be used to directly or indirectly identify that person.
  • Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • Sub-processor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • Applicable Data Protection Law means all laws and regulations relating to data protection and privacy applicable to the processing of Personal Data, including the GDPR, UK GDPR, and CCPA as applicable.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by Sairin Technology on behalf of the Customer in connection with the provision of the Sheetora SaaS analytics platform. The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service and in accordance with the Controller's documented instructions.

3. Data Processing Details

3.1 Types of Personal Data

  • Account information: Email address, display name, profile photo, and authentication credentials.
  • Uploaded spreadsheet data: Any personal data contained within CSV and Excel files uploaded by the Customer for analysis. The nature of this data is determined entirely by the Controller.
  • Usage data: Queries run, dashboards viewed, features used, session duration, IP address, browser type, and device information.
  • Billing data: Billing email, payment token, card last-four digits, expiry date, and country (processed via LemonSqueezy as Merchant of Record).

3.2 Categories of Data Subjects

  • Customer's employees and authorised users of the Service
  • End users whose personal data may be contained within files uploaded by the Customer

3.3 Purpose of Processing

Personal Data is processed solely to provide the Sheetora SaaS analytics service, including: data ingestion and storage, dashboard generation, insight analysis, report creation, user authentication, billing, transactional communications, and service improvement.

3.4 Duration of Processing

Processing shall continue for the duration of the Customer's use of the Service and for such additional period as required to fulfil obligations under this DPA and applicable law.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational security measures as described in Section 5.
  • Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

5. Security Measures

The Processor implements and maintains the following technical and organisational measures to protect Personal Data:

  • Encryption in transit: All data transmitted between users and the Service is encrypted using TLS (HTTPS).
  • Encryption at rest: Stored credentials and sensitive tokens are encrypted using AES-256-GCM.
  • Password security: User passwords are hashed using bcrypt with appropriate cost factors.
  • Access control: Row-level security (RLS) policies enforce data isolation between workspaces and users. Role-based access control (RBAC) restricts administrative functions.
  • CSRF protection: Cross-site request forgery protections are implemented on all state-changing operations.
  • Audit logging: Administrative actions and security events are logged for monitoring and accountability.
  • Rate limiting: API endpoints are protected against abuse through rate limiting.
  • Multi-factor authentication: MFA support is available for user accounts to provide an additional layer of security.
  • Webhook verification: Inbound webhooks are verified using HMAC signatures.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage the following Sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | US / EU |
| Vercel | Application hosting, CDN, and serverless compute | US / Global edge |
| LemonSqueezy | Payment processing (Merchant of Record) | US |
| Resend | Transactional email delivery | US |
| Sentry | Error tracking and performance monitoring | US |
| PostHog | Product analytics (with user consent) | US / EU |
| Upstash | Rate limiting and job queue infrastructure | US |

The Processor shall notify the Controller of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance, giving the Controller the opportunity to object. If the Controller reasonably objects on data protection grounds, the Processor shall make reasonable efforts to provide an alternative or the Controller may terminate the affected Service.

7. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including the United States and the European Union. Where such transfers occur, the Processor shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Addenda with Sub-processors that include equivalent protections
  • Reliance on adequacy decisions where the destination country has been recognised as providing adequate data protection

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

If the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required by applicable law.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller's Personal Data. The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

10. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits, including inspections, upon reasonable notice. The Processor shall cooperate with such audits and provide access to relevant documentation, systems, and facilities.

Audits shall be conducted during normal business hours, with reasonable advance notice (at least 30 days), and no more than once per year unless required by a supervisory authority or in response to a Data Breach.

11. Term and Termination

This DPA shall be effective for the duration of the Service agreement between the Controller and the Processor. Upon termination or expiry of the Service agreement:

  • The Processor shall, at the Controller's election, delete or return all Personal Data within 30 days of account deletion, except where retention is required by applicable law.
  • Billing and payment records may be retained as required by applicable tax and accounting regulations (typically 7 years).
  • Audit logs are retained for 90 days for security purposes and then deleted.

12. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law where such limitation is not permitted.

13. Contact

For questions about this Data Processing Agreement or to exercise rights under this DPA, contact us:

  • Email: dpa@sheetora.app
  • Company: Sairin Technology — sairintechnology.com

© 2026 Sairin Technology. All rights reserved. Sheetora is a product of Sairin Technology.