Super Publishing Co.
This Data Processing Agreement (“DPA”) forms part of the agreement between:
(1) Customer (“Controller”)
and
(2) Super Publishing Co., a Delaware corporation, with its principal place of business at [●] (“Processor”)
together the “Parties”.
This DPA applies to the extent Processor processes Personal Data on behalf of Controller when providing the Super.so services.
1. Definitions
Terms used in this DPA shall have the meaning given in Regulation (EU) 2016/679 (“GDPR”).
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data.
- Subprocessor means any third party engaged by Processor to process Personal Data.
- Services means the Super.so website publishing and hosting platform.
2. Roles of the Parties
2.1 Controller is the data controller.
2.2 Processor acts as data processor, processing Personal Data only on behalf of Controller.
Processor does not determine the purposes of processing.
3. Scope of Processing
Processor shall process Personal Data solely to provide the Services.
Processing includes:
- hosting and publishing Customer websites
- storing Customer content and settings
- delivering pages to end users
- providing customer support
- maintaining security and service reliability
4. Details of Processing (Article 28(3))
Details are described in Annex 1.
5. Processor Obligations
Processor shall:
5.1 Instructions
Process Personal Data only on documented instructions from Controller, unless required by law.
5.2 Confidentiality
Ensure all persons authorized to process Personal Data are subject to confidentiality obligations.
5.3 Security Measures
Implement appropriate technical and organizational measures under Article 32 GDPR, including:
- encryption in transit
- access controls
- least privilege policies
- monitoring and incident response
(See Annex 2.)
5.4 Data Subject Requests
Assist Controller, where reasonably possible, in responding to requests under Articles 15–22 GDPR.
5.5 Compliance Support
Assist Controller with:
- security obligations
- DPIAs (Article 35)
- consultations with regulators (Article 36)
to the extent applicable and reasonable.
5.6 Deletion or Return
Upon termination, Processor shall delete or return Personal Data within a reasonable time, unless retention is legally required.
5.7 Demonstrating Compliance
Processor shall make available information necessary to demonstrate compliance with this DPA.
6. Subprocessors
6.1 Controller grants Processor a general authorization to engage Subprocessors necessary to deliver the Services.
6.2 Processor shall:
- impose equivalent data protection obligations on Subprocessors
- remain liable for Subprocessor performance
6.3 Processor shall maintain an up-to-date Subprocessor list available upon request.
7. International Data Transfers
7.1 Processor may transfer Personal Data outside the EEA only where lawful safeguards exist.
7.2 Where required, the Parties agree that the EU Standard Contractual Clauses (SCCs) apply automatically.
7.3 Processor shall ensure supplementary measures where appropriate.
8. Personal Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller data.
Notification shall include:
- nature of the breach
- categories of data affected
- mitigation steps taken
9. Audit Rights
9.1 Controller may audit Processor’s compliance:
- no more than once per year
- upon reasonable notice
- via documentation, SOC2/ISO reports, or third-party audits
9.2 On-site audits only where strictly necessary and subject to confidentiality.
10. Liability
Liability shall follow the limitations in the main service agreement, except where prohibited by GDPR.
11. Governing Law
This DPA shall be governed by the law applicable to the main agreement.
12. Entire Agreement
This DPA forms part of the agreement between the Parties and prevails in case of conflict regarding data protection.
ANNEX 1 — Processing Details
Subject Matter
Provision of Super.so website publishing and hosting services.
Duration
For the term of the Customer subscription.
Categories of Data Subjects
- Customer end users and visitors
- Customer account users
Categories of Personal Data
May include:
- names, emails
- IP addresses, device/browser metadata
- website content provided by Customer
- billing/contact information
Processing Activities
- storage
- hosting
- delivery of web pages
- technical support
- security monitoring
ANNEX 2 — Security Measures (TOMs)
Processor maintains measures such as:
- TLS encryption in transit
- role-based access control
- MFA for internal access
- regular vulnerability patching
- backup and recovery processes
- logging and incident response procedures
ANNEX 3 — Approved Subprocessors (Example)
Typical subprocessors may include:
- Cloud infrastructure providers (AWS, Google Cloud)
- CDN providers (Cloudflare)
- Payment processors (Stripe)
- Customer support tools (Intercom)
Updated list available upon request.
Signature
This DPA becomes effective upon acceptance of the Super.so Terms of Service or execution of the main agreement.