The Legal Stuff
SmartSuite Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the SmartSuite customer agreement (the “Agreement”) between SmartSuite Holdings, Inc. (“SmartSuite” or “Processor”) and the customer identified in the Agreement (“Customer” or “Controller”), and applies to the extent SmartSuite processes Personal Data on Customer’s behalf in connection with the Services.
If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.
1. Definitions
- “Personal Data” has the meaning given in applicable Data Protection Laws.
- “Processing” (and “Process”) has the meaning given in applicable Data Protection Laws.
- “Data Protection Laws” means applicable laws and regulations relating to privacy and data protection, including (where applicable) the EU GDPR, UK GDPR, and Swiss data protection law.
- “Personal Data Breach” has the meaning given in the EU GDPR (and equivalent meanings under other Data Protection Laws).
- “Subprocessor” means a third party authorized by SmartSuite to Process Personal Data on Customer’s behalf.
Other capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
2. Roles of the Parties
2.1 Controller and Processor
Customer is the Controller of Personal Data and SmartSuite is the Processor to the extent SmartSuite Processes Personal Data on Customer’s behalf.
2.2 Customer Instructions
SmartSuite will Process Personal Data only:
- to provide, secure, maintain, and support the Services,
- in accordance with the Agreement, this DPA, and documented instructions provided through Customer’s configuration and use of the Services,
- and as required by applicable law.
3. Details of Processing
The subject matter, duration, nature and purpose of Processing, and the categories of Personal Data and data subjects are described in "Annex 1".
4. SmartSuite Personnel
SmartSuite will ensure that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations.
5. Security Measures
5.1 Technical and Organizational Measures
SmartSuite will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure.
5.2 Security Information
A summary of SmartSuite’s security measures is described in "Annex 2" and may be supplemented by SmartSuite’s Trust Center and security documentation.
6. Subprocessing
6.1 Authorization
Customer provides a general authorization for SmartSuite to engage Subprocessors.
6.2 Subprocessor Obligations
SmartSuite will:
- enter into a written agreement with each Subprocessor that imposes data protection obligations substantially similar to those in this DPA, and
- remain responsible for the Subprocessor’s performance of its data protection obligations.
6.3 Subprocessor List and Updates
SmartSuite maintains a list of Subprocessors at the location identified in "Annex 3". SmartSuite may update the list from time to time.
6.4 Objections
If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer may notify SmartSuite in writing within thirty (30) days after the Subprocessor list is updated. The parties will work in good faith to address the objection, which may include (where commercially reasonable) providing an alternative or allowing Customer to terminate the affected Services by written notice with a pro-rated refund of prepaid unused fees for the terminated portion (if any), as Customer’s sole and exclusive remedy.
7. International Data Transfers
7.1 Transfers
To the extent SmartSuite transfers Personal Data from the EEA, UK, or Switzerland to a country that does not provide an adequate level of protection, the parties agree that such transfers will be subject to appropriate safeguards.
7.2 Standard Contractual Clauses
Where applicable, the parties incorporate by reference:
- the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), and
- the UK International Data Transfer Addendum (or other applicable UK transfer mechanism),
as applicable to the transfer.
The Annexes to this DPA will serve as the annexes to those clauses, as applicable.
8. Assistance with Data Subject Requests
Taking into account the nature of Processing, SmartSuite will provide reasonable assistance to Customer to help Customer respond to requests from data subjects to exercise rights under Data Protection Laws, to the extent Customer cannot fulfill the request through the Services.
9. Personal Data Breach Notification
9.1 Notification
SmartSuite will notify Customer without undue delay after confirming a Personal Data Breach affecting Personal Data Processed under this DPA and, in any event, no later than seventy-two (72) hours after such confirmation.
9.2 Information and Cooperation
SmartSuite will provide information reasonably necessary for Customer to comply with applicable breach notification obligations and will use commercially reasonable efforts to investigate, mitigate, and keep Customer reasonably informed of material developments.
10. Deletion and Return
Upon expiration or termination of the Services, SmartSuite will make Customer Data (including Personal Data) available for export during the retrieval period set forth in the Agreement/Documentation (default: 30 days, unless otherwise specified).
After the retrieval period, SmartSuite will delete or de-identify Personal Data within a commercially reasonable time, except to the extent required for legal compliance or retained in backups for a limited period.
11. Audits and Compliance Information
11.1 Documentation
Upon Customer’s written request, SmartSuite will make available reasonable information necessary to demonstrate compliance with this DPA, which may include third-party audit reports, summaries, and security documentation.
11.2 Onsite Audits
Where required by Data Protection Laws and not otherwise satisfied by documentation and third-party reports, Customer may conduct an onsite audit no more than once per year, subject to:
- reasonable advance notice;
- scope limited to Personal Data Processing systems relevant to Customer;
- SmartSuite’s reasonable security and confidentiality requirements; and
- reimbursement of SmartSuite’s reasonable costs.
12. Liability
Liability under this DPA is subject to the limitations of liability set forth in the Agreement, except as prohibited by applicable law.
13. Miscellaneous
13.1 Order of Precedence
This DPA controls in the event of conflict with the Agreement regarding Processing of Personal Data.
13.2 Changes
SmartSuite may update this DPA from time to time. If an update materially reduces Customer’s rights, SmartSuite will not apply it to Customer during the then-current subscription term unless required for legal compliance.
13.3 Governing Law
This DPA will be governed by the governing law specified in the Agreement, unless Data Protection Laws require otherwise for SCC purposes.
Annex 1 — Details of Processing
- Subject matter: Provision of the Services, including hosting, storage, processing, support, and related functionality.
- Duration: For the term of the Agreement plus any retention period described in the Agreement/Documentation.
- Nature and purpose: Hosting and processing Customer Data to provide the Services; account administration; support; security; performance of the Agreement.
- Categories of data subjects: Customer employees, contractors, clients, vendors, or other individuals whose Personal Data is included in Customer Data.
- Categories of Personal Data: As determined by Customer and Users, which may include (depending on use): name, contact details, identifiers, user account data, and any other Personal Data submitted to the Services.
- Special categories of data: Not intended unless expressly agreed in writing (e.g., via addendum such as a BAA where applicable).
- Processing operations: Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure (as instructed), transmission, and deletion.
Annex 2 — Technical and Organizational Measures (Summary)
SmartSuite maintains a security program designed to protect Customer Data. Measures may include, as appropriate:
- Encryption in transit (e.g., TLS) and encryption at rest (e.g., AES-256);
- Logical access controls and least-privilege principles;
- Monitoring and logging;
- Backups and recovery procedures, including encrypted backups stored in separate secure locations;
- Change management and vulnerability management practices.
(Additional details may be available via SmartSuite’s Trust Center and security documentation.)
Annex 3 — Subprocessors
SmartSuite maintains a list of Subprocessors (including core infrastructure and support providers) at:
SmartSuite’s Trust Center is available at: