Data Processing Addendum

Where Alpha Exotic Tech LLC processes personal data on behalf of a customer, the customer is the controller (or, where the customer is itself a processor for its clients, the processor) and Alpha Exotic Tech LLC is the processor(or sub-processor). We process personal data only on the customer’s documented instructions, which include the customer’s use of the service and this DPA. The DPA forms part of the agreement between you and us.

The DPA commits us to, among other things:

• process personal data only on your documented instructions, including for international transfers, unless required by law to do otherwise;
• ensure personnel authorized to process personal data are bound by confidentiality;
• implement appropriate technical and organizational security measures (Annex 2 below and our Security page);
• engage sub-processors only under written terms and a general authorization with a right to object (section 4);
• assist you, taking into account the nature of processing, with data-subject requests and with your obligations for security, breach notification, and data-protection impact assessments;
• delete or return personal data at the end of the services, except where storage is required by law;
• make available the information needed to demonstrate compliance and allow for and contribute to audits.

The processing we carry out on your behalf is described as follows:

You provide a general authorization for us to engage the sub-processors listed on our Sub-processors page, each under a written agreement imposing data-protection obligations no less protective than this DPA. We remain responsible for our sub-processors’ performance. We will notify customers with a DPA of any intended addition or replacement of a sub-processor with reasonable advance notice, giving you the opportunity to object on reasonable data-protection grounds.

We maintain an incident-response process and will notify you without undue delay after becoming aware of a personal-data breach affecting the personal data we process for you, with the information you reasonably need to meet your own notification obligations (including, where applicable, the 72-hour authority-notification timeline under the GDPR).

We implement and maintain the following measures (GDPR Article 32), described more fully on our Security page:

• PostgreSQL row-level security enforcing per-tenant isolation by agency
• an AES-256-GCM encrypted token vault under KMS-managed keys, storing OAuth tokens and never platform passwords
• encryption in transit (TLS 1.2+ with HSTS) and at rest
• role-based access control, least-privilege access, and a separate MFA-protected operator surface
• an append-only audit log keyed by tenant and correlation ID
• RFC 9700 OAuth (PKCE, short-lived tokens, refresh rotation), input validation, and SSRF / IDOR / CSRF defenses
• upload scanning and metadata (EXIF/GPS) stripping on media

To cover transfers of EU/UK personal data outside the European Economic Area or the United Kingdom — including to our sub-processors — the DPA incorporates the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supported by a transfer-impact assessment where required, and relies on the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework where applicable. See the international-transfers section of our Privacy Policy for more.

On termination of the services, we will, at your choice, delete or return the personal data we process on your behalf and delete existing copies, except where storage is required by law. Our deletion practices are described on our Data Deletion page.

For customers subject to the CCPA/CPRA, the DPA includes the required service-provider terms: we process personal information only for the business purposes you specify and to perform the services, we do not sell or share it, we do not retain, use, or disclose it outside the direct business relationship or for any purpose other than the services, and we do not combine it with personal information from other sources except as permitted by law. We certify that we understand and will comply with these restrictions.

Business and EU/UK customers who need a counter-signed DPA can request one by emailing legal@skedcast.com from an account administrator, including your account/organization name and your signing contact. We will provide our current DPA — incorporating the SCCs and the sub-processor list — for signature.