Plain-English summary
This addendum is for customers in the EU, UK, or any jurisdiction where data-protection law treats Svmmon as a processor of personal data on your behalf. It states how we handle that data, who we share it with, where it goes, and what happens if something goes wrong. Most individual creators do not need to sign anything separate — this published page is the standing agreement. Agencies and businesses that require a signed copy can email support@svmmonapp.com.
1. Definitions
"Customer" means the natural or legal person who has agreed to the Svmmon Terms of Service. "Personal Data" has the meaning given in Article 4(1) GDPR. "Processor" means Svmmon when processing Personal Data on the Customer's behalf. "Sub-processor" means a third party engaged by Svmmon that processes Personal Data — the live list is at /subprocessors.
2. Roles
The Customer is the Controller of the Personal Data they upload, generate, or otherwise route through Svmmon. Svmmon is the Processor. For the limited operational data Svmmon collects directly from the Customer (account email, billing data, security logs), Svmmon is the Controller — its use is governed by the Privacy Policy, not this addendum.
3. Subject matter & duration
Subject matter: provision of the Svmmon SaaS service. Duration: the term of the Terms of Service. Categories of data subjects: the Customer, the Customer's end-users, and any third parties whose data the Customer chooses to put into the system (e.g. a handle scraped from a public social-media page for research). Categories of Personal Data: account credentials, billing data, social-media handles, content created by or about the Customer, usage logs, IP addresses.
4. Processing instructions
Svmmon processes Personal Data only on documented instructions from the Customer — primarily the actions the Customer takes inside the product (uploading, generating, scheduling, deleting). Svmmon will not process Personal Data for any other purpose without separate written authorization.
5. Confidentiality & personnel
Svmmon ensures that personnel with access to Personal Data are under enforceable confidentiality obligations and have been trained on the data-handling requirements of this addendum.
6. Security measures
Svmmon implements appropriate technical and organizational measures: TLS 1.2+ in transit, AES-256 at rest, row-level security in the database, least-privilege access for engineers, quarterly review of vendor and access lists, encrypted backups, and structured incident response. These measures are documented in our Privacy Policy.
7. Sub-processors
The Customer authorizes Svmmon to engage Sub-processors listed at /subprocessors. Svmmon will give at least 30 days' notice of any new Sub-processor (via the /subprocessors page changelog plus an email notice to billing-account email addresses) and the Customer has the right to object on legitimate grounds. Svmmon imposes data-protection terms on every Sub-processor at least as protective as those in this addendum.
8. International transfers
Svmmon is established in the United States. Personal Data is transferred from the EU/EEA, UK, and Switzerland to the US under the EU Standard Contractual Clauses (SCCs, 2021/914 Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA. Where a Sub-processor is in a third country, the same SCCs apply onward.
9. Data subject requests
Svmmon will help the Customer respond to access, rectification, erasure, restriction, portability, and objection requests from data subjects. Most of these can be served by the Customer directly via the in-product Settings > Privacy controls (export, delete). Where Svmmon receives a request directly from a data subject of the Customer, Svmmon will forward it without responding.
10. Personal data breach
Svmmon will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Customer's data. The notice will describe the nature of the breach, categories and approximate numbers of data subjects, the likely consequences, and the measures taken or proposed to address it.
11. Audit
Svmmon will respond to the Customer's reasonable audit requests and make available the information reasonably necessary to demonstrate compliance with this addendum, including a description of the technical and organizational security measures in place and any relevant Sub-processor documentation Svmmon has available. The Customer may request an on-site audit no more than once every 12 months, on 30 days' notice, subject to reasonable confidentiality and security restrictions.
12. Deletion or return
On termination of the Terms of Service, the Customer can export all data from Settings > Privacy. After 30 days from termination, Svmmon will delete all Personal Data from production systems and from backups within 90 days, unless legally required to retain (e.g. tax records under our Privacy Policy).
This 30-day-plus-90-day window is the post-contract-termination deletion timeline that applies to a business Customer's account data when the Terms of Service end. It is distinct from an individual's account-deletion request, which is governed by the Privacy Policy (soft-deleted for 7 days, then purged, with residual backup copies removed within 90 days).
13. Order of precedence
In case of conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls with respect to processing of Personal Data of EU, UK, or Swiss data subjects. In case of conflict between this DPA and the SCCs / UK Addendum, the SCCs / UK Addendum control.
14. Governing law
This DPA is governed by the laws of the State of Florida, USA, except where mandatory provisions of EU, UK, or Swiss data-protection law apply. EU consumer protection law overrides this choice-of-law clause for EU consumer contracts.
Contact
Data protection enquiries: support@svmmonapp.com