Data Processing Agreement

4.1 Documented instructions

4.1.1 Setorio shall Process Personal Data only on documented instructions from the Customer, including transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which Setorio is subject. The Customer's documented instructions consist of: (a) the Agreement; (b) this DPA; and (c) any subsequent written instructions agreed by the Parties.

4.1.2 Setorio shall promptly inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

4.2 Confidentiality

4.2.1 Setorio shall ensure that any person authorised to Process Personal Data is bound by an appropriate obligation of confidentiality, whether by statute, employment contract or written confidentiality undertaking.

4.3 Security of Processing

4.3.1 Setorio shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures in place at the Effective Date are described in Annex B.

4.3.2 Setorio may update its security measures from time to time, provided the level of security is not materially diminished.

4.4 Sub-processors

4.4.1 The Customer grants Setorio a general written authorisation to engage Sub-processors for the Processing of Personal Data, subject to this Section 4.4.

4.4.2 The Sub-processors engaged at the Effective Date are listed in Annex C.

4.4.3 Setorio shall maintain an up-to-date list of Sub-processors at setor.io/dpa#sub-processors. Setorio shall notify the Customer of any intended changes by updating that list and providing notice through the Service or by email at least thirty (30) days before the change takes effect.

4.4.4 The Customer may object to an intended new Sub-processor on reasonable data protection grounds within fifteen (15) days of notification by giving written notice to dpa@setor.io. If Setorio is unable to make a commercially reasonable change to avoid using the objected-to Sub-processor, the Customer may, as its sole remedy, terminate the Agreement with respect to the affected services by written notice.

4.4.5 Setorio shall enter into a written contract with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Setorio remains fully liable to the Customer for the performance of each Sub-processor's obligations.

4.5 Assistance to the Customer

4.5.1 Taking into account the nature of the Processing, Setorio shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR.

4.5.2 If Setorio receives a request from a Data Subject relating to Personal Data Processed on behalf of the Customer, Setorio shall promptly forward the request to the Customer and shall not respond to the Data Subject directly except to confirm receipt or to direct the Data Subject to the Customer.

4.5.3 Setorio shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the Processing and the information available to Setorio.

4.6 Personal Data Breach notification

4.6.1 Setorio shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data.

4.6.2 The notification shall, to the extent possible at the time, describe: (a) the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) the likely consequences; and (d) the measures taken or proposed to address the breach. Where information is not available at the time of initial notification, Setorio shall provide it in subsequent updates without undue delay.

4.6.3 Setorio's notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgement by Setorio of any fault or liability with respect to the Personal Data Breach.

4.7 Audits

4.7.1 Setorio shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.

4.7.2 Setorio shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to the conditions in Sections 4.7.3 and 4.7.4.

4.7.3 Audits shall be limited to once per calendar year (except where required following a Personal Data Breach or by a Supervisory Authority), conducted on at least sixty (60) days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with Setorio's operations, and subject to confidentiality obligations.

4.7.4 The Customer bears the cost of any audit it requests, except where the audit reveals a material breach of this DPA by Setorio, in which case Setorio bears the reasonable documented costs of the audit.

A.1 Subject matter

Processing of Personal Data necessary for Setorio to provide the Service to the Customer, namely a software-as-a-service platform for client subscription management, billing and a client portal.

A.2 Duration

For the duration of the Agreement, plus the retention periods set out in Section 6 of this DPA.

A.3 Nature and purpose

The nature of the Processing consists of: collection, storage, organisation, retrieval, consultation, transmission, disclosure to authorised recipients, restriction and erasure of Personal Data through the Service. The purpose is to enable the Customer to manage subscriptions, send invoices, communicate with its clients, and operate a branded client portal.

A.4 Types of Personal Data

• Identification data of the Customer's clients and their authorised users: name, email address, business name, profile information.
• Communication and authentication data: login credentials (hashed), authentication tokens, IP address, browser metadata, language preferences.
• Subscription and billing data: subscription plan, billing address, VAT number, invoice history, payment status. Card data itself is processed directly by Stripe and is never stored by Setorio.
• Content uploaded by the Customer or its clients through the portal: project files, comments, messages, requests, and any documents they choose to share.
• Usage data: timestamps of portal access, actions performed, feature usage.

A.5 Categories of Data Subjects

• The Customer's clients (typically businesses or individual professionals).
• Authorised users of the Customer's clients (e.g. team members, contacts, end-users invited to the portal).
• The Customer's own team members and authorised users of the Customer's workspace.

A.6 Frequency of Processing

Continuous, for the duration of the Agreement.

B.1 Encryption

• All Personal Data is encrypted in transit using TLS 1.2 or higher.
• All Personal Data is encrypted at rest using AES-256 (Supabase managed encryption).
• Database backups are encrypted at rest.

B.2 Access control

• Role-based access control with least-privilege principle for all production systems.
• Multi-factor authentication required for all administrative access by Setorio personnel.
• Row-level security (RLS) policies in the application database to enforce workspace-level data isolation.
• All access to production systems is logged and reviewed periodically.

B.3 Network and infrastructure security

• Production hosting on Vercel (EU region) and Supabase (eu-west-2). Both providers are ISO/IEC 27001 certified.
• Web application firewall and DDoS protection at the edge.
• Automated dependency vulnerability scanning.
• Secrets and credentials managed through Vercel environment variables and never committed to source control.

B.4 Application security

• Authentication via Supabase Auth with secure password hashing (bcrypt).
• Session tokens issued via JWT with short expiry and rotation.
• Input validation, output encoding, and parameterised queries to mitigate injection attacks.
• Cross-Site Request Forgery (CSRF) protection on state-changing endpoints.
• Content Security Policy (CSP) headers and other security headers configured at the application level.

B.5 Logging, monitoring and incident response

• Application errors and exceptions captured by Sentry (EU region).
• Product analytics captured by PostHog (EU instance) without Personally Identifiable Information in event properties.
• Automated alerting on anomalies, failed authentication attempts and error spikes.
• Documented incident response procedure including the seventy-two (72) hour breach notification commitment in Section 4.6 of this DPA.

B.6 Backups and resilience

• Automated daily database backups with point-in-time recovery.
• Backups retained for a maximum of thirty (30) days.
• Geographically redundant storage within the EU.

B.7 Personnel

• All personnel with access to Personal Data are bound by written confidentiality obligations that survive termination of their engagement.
• Periodic security and privacy awareness training.

B.8 Data minimisation and retention

• Personal Data is collected only to the extent necessary for the purposes set out in Annex A.
• Personal Data is deleted in accordance with Section 6 of this DPA.