Data Processing Addendum
Our GDPR Article 28 contract for business customers. Last updated 30 April 2026.
Last updated: 29 April 2026
Parties
This Data Processing Addendum (the “DPA”) is entered into between:
- Hojt Communication AB, a Swedish private limited company, organisation number 559017-1459, of Höjeågatan 243, 23433 Lomma, Sweden (“Processor”, “Adamiro”, “we”); and
- the Customer identified in the relevant order form, account registration, or click-through acceptance flow (“Controller”, “Customer”, “you”).
It forms an integral part of, and is governed by, the Adamiro Terms of Service (the “Agreement”). It applies whenever Adamiro processes Customer Personal Data on Customer’s behalf in connection with the Service.
By accepting the Agreement, the Customer enters into this DPA on its own behalf and, to the extent required by Data Protection Laws, on behalf of its Authorised Affiliates.
1. Definitions
Capitalised terms not defined here have the meaning given in the Agreement or in the GDPR.
- “Customer Personal Data” means Personal Data that Customer or its end users submit to or generate through the Service, and that identifies or relates to identifiable natural persons.
- “Data Protection Laws” means the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Swedish Supplementary Data Protection Act (lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning), the ePrivacy directive as implemented in member-state law, and any other applicable privacy laws.
- “Personal Data Breach” has the meaning given in GDPR Art. 4(12).
- “Sub-processor” means a third party engaged by the Processor to process Customer Personal Data on the Processor’s behalf.
- “SCCs” means the standard contractual clauses approved by the European Commission in Decision 2021/914.
2. Subject matter, duration, nature, and purpose
| Item | Description |
|---|---|
| Subject matter | Provision of the Adamiro Service to Customer under the Agreement, including the orchestration of AI workflows, advisory sessions, intelligence reports, content generation, B2B matching, outreach, and related features. |
| Duration | For the term of the Agreement, plus any post-termination period required for return or deletion of data per Section 12 below. |
| Nature | Hosting, storing, transmitting, processing, retrieving, displaying, anonymising, copying, and deleting Customer Personal Data as needed to provide the Service. |
| Purpose | To deliver the Service to Customer in accordance with Customer’s documented instructions (the Agreement, this DPA, and configuration choices Customer makes in-product). |
The categories of data subjects and types of personal data are set out in Annex 1.
3. Roles and instructions
3.1 Roles. Customer is the Controller; Adamiro is the Processor. Where Adamiro engages Sub-processors, those Sub-processors act as sub-processors under Customer’s authority granted under section 7.
3.2 Documented instructions. Adamiro will process Customer Personal Data only on Customer’s documented instructions, which consist of:
(a) the Agreement (including this DPA and the Privacy Policy); (b) Customer’s configuration choices in the Service; (c) any subsequent written instructions Customer gives, provided they are consistent with the Service’s documented capabilities; and (d) instructions Adamiro is required to follow under EU or member-state law, in which case Adamiro will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.3 Notice if instructions infringe. Adamiro will inform Customer without undue delay if, in its opinion, an instruction infringes Data Protection Laws.
4. Personnel and confidentiality
Adamiro ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations of comparable scope to those in the Agreement and have received appropriate training on data protection.
Access to Customer Personal Data is limited to personnel who need it for the purpose described in section 2.
5. Security (Art. 32)
Adamiro implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The current measures are described in Annex 3. Adamiro may update the measures from time to time, provided the updated measures are not materially less protective.
6. Personal data breaches
6.1 Notification. Adamiro will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.
6.2 Content of notification. The notification will include, to the extent then known:
(a) the nature of the breach, including categories and approximate numbers of data subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and (d) a contact point for further information.
Where information is not yet available, Adamiro will provide it in phases as the investigation progresses.
6.3 Cooperation. Adamiro will reasonably cooperate with Customer’s own breach-handling and notification obligations under Data Protection Laws (including, where applicable, GDPR Art. 33-34).
6.4 No admission. A breach notification under this section is not an acknowledgement by Adamiro of fault or liability.
7. Sub-processors
7.1 General authorisation. Customer grants Adamiro a general authorisation to engage the Sub-processors listed in Annex 2 and to add or replace Sub-processors subject to the conditions below.
7.2 Notice of changes. Adamiro will publish updates to Annex 2 (and the corresponding table in the Privacy Policy) and notify Customer of material changes (new Sub-processor categories, new countries of processing) at least 30 days in advance, by email or in-app notice.
7.3 Right to object. Customer may object to a new Sub-processor on documented data-protection grounds within 30 days of notice. The parties will discuss the objection in good faith. If it cannot be resolved within a further 30 days, either party may terminate the affected portion of the Service with a pro-rata refund of pre-paid fees.
7.4 Flow-down. Adamiro contracts with each Sub-processor on terms that include data-protection obligations no less protective than this DPA’s relevant provisions, in particular relating to Art. 32 security, breach notification, and Art. 28(3) processor obligations.
7.5 Liability. Adamiro remains liable to Customer for the performance of each Sub-processor as if Adamiro itself had performed.
8. International transfers
8.1 EU/EEA default. Customer Personal Data is processed in the EU/EEA where reasonably possible.
8.2 Transfers outside the EU/EEA. Where Customer Personal Data is transferred to a country outside the EU/EEA that is not the subject of an adequacy decision, the parties rely on the Standard Contractual Clauses (Module 2: Controller-to-Processor) approved in EU Commission Decision 2021/914, with the relevant docking clause for onward transfers to Sub-processors (Module 3 between Adamiro and the Sub-processor).
8.3 Supplementary measures. Adamiro applies supplementary measures where required by the EDPB recommendations, including encryption in transit and at rest, access logging, and contractual restrictions on government access requests beyond what is strictly required by applicable law.
8.4 Annex. The transfer details required by the SCCs (parties, description of transfer, categories of data, and competent supervisory authority) are set out in Annex 4.
9. Assistance with data subject rights
Adamiro will, taking into account the nature of the processing, implement appropriate technical and organisational measures to assist Customer in fulfilling Customer’s obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
If Adamiro receives a request directly from a data subject relating to Customer Personal Data, Adamiro will not respond to it (other than to acknowledge receipt and direct the requester to Customer) and will forward it to Customer without undue delay.
10. DPIA and prior consultation (Art. 35-36)
Adamiro will provide Customer with reasonable assistance, taking into account the nature of the processing and the information available to Adamiro, with:
(a) data protection impact assessments under GDPR Art. 35; and (b) any prior consultation with the supervisory authority under GDPR Art. 36.
11. Audits (Art. 28(3)(h))
11.1 Information. Adamiro will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including:
(a) the most recent third-party audit reports or certifications held by Adamiro or its Sub-processors (such as ISO 27001, SOC 2 Type II) where available; (b) responses to a reasonable security questionnaire, no more than once per 12 months, except after a Personal Data Breach.
11.2 On-site audit. Where the information in section 11.1 is insufficient to demonstrate compliance, Customer may, on at least 30 days’ written notice, conduct an on-site audit no more than once every 12 months. Audits must:
(a) be conducted during business hours and in a manner that does not unreasonably disrupt Adamiro’s operations; (b) be subject to confidentiality obligations no less strict than the Agreement; (c) not extend to data of other Adamiro customers; (d) be carried out by Customer or by an independent qualified auditor chosen by Customer that is not a competitor of Adamiro.
Customer bears its own costs and reimburses Adamiro’s reasonable costs of supporting the audit.
11.3 Supervisory authority. Nothing in this section limits a supervisory authority’s audit powers under Data Protection Laws.
12. Return or deletion on termination
12.1 On termination of the Agreement or, if earlier, on Customer’s written request, Adamiro will, at Customer’s option:
(a) return all Customer Personal Data in a structured, commonly used machine-readable format (the Service offers JSON exports); or (b) delete all Customer Personal Data, including from backups in accordance with Adamiro’s documented backup-rotation period.
12.2 Exceptions. Adamiro may retain Customer Personal Data to the extent required by EU or member-state law (including Swedish accounting law for invoicing data), in which case Adamiro will continue to protect it under this DPA and limit further processing to that purpose.
12.3 Anonymisation. Anonymised Service-improvement data captured under the Privacy Policy section 3.4 (once that pipeline ships) is not Customer Personal Data and is not subject to return or deletion under this section. Customer may opt out and request retroactive removal as described in the Privacy Policy.
13. Liability
The parties’ liability under or in connection with this DPA is subject to the limitations and exclusions in section 15 (Limitation of liability) of the Agreement, taken as a whole and not separately for each agreement or instrument.
14. Order of precedence
In the event of a conflict between this DPA, the Agreement, and any other document forming part of the contractual relationship, the order of precedence is:
- The Standard Contractual Clauses (where they apply).
- This DPA.
- The Agreement (Terms of Service).
- The Privacy Policy.
- Any other order form or written agreement, unless that document expressly states it overrides specific provisions of this DPA.
15. Governing law and jurisdiction
This DPA is governed by the substantive laws of Sweden and is subject to the dispute-resolution provisions of section 18 of the Agreement.
Annex 1 — Description of processing
A. Categories of data subjects
| Category | Examples |
|---|---|
| Customer’s personnel | Account owners, seat-level users, administrators |
| Customer’s contacts | Prospects fed into Match; recipients of Outreach Automation; people referenced in advisory sessions, Mentor documents, or The Tank boardroom transcripts |
| Customer’s end users | Where Customer uses the Service to process data about its own end users (e.g. uploading a CRM export) |
B. Categories of Customer Personal Data
| Category | Examples |
|---|---|
| Identification data | Name, email, phone, job title, employer, public profile URLs |
| Contact data | Postal address, organisational affiliation |
| Account-and-usage data | Login history, run history, Task consumption tied to a seat |
| Free-text content | Anything Customer or its users type into prompts, documents uploaded for Mentor RAG, transcripts of Mentor / The Tank sessions, Voice / Catalyst outputs, Match target lists, Outreach Automation drafts and recipients |
| Inferred data | Match scores, signal classifications, content recommendations |
| Special-category data (Art. 9) | Not requested by the Service. Customer must avoid submitting Art. 9 data unless it has a lawful basis under Art. 9(2) and notifies Adamiro in writing first; Adamiro is not configured to process such data and offers no enhanced safeguards beyond those in Annex 3. |
| Children’s data | Not requested. Customer must not submit data of children under 18. |
C. Frequency
Continuous, for as long as Customer uses the Service.
D. Nature of processing
See section 2 of this DPA.
E. Purpose
See section 2 of this DPA. Adamiro will not process Customer Personal Data for its own purposes except to the extent permitted by the Agreement (including the anonymised improvement use described in the Privacy Policy section 3.4).
F. Duration
For the duration of the Agreement, plus any wind-down period under section 12.
Annex 2 — Sub-processors
This list must match the table in Privacy Policy section 9 at all times. The current list as of the version date of this DPA is:
| Sub-processor | Role | Country of processing | Transfer mechanism |
|---|---|---|---|
| OpenAI Ireland Ltd. | LLM inference for various modules | Ireland (with potential US transfer) | EU SCCs |
| Anthropic Ireland Ltd. | LLM inference (Claude) | Ireland (with potential US transfer) | EU SCCs |
| Google Ireland Ltd. | Gemini LLM inference; Google Workspace for our internal email/files | Ireland / EU (with potential US transfer) | EU SCCs |
| Stripe Payments Europe Ltd. | Payment processing, invoicing | Ireland (with potential US transfer) | EU SCCs |
| n8n GmbH (n8n Cloud) | Workflow orchestration | Germany | Within EU/EEA |
| Hojt Communication AB hosting (FTP / WordPress) | Hosting of adamiro.com and staging | Sweden | Within EU/EEA |
| Qdrant Solutions GmbH (Qdrant Cloud) | RAG and persona memory for Mentor and The Tank | Germany (Frankfurt region) | Within EU/EEA — no transfer required |
| Mailjet SAS (a Sinch company) | Transactional email | France (data centres in Belgium and Germany) | Within EU/EEA — no transfer required |
| CookieYes | Cookie consent management (banner, consent log) | EU/EEA + India | EU SCCs |
Open items before publishing:
- Confirm Annex 2 still matches the equivalent table in the Privacy Policy section 9 at the time of the next sub-processor change.
- If/when an analytics tool is added (Plausible, Matomo, GA4 etc.), add it as a row here with country and transfer mechanism, and mirror the change in the Privacy Policy.
Annex 3 — Technical and organisational measures
The measures below describe Adamiro’s standing security posture. They form part of this DPA. Adamiro may update them, provided updates are not materially less protective.
1. Pseudonymisation and encryption
- TLS 1.2+ in transit on all customer-facing endpoints.
- At-rest encryption for production databases and backups (AES-256 or provider-managed equivalent).
- Vector-store collections encrypted at rest where the provider supports it.
- Secrets (API keys, database credentials, Stripe / OpenAI / Anthropic keys) stored in a secrets manager, never in source code.
- Where the model-training pipeline is enabled (Privacy Policy section 3.4), pseudonymisation is applied at capture and there are no foreign keys back to user identities.
2. Confidentiality, integrity, availability, resilience (Art. 32(1)(b))
- Confidentiality — least-privilege role-based access; named admin accounts; multi-factor authentication required for production access; staff confidentiality undertakings.
- Integrity — application-level input validation; SQL parameter binding; staging-to-production deploy pipeline with manual verification before production deploy (per DEVELOPMENT_PIPELINE.md); change control via Git with code review.
- Availability — daily database backups retained for 30 days; monitoring on production endpoints; defined recovery procedures.
- Resilience — backup restore drills annually; hosting diversification across primary provider and Stripe/n8n cloud.
3. Restoration of availability (Art. 32(1)(c))
- Documented disaster-recovery runbook.
- Backups stored separately from production. Recovery point objective (RPO): 24 hours. Recovery time objective (RTO): 24 hours for the database tier; 72 hours for full Service restoration including configuration and integrations. Targets reviewed annually.
4. Process for testing and evaluating effectiveness (Art. 32(1)(d))
- Code review on every production change.
- Dependency monitoring with automated alerts on critical CVEs.
- Periodic security review of the codebase, including the regular /security-review pass.
- Biannual external security review or penetration test (target cadence — not yet achieved; tracked in the internal security backlog, see honesty note below).
5. Access control
- Authentication. Customer-side: passwords stored as Argon2 / bcrypt hashes; MFA available; password complexity enforced. Internal: SSO with mandatory MFA for production access.
- Authorisation. Role-based access control inside the Service; separation of duties between developer, deploy, and admin roles.
- Logging. Login, privileged action, and data-export events are logged and retained for at least 12 months.
6. Network and physical security
- Production hosted on a Swedish shared-hosting account operated by Hojt Communication AB (LiteSpeed-based PHP/MySQL host located in Sweden). Staging on the same provider under a separate account.
- No on-premise customer-data storage at offices.
- Office systems require disk encryption and screen lock.
7. Personnel security
- Confidentiality obligations in employment / contractor agreements.
- Access provisioning on a need-to-know basis.
- Off-boarding checklist removes production access within one business day.
- Security and privacy training on hire and annually thereafter.
8. Incident management
- Incident response runbook including breach-notification flow under GDPR Art. 33.
- Designated incident-response contact: security@adamiro.com.
- Post-incident review and corrective-action tracking.
9. Sub-processor management
- Written contracts including GDPR Art. 28 and Art. 32 obligations.
- Annual review of sub-processor security posture (third-party audits, certifications).
- Sub-processor list maintained in Annex 2.
10. Vulnerability disclosure
- Good-faith vulnerability disclosure programme at security@adamiro.com.
- No legal action against researchers acting in good faith.
Honesty note. Several measures above are commitments to a target cadence we have not yet achieved (biannual external pentests, formal ISO 27001 certification, third-party SOC 2 audit). They are listed because they are the standing commitment going forward; concrete delivery dates are tracked in the internal security backlog at docs/PROJECT_BACKLOG.md. RPO/RTO targets have been formalised in section 3 above.
Annex 4 — Standard Contractual Clauses transfer details
Where the SCCs apply, the following details fill in the SCC annexes.
Module 2 (Controller-to-Processor)
| Item | Value |
|---|---|
| Data exporter | Customer (the Controller). Identification details: as set out in the order form / account registration. Activities: as set out in the Agreement. Role: Controller. |
| Data importer | Hojt Communication AB, organisation number 559017-1459, Höjeågatan 243, 23433 Lomma, Sweden. Activities: as set out in section 2 of this DPA. Role: Processor. |
| Categories of data subjects | As set out in Annex 1 part A. |
| Categories of personal data | As set out in Annex 1 part B. |
| Sensitive data | None requested or expected. Special-category data may be transferred only where Customer notifies Adamiro and confirms a lawful basis; the same security measures apply. |
| Frequency of transfer | Continuous. |
| Nature of processing | As set out in section 2 of this DPA. |
| Purpose of processing | As set out in section 2 of this DPA. |
| Retention period | As set out in the Privacy Policy section 3.2. |
| Sub-processor transfers | The Sub-processors listed in Annex 2 may receive Customer Personal Data subject to Module 3 SCCs concluded between Adamiro and each Sub-processor. |
| Competent supervisory authority | Integritetsskyddsmyndigheten (IMY), Sweden. |
| Governing law of the SCCs | The law of Sweden. |
| Forum for SCC disputes | The courts of Sweden. |
Technical and organisational measures
As set out in Annex 3.
Change log
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-04-29 | Initial draft (pending Swedish counsel review). |