Data processing addendum
Last updated · 1 May 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”, controller) and Samarkand Industries OÜ (“Samarkand”, processor) for the processing of personal data through Estøkad. It implements Article 28 GDPR. Defined terms not given specific meaning here have the meaning ascribed in the Regulation.
1. Subject matter, duration, nature and purpose
Samarkand processes personal data on Customer’s behalf to provide the Estøkad platform — content storage, retrieval, editorial workflow, search, analytics, and ancillary features — for the duration of the subscription plus the 90-day post-termination export window.
2. Categories of data subjects and personal data
Customer determines the categories. Typical examples: Customer’s end-users, employees, contractors, subscribers, leads, and any other natural persons whose data Customer chooses to publish through Estøkad. Data categories: identifiers, contact details, account metadata, content authored, and any further data Customer pushes via the API or Studio.
3. Documented instructions
Samarkand processes personal data only on Customer’s documented instructions, except where EU or Estonian law requires otherwise. Customer’s instructions are: (a) the configuration of the Customer’s workspace in the Studio, (b) the API requests Customer or its authorised users issue, and (c) any additional written instructions Customer provides via legal@samarkandindustries.com.
4. Confidentiality
Samarkand ensures that personnel authorised to process personal data are bound by confidentiality. Access is granted on a need-to-know basis and revoked when the role changes.
5. Security measures (Article 32)
Samarkand implements appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (KMS-managed keys per region).
- Tenant isolation enforced at the database, object-storage, and audit-log layers.
- Append-only audit log with hash chaining and daily Merkle roots.
- Per-country residency for customer content, no cross-region replication.
- Background-checked engineering team, MFA enforced on all production access.
- Quarterly penetration tests, annual third-party audit.
6. Sub-processors
Customer authorises Samarkand to engage the sub-processors listed in the workspace’s sub-processor register (/settings/compliance/sub-processors in the Studio). Samarkand will notify Customer of new sub-processors at least 30 days before they begin processing personal data; Customer may object on reasonable grounds.
7. Data subject rights
Samarkand assists Customer in fulfilling its obligations to respond to data-subject requests. Direct access to data is available through the Studio and the API; for requests we cannot route automatically, contact privacy@samarkandindustries.com.
8. Personal-data breach notification
Samarkand notifies Customer of any personal-data breach affecting Customer’s data without undue delay and in any case within 24 hours of becoming aware. Notifications go to the workspace owner email plus the security@ address on file.
9. International transfers
Customer content stays in the EU region the Customer chose. Where any sub-processor operates outside the EEA, the relevant EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) are in place. The full mapping is in the sub-processor register.
10. Audits
Samarkand makes available the information necessary to demonstrate compliance with this DPA, including the most recent SOC 2 Type II report and annual penetration-test summary, on Customer’s request to legal@samarkandindustries.com. On-site audits are available to Enterprise- and Sovereign-tier customers, on reasonable notice and at the auditor’s expense.
11. Return or deletion
On termination of the subscription, Customer has 90 days to export all personal data via the exit plan. After 90 days, Samarkand deletes the data from production systems; backup rotations purge it within 30 additional days.
12. Liability and law
This DPA is governed by Estonian law. Liability is governed by the Liability section of the Terms of service. The competent court is the Harju County Court.