Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement (“DPA”) supplements the SMBs.com Terms of Service and applies to the extent that SMBs.com (the “Processor”) processes Personal Data on behalf of a customer (the “Controller”) subject to GDPR, UK GDPR, or other applicable data-protection laws.

1. Definitions

Terms used in this DPA have the meaning given in GDPR Article 4 unless otherwise defined. “Personal Data” means data that SMBs.com Processes on behalf of Controller, excluding (i) data SMBs.com is itself the Controller of (e.g., your account email), and (ii) data that is Controller's own end-user / customer information uploaded to the Service. The bulk SMB directory data displayed in the Service is data for which SMBs.com is a joint or independent Controller, not a Processor.

2. Scope + roles

SMBs.com Processes Personal Data only on documented instructions from Controller (typically: the operation of features as configured in Controller’s account). Each party is responsible for its own compliance with applicable law in respect of its own role.

3. Confidentiality

SMBs.com ensures that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations (employment contract, NDA, or equivalent).

4. Sub-processors

Controller authorizes SMBs.com to engage sub-processors. The current list:

  • Vercel Inc. — hosting (US)
  • Neon (Databricks) — managed Postgres (US East)
  • Twilio SendGrid — transactional + marketing email (US)
  • Stripe Inc. — payment processing (US)

SMBs.com will notify Controller of any new sub-processor at least 30 days before that sub-processor begins Processing Personal Data, by updating the sub-processor list and emailing Controller’s account contact. Controller may object on reasonable data-protection grounds; if the parties cannot agree within 30 days, Controller’s sole remedy is termination.

5. Security measures

SMBs.com implements appropriate technical and organizational measures including:

  • encryption in transit (TLS 1.2+) and at rest
  • access controls (role-based, principle of least privilege)
  • secret management (passwords / API keys hashed or vaulted)
  • vulnerability management and timely patching
  • logging + monitoring for unauthorized access
  • regular backups (Neon point-in-time recovery)
  • employee training on data protection

6. Personal Data breach notification

SMBs.com will notify Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach, providing reasonable information to enable Controller to meet its own notification obligations.

7. Assistance to Controller

SMBs.com will, taking into account the nature of Processing and the information available, provide reasonable assistance to Controller in fulfilling its obligations under GDPR Articles 32–36 (security, DPIAs, prior consultation) and in responding to data-subject requests under Articles 12–23.

8. Audits

Controller may, upon at least 30 days’ written notice and not more than once per 12-month period (except after a Personal Data Breach), request an audit. SMBs.com may satisfy this obligation by providing relevant third-party certifications (e.g., its sub-processors’ SOC 2 reports) and answering reasonable written questions.

9. Cross-border transfers

For transfers of EU/UK/Swiss Personal Data to the United States, the parties incorporate the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum by reference. SMBs.com will rely on supplementary measures (encryption in transit and at rest, access controls) to ensure an essentially equivalent level of protection.

10. Return + deletion

On termination of the Services, SMBs.com will, at Controller’s option, return or delete Personal Data Processed on Controller’s behalf, except where storage is required by applicable law (in which case SMBs.com will continue to protect such data in accordance with this DPA).

11. Liability

The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law.

12. Conflicts

In case of conflict between this DPA and the Terms, this DPA prevails with respect to the Processing of Personal Data subject to GDPR or analogous laws. In case of conflict between this DPA and the SCCs / UK Addendum, the SCCs / UK Addendum prevail.

13. Accepting this DPA

This DPA is automatically incorporated into your Terms of Service. If your organization requires a counter-signed copy, email dpo@smbs.com with company name, billing address, and signatory contact — we’ll send a counter-signed copy within 5 business days.