
Data Processing Agreement

Effective: 07 May 2026
Document: SG-LEGAL-005
Standards: GDPR Art. 28 · UK · Swiss · CCPA
Processor: SOLGREEN OÜ
Contents
  1. Background and Order of Precedence
  2. Definitions
  3. Roles and Scope of Processing
  4. SOLGREEN Obligations as Processor
  5. Customer Obligations as Controller
  6. Sub-processors
  7. International Data Transfers
  8. Personal Data Breach Notification
  9. Liability
  10. Term and Termination
  11. General
  12. Annex 1 — Description of Processing
  13. Annex 2 — Technical and Organizational Measures
  14. Annex 3 — Sub-processors
  15. Signature Page

Data Processing Agreement

Between: SOLGREEN OÜ ("SOLGREEN" or "Processor"), a private limited company incorporated in the Republic of Estonia (registry code 16360195) with registered office at Tartu mnt 67/1-13b, 10115 Tallinn, Estonia;

and: [Customer Legal Name] ("Customer" or "Controller").

(Each a "Party" and together the "Parties".)

Effective Date: The date of the last signature below, or, if earlier, the effective date of the underlying services agreement.

1. Background and Order of Precedence

Plain English: This DPA sits underneath the main Statement of Work and Terms of Service. Where this DPA conflicts with the Terms on data protection, this DPA wins.

1.1 The Parties have entered, or will enter, into one or more Statements of Work or other engagement documents (the "Principal Agreement") under which SOLGREEN provides services to Customer (the "Services").

1.2 In performing the Services, SOLGREEN may process Personal Data on behalf of Customer. This Data Processing Agreement ("DPA") sets out the Parties' obligations with respect to that Personal Data.

1.3 In the event of any conflict or inconsistency between the terms of this DPA and the Principal Agreement, this DPA prevails with respect to its subject matter. Capitalized terms not defined in this DPA have the meanings given to them in the Principal Agreement or in Applicable Data Protection Law.

2. Definitions

Plain English: Standard data-protection vocabulary.

In this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the United Kingdom GDPR and the Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus); (e) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); and (f) any other applicable data protection laws.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Categories of Personal Data", "Sensitive Personal Information", and "Sub-processor" have the meanings given to them under Applicable Data Protection Law.
  • "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs (Version B1.0) issued by the UK ICO under section 119A of the Data Protection Act 2018.
  • "Swiss Addendum" means the supplementary clauses recognized by the Swiss FDPIC for transfers under the FADP.
  • "Customer Personal Data" means Personal Data Processed by SOLGREEN on behalf of Customer in performance of the Services.
  • "Restricted Transfer" means a transfer of Customer Personal Data from a jurisdiction where the transfer is restricted absent a Chapter V GDPR (or equivalent) safeguard.

3. Roles and Scope of Processing

Plain English: For data we process on your behalf, you're the Controller and we're the Processor. The full description of what we process is in Annex 1.

3.1 With respect to Customer Personal Data Processed under this DPA, Customer is the Controller and SOLGREEN is the Processor. Where Customer is itself a processor for an upstream controller, SOLGREEN acts as a sub-processor and the obligations in this DPA flow through accordingly.

3.2 The subject matter, duration, nature, and purpose of the Processing, the categories of Data Subjects, and the categories of Customer Personal Data are set out in Annex 1 (Description of Processing).

3.3 SOLGREEN will Process Customer Personal Data only on documented instructions from Customer (including those set out in the Principal Agreement, this DPA, or otherwise documented in writing). If SOLGREEN believes an instruction infringes Applicable Data Protection Law, it will inform Customer (unless prohibited by law).

4. SOLGREEN Obligations as Processor

Plain English: We process your data only on your instructions, keep it confidential, secure it, help you respond to data-subject requests, tell you about breaches, and cooperate with audits.

SOLGREEN will:

4.1 Process only on instructions. Process Customer Personal Data only as set out in this DPA or otherwise documented in writing by Customer.

4.2 Confidentiality. Ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under a statutory obligation of confidentiality, and have received appropriate data protection training.

4.3 Security measures. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as set out in Annex 2 (Technical and Organizational Measures), in compliance with Article 32 GDPR.

4.4 Sub-processors. Comply with the conditions in Section 6.

4.5 Assistance with data-subject rights. Take appropriate measures, insofar as possible, to assist Customer in fulfilling Customer's obligations under Articles 12–22 GDPR. Where SOLGREEN receives a request directly from a Data Subject relating to Customer Personal Data, SOLGREEN will (a) not respond substantively (other than to confirm receipt and direct the Data Subject to Customer where appropriate), and (b) forward the request to Customer without undue delay.

4.6 Assistance with controller obligations. Assist Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of Processing and information available.

4.7 Return or deletion. At Customer's choice, return or delete all Customer Personal Data after the end of the Services, unless Applicable Data Protection Law requires storage. Backups subject to standard rotation will be deleted in the ordinary course (typically within 90 days), and during that period remain subject to confidentiality and security obligations.

4.8 Records and audits. Make available to Customer all information necessary to demonstrate compliance, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable prior notice (at least 30 days), no more than once per twelve-month period (except where required by a regulator or following a Personal Data Breach), under reasonable confidentiality obligations, and at Customer's expense (unless the audit reveals material non-compliance).

4.9 No selling, sharing, or retention beyond purpose (CCPA/CPRA service-provider/contractor certification). SOLGREEN will not (a) sell or share Customer Personal Data within the meaning of CCPA/CPRA; (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by Applicable Data Protection Law; or (c) combine Customer Personal Data with personal information that SOLGREEN receives from or on behalf of any other person, except where permitted by CCPA/CPRA. SOLGREEN certifies that it understands and will comply with these CCPA/CPRA "service provider" / "contractor" obligations.

4.10 AI-related restrictions. SOLGREEN will not (a) use Customer Personal Data to train, retrain, or fine-tune any AI/ML model except as expressly authorized by Customer in writing for the relevant engagement; (b) submit Customer Personal Data to any AI vendor that does not contractually commit to refrain from training on inputs/outputs, except with Customer's prior written consent; (c) deploy AI systems that produce decisions with legal or similarly significant effects on individuals without human oversight, in accordance with GDPR Article 22 and EU AI Act Articles 5, 25, and 50.

5. Customer Obligations as Controller

Plain English: You confirm you have a lawful basis for the data you ask us to process, and you've given the appropriate notices to your end-users.

Customer will:

5.1 Comply with Applicable Data Protection Law in its capacity as Controller, including by establishing a valid lawful basis, providing required notices to Data Subjects, and obtaining required consents.

5.2 Provide complete and accurate documented instructions to SOLGREEN.

5.3 Ensure that the Personal Data provided to SOLGREEN was lawfully collected and that the disclosure to SOLGREEN is lawful.

5.4 Refrain from instructing SOLGREEN to Process Personal Data in a manner that would cause SOLGREEN to violate Applicable Data Protection Law.

6. Sub-processors

Plain English: We use four standing Sub-processors (Railway, Cloudflare, Resend, GitHub). Engagement-specific ones (e.g., AI vendors) are named in the SOW. The list is at solgreen.ee/subprocessors. You can subscribe to be notified 30 days before any change; if you object on data-protection grounds, we'll work it out or you can terminate the affected SOW.

6.1 General authorization. Customer grants SOLGREEN general authorization to engage Sub-processors for the Processing of Customer Personal Data, subject to the conditions in this Section.

6.2 Public list. SOLGREEN maintains and keeps current a public list of Sub-processors at https://solgreen.ee/subprocessors, including for each: name, purpose, country of processing, transfer mechanism, and DPA reference.

6.3 Notice of changes. SOLGREEN will provide at least thirty (30) days' notice of any addition or replacement of a Sub-processor that will Process Customer Personal Data, by updating the public list and (if Customer has subscribed) by email.

6.4 Right to object. Customer may, on reasonable data-protection grounds, object to a new Sub-processor by notifying SOLGREEN in writing within fifteen (15) days of the notice. The Parties will discuss the objection in good faith. If unresolved within thirty (30) days, Customer may terminate the affected SOW without penalty (other than for Services already performed).

6.5 Flow-through obligations. SOLGREEN will impose on each Sub-processor data-protection obligations no less protective than those in this DPA. SOLGREEN remains liable to Customer for the acts and omissions of its Sub-processors as if performed by SOLGREEN itself.

7. International Data Transfers

Plain English: When data leaves your home jurisdiction to come to us in Estonia (or to one of our Sub-processors in the US), we use the EU SCCs (Module Two or Three), the UK Addendum, or the Swiss Addendum.

7.1 Restricted Transfers. To the extent that the Processing constitutes a Restricted Transfer, the relevant transfer mechanism in this Section applies.

7.2 EU SCCs (Module 2 — Controller to Processor). Where Customer is a Controller of Personal Data subject to the GDPR and SOLGREEN acts as Processor, the EU SCCs (Module 2) are incorporated by reference, with:

  • Clause 7 (Docking): Optional clause is included.
  • Clause 9 (Sub-processor authorization): Option 2 (general authorization), 30 days' notice (per Section 6).
  • Clause 11 (Redress): The optional independent dispute resolution body is not included.
  • Clause 17 (Governing law): The law of the Republic of Estonia.
  • Clause 18 (Forum and jurisdiction): The courts of Estonia (Harju Maakohus).
  • Annex I.A (Parties): Customer is data exporter; SOLGREEN is data importer. Contact details on the signature page.
  • Annex I.B (Description of transfer): As set out in Annex 1.
  • Annex I.C (Competent supervisory authority): Andmekaitse Inspektsioon (AKI) where SOLGREEN's establishment is the relevant point, or otherwise per Clause 13.
  • Annex II (Technical and organizational measures): As set out in Annex 2.
  • Annex III (List of Sub-processors): As maintained at https://solgreen.ee/subprocessors.

7.3 EU SCCs (Module 3 — Processor to Processor). Where Customer is a Processor on behalf of an upstream Controller and SOLGREEN acts as a Sub-processor, EU SCCs Module 3 applies on the same basis, mutatis mutandis.

7.4 UK Transfers — UK Addendum. For Restricted Transfers from the UK, the UK Addendum is incorporated by reference. Table 1 (Parties) and Table 3 (Appendix Information) are completed using the EU SCCs annexes above. Table 2 selects the EU SCCs as the approved EU SCCs.

7.5 Swiss Transfers — Swiss Addendum. For Restricted Transfers from Switzerland, the Swiss Addendum is incorporated, with the FDPIC as competent supervisory authority, references to GDPR construed as references to the FADP, and the courts of Switzerland as the forum where required by Swiss law.

7.6 Onward Transfers from Estonia. For onward transfers from SOLGREEN in Estonia to Sub-processors outside the EEA (currently: Railway, Cloudflare, Resend, and GitHub, all in the United States), SOLGREEN flows the same EU SCCs / UK Addendum / Swiss Addendum mechanism through to the Sub-processor.

7.7 Transfer Impact Assessments. SOLGREEN has conducted, and will keep under review, Transfer Impact Assessments for the United States as a destination jurisdiction (covering Railway, Cloudflare, Resend, GitHub) and for any engagement-specific sub-processor jurisdictions. A summary is available to Customer on request under reasonable confidentiality terms.

7.8 Supplementary measures. In addition to the contractual mechanisms above, SOLGREEN applies the supplementary measures in Annex 2.

8. Personal Data Breach Notification

Plain English: Within 24 hours of confirming a breach we notify you with what we know.

8.1 SOLGREEN will notify Customer without undue delay, and in any event within twenty-four (24) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

8.2 The notification will include, to the extent reasonably available at the time:

  • Description of the nature of the Breach
  • Likely consequences
  • Measures taken or proposed to address it
  • Contact details for the SOLGREEN incident coordinator

8.3 SOLGREEN will provide a post-incident report within fourteen (14) days, including root-cause analysis, remediation, and updates as new information emerges.

8.4 SOLGREEN will reasonably cooperate with Customer's investigation and notification obligations to supervisory authorities (including AKI), Data Subjects, and other affected parties.

8.5 Notification under this Section is not, in itself, an acknowledgement of fault or liability.

9. Liability

Plain English: Liability flows from the Principal Agreement's liability provisions. Where the SCCs apply on their own terms, those govern that piece of liability.

9.1 The liability of each Party under this DPA is subject to the exclusions and limitations in the Principal Agreement, save that nothing in this DPA or the Principal Agreement excludes or limits either Party's liability where prohibited by Applicable Data Protection Law.

9.2 Where the EU SCCs (or the UK Addendum or Swiss Addendum) apply on their own terms, the liability provisions in those clauses govern as between Data Subjects and the Parties; the Parties' inter se allocation remains subject to Section 9.1.

10. Term and Termination

10.1 This DPA takes effect on the Effective Date and continues until SOLGREEN has ceased Processing Customer Personal Data and has returned or deleted the same in accordance with Section 4.7.

10.2 Sections that by their nature should survive termination (Sections 4.2, 4.7, 8, 9, and 11) survive termination.

11. General

11.1 Notices. Notices must be in writing and sent to: (a) for SOLGREEN — legal@solgreen.ee, with a copy to the postal address above; (b) for Customer — the email and postal address listed on the signature page.

11.2 Governing law. Subject to Section 7 (which incorporates the SCCs governed by the law of Ireland or Estonia as applicable), this DPA is governed by Estonian law.

11.3 Severability. If any provision is held invalid, the remaining provisions remain in effect.

11.4 Amendments. This DPA may be amended only by a written instrument signed by both Parties, except that SOLGREEN may unilaterally update the Sub-processor list and Annex 2 in accordance with Sections 6 and 4.3.

11.5 Counterparts; electronic signature. This DPA may be executed in counterparts, including by electronic signature.

Annex 1 — Description of Processing

(A) Subject matter: SOLGREEN's Processing of Customer Personal Data in performance of the Services described in the applicable Statement of Work.

(B) Duration: For the duration of the SOW and any retention period set out in Section 4.7 or the Principal Agreement.

(C) Nature and purpose: Provision of software development and AI automation services, which may include (depending on the SOW): web platforms and mobile applications, AI automation workflows and autonomous agents, operator consoles, RAG systems, design systems, APIs, and strategy / discovery work.

(D) Categories of Data Subjects:

  • Customer's end-users and website visitors
  • Customer's employees who interact with SOLGREEN in the engagement
  • Customer's prospective customers and leads
  • Other, as specified in the SOW

(E) Categories of Personal Data:

  • Identifiers (name, email, IP address, device ID)
  • Internet/network activity (pages viewed, click-stream data)
  • Commercial information (purchase history if shared)
  • Professional information (job title, company, role)
  • Inferences (audience-segment assignments, where AI-driven segmentation is part of the deliverable)
  • Other, as specified in the SOW

(F) Special Categories / Sensitive Personal Information: None expected. Customer will not provide Special Categories of Personal Data or Sensitive Personal Information without prior written agreement and additional safeguards.

(G) Frequency of transfer: Continuous during the term of the Services.

(H) Retention: As set out in Section 4.7 of this DPA, the Principal Agreement, and Customer's documented instructions.

Annex 2 — Technical and Organizational Measures

SOLGREEN implements the following measures, in compliance with Article 32 GDPR. SOLGREEN may update these measures provided that the updated measures provide a level of security at least equivalent to those below.

Pseudonymization and Encryption

  • Personal Data encrypted in transit (TLS 1.2+ with strong cipher suites)
  • Personal Data encrypted at rest (AES-256 or equivalent)
  • Key management via reputable cloud KMS with role-based access
  • Pseudonymization where appropriate

Confidentiality

  • Need-to-know access; role-based access controls (RBAC)
  • Multi-factor authentication on all administrative accounts and accounts with access to Personal Data
  • Time-bounded access for engagement-specific work; access revoked at engagement end
  • Workspace and document-level segregation between client engagements
  • Confidentiality and data-protection clauses in all employment and contractor agreements

Integrity

  • Tamper-evident audit logs of access to Personal Data
  • Monthly access-log reviews and engagement close-out audits
  • Change-management controls on production systems

Availability

  • Documented business-continuity and disaster-recovery procedures
  • Encrypted backups with defined retention and rotation
  • Sub-processor selection includes uptime SLAs and SOC 2 Type II / ISO 27001 (or equivalent)

Resilience

  • Incident-response plan with defined roles and notification timelines
  • Annual tabletop exercises
  • Vulnerability management with timely patching of high- and critical-severity vulnerabilities

Personnel Measures

  • Mandatory privacy and security training upon onboarding and annually
  • Documented joiner / mover / leaver process
  • Background checks where permitted by law

Vendor Management

  • Sub-processor due diligence (security questionnaire, certifications, DPA, transfer-mechanism review)
  • Contractual obligations no less protective than those in this DPA
  • Quarterly review of Sub-processor list

AI / Machine-Learning Specific Measures

  • AI vendors selected to commit not to train, retrain, or fine-tune models on Customer Personal Data
  • Where technically not feasible, prior written Customer consent required
  • Logging of AI-tool usage and data flows
  • Alignment with EU AI Act Articles 5 (prohibited practices), 25 (value-chain responsibilities), 50 (transparency)
  • Human-in-the-loop on AI outputs prior to delivery

Annex 3 — Sub-processors

The list of Sub-processors authorized as of the Effective Date is maintained at https://solgreen.ee/subprocessors and is incorporated by reference into this DPA. As of 2026-05-07 the standing list is:

Sub-processor               Purpose                    Country
Railway Corp.               Application hosting        United States
Cloudflare, Inc.            DNS, CDN, edge security    United States (global edge)
Resend, Inc.                Transactional email        United States
GitHub, Inc. (Microsoft)    Source-code repository     United States

Engagement-specific Sub-processors (e.g., AI vendors) are named in the relevant SOW and added to the public list while the engagement is active.

Signature Page

For SOLGREEN OÜ:
Signature: ____________
Name:
Title:
Date:
Email for legal notices: legal@solgreen.ee
Postal: Tartu mnt 67/1-13b, 10115 Tallinn, Estonia

For [Customer Legal Name]:
Signature: ____________
Name:
Title:
Date:
Email for legal notices:
Postal: