SigSlayer Enterprise Addendum
(Data Processing Addendum + EU Standard Contractual Clauses)
Effective Date: 2025-12-22
Last Updated: 2025-12-14
This Enterprise Addendum (“Addendum”) forms part of the SigSlayer Terms of Service (“Agreement”) between SigSlayer, a sole proprietorship (enskild firma) established in Sweden (“SigSlayer,” “Processor,” or “Data Importer”), and the customer entity accepting the Agreement (“Customer,” “Controller,” or “Data Exporter”).
This Addendum applies only to the extent SigSlayer processes Personal Data on behalf of Customer.
In the event of a conflict, this Addendum governs solely with respect to data protection and privacy matters.
PART A — DATA PROCESSING ADDENDUM (DPA)
1. Definitions
- “Applicable Data Protection Laws” means GDPR, UK GDPR, and any implementing national laws.
- “Personal Data” has the meaning set forth in GDPR Article 4.
- “Processing” has the meaning set forth in GDPR Article 4.
- “Subprocessor” means any third party engaged by SigSlayer to process Personal Data.
2. Roles of the Parties
- Customer acts as Data Controller
- SigSlayer acts as Data Processor
SigSlayer processes Personal Data only on documented instructions from Customer, including use of the Service.
3. Subject Matter and Duration of Processing
Subject Matter:
Processing of Personal Data contained in security questionnaires, documents, and related materials uploaded to the Service.
Duration:
For the term of the Agreement and any applicable retention periods.
4. Nature and Purpose of Processing
Processing activities include:
- Collection
- Storage
- Structuring
- Analysis
- AI-assisted transformation and generation
- Retrieval and export
The purpose of processing is the provision, operation, and improvement of the SigSlayer Service.
5. Categories of Data Subjects
Customer determines the data subjects, which may include:
- Employees
- Contractors
- Customers
- Vendors
- Other individuals referenced in Customer documentation
6. Types of Personal Data
May include (as determined by Customer):
- Names
- Business contact details
- Job titles and roles
- System access and responsibility descriptions
- Identifiers included in security documentation
SigSlayer does not require or encourage the submission of special category data, but may process it if Customer uploads such data.
7. Customer Obligations
Customer represents and warrants that it:
- Has a lawful basis for processing and disclosing Personal Data
- Has provided all required notices to data subjects
- Will not provide unlawful or non-compliant instructions
- Is responsible for the accuracy, quality, and legality of Personal Data
8. SigSlayer Obligations
SigSlayer shall:
- Process Personal Data only as necessary to provide the Service
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational safeguards
- Not sell Personal Data
- Not use Customer Personal Data to train shared or public AI models
9. Security Measures
SigSlayer implements safeguards aligned with SOC 2 principles, including:
- Logical access controls
- Authentication and authorization mechanisms
- Encryption in transit and at rest (where applicable)
- Logical tenant isolation
- Monitoring and logging
- Incident response procedures
Additional security information may be provided upon request.
10. Subprocessors
Customer authorizes SigSlayer to engage Subprocessors.
SigSlayer shall:
- Impose data protection obligations on Subprocessors
- Remain responsible for Subprocessor performance
- Maintain a current list of Subprocessors at /legal/subprocessors
11. Assistance with Data Subject Requests
SigSlayer shall reasonably assist Customer in responding to data subject requests, taking into account the nature of the processing.
Requests must be submitted via support channels.
12. Personal Data Breach
SigSlayer shall:
- Notify Customer without undue delay after becoming aware of a Personal Data Breach
- Provide reasonable information to support compliance obligations
- Take steps to mitigate the effects of the breach
13. Deletion or Return of Data
Upon termination of the Agreement:
- Customer Content will be deleted in accordance with SigSlayer’s retention practices
- Backup retention follows standard security procedures
- No obligation exists to retain data unless required by law
14. Audits
Customer may request reasonable information to verify compliance.
SigSlayer may satisfy audit requests through:
- SOC 2 reports
- Written security summaries
- Third-party attestations
On-site audits require mutual written agreement.
15. Liability
Liability arising under this Addendum is subject to the limitations set forth in the Agreement.
PART B — EU STANDARD CONTRACTUAL CLAUSES (SCCs)
16. Applicability
The EU Standard Contractual Clauses apply only to the extent Customer transfers Personal Data subject to GDPR to SigSlayer outside the EU/EEA.
17. Incorporation of SCCs
The parties agree that:
- Module Two (Controller → Processor) applies
- Customer is the Data Exporter
- SigSlayer is the Data Importer
The SCCs are incorporated by reference as adopted by the European Commission under Decision (EU) 2021/914.
18. SCC Annexes
Annex I — Parties
- Data Exporter: Customer
- Data Importer: SigSlayer (Sweden)
Annex II — Technical and Organizational Measures
- Access controls
- Encryption
- Tenant isolation
- Monitoring and logging
- Incident response
- Vendor risk management
Annex III — Subprocessors
- As listed at /legal/subprocessors
19. Conflict
In the event of a conflict between this Addendum and the SCCs, the SCCs prevail solely with respect to international data transfers.
PART C — GENERAL
20. Order of Precedence
- EU Standard Contractual Clauses
- This Enterprise Addendum
- Terms of Service
21. Governing Law
This Addendum is governed by the laws of Sweden, except where the SCCs require otherwise.
22. Acceptance
This Addendum is deemed accepted upon Customer’s acceptance of the Terms of Service or execution of an Order Form.
Contact
SigSlayer
Sweden
Email: legal@sigslayer.com