Skip to main content

Legal

Data Processing Addendum

Last updated: May 27, 2026. Version 1.0.0

Plain English summary

  • This DPA applies to Enterprise customers and is signed individually as part of the Enterprise contract.
  • It establishes Sovyren as a data processor under GDPR Article 28.
  • Non-enterprise customers are covered by our standard Privacy Policy.
  • Contact contact@sovyren.com to request a signed DPA.

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Enterprise subscription agreement between the customer ("Controller") and Sovyren ("Processor"). Terms not defined here have the meanings given in the main agreement or in the EU General Data Protection Regulation (GDPR).

1. Scope and roles

The Controller determines the purpose and means of processing. The Processor processes personal data on behalf of the Controller solely to provide TableWork. The subject matter, nature, purpose, type of personal data, and categories of data subjects are as described in Schedule A of this DPA.

2. Processor obligations

The Processor shall: process personal data only on documented instructions from the Controller; ensure that persons authorized to process personal data are bound by confidentiality; implement appropriate technical and organizational security measures per Article 32 GDPR; assist the Controller with data subject rights requests; assist with security breach notifications; delete or return all personal data at the end of services; and provide all information necessary to demonstrate compliance.

3. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors as listed at /legal/sub-processors. The Processor provides 30 days' advance notice before adding or replacing a sub-processor. The Controller may object to a new sub-processor by terminating the affected processing within the notice period.

4. International transfers

Where personal data is transferred outside the EU/EEA, the Processor implements appropriate safeguards including Standard Contractual Clauses as approved by the European Commission.

5. Security

Technical and organizational measures include: encryption of data in transit (TLS) and at rest (AES-256-GCM for sensitive fields); access controls including multi-factor authentication; row-level security on all database tables; regular backup procedures with restore testing; incident response procedures with 72-hour breach notification to the Controller.

6. Contact

To request a signed DPA: contact@sovyren.com
Sovyren, Naperville, IL, United States