Data Processing Addendum
Last updated: June 2026
This Data Processing Addendum (the "DPA") forms part of the agreement between you (the "Customer") and SGEN (the "Processor") and governs SGEN's processing of personal data on the Customer's behalf when the Customer uses the platform.
Parties and roles
When the Customer builds a site on SGEN and a visitor submits a form, responds to a consent banner, or checks out through a store, SGEN processes personal data on the Customer's behalf. As between the parties, the Customer is the Controller and SGEN is the Processor.
Where the Customer is an agency or otherwise processes personal data on behalf of its own clients, the Customer acts as a Processor and SGEN acts as a Sub-processor. The Customer warrants that it has authority and instructions from its clients to engage SGEN on these terms. The multi-site dashboard does not change these roles; it is the surface through which the Customer instructs SGEN.
- Document: SGEN Data Processing Addendum
- Processor: [PLACEHOLDER legal entity name] of [PLACEHOLDER registered address], [PLACEHOLDER jurisdiction of incorporation]
- Effective date: [PLACEHOLDER date]
- Version: [PLACEHOLDER v1.0]
The precise legal entity name, registered address, and signing authority will be confirmed before this DPA is finalized.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR and the Data Protection Act 2018, and the underlying Terms of Service between the parties (the "Agreement"). "Data Protection Laws" means all such laws applicable to the processing under this DPA. The full list of named laws will be confirmed with counsel before publication.
2. Subject matter and duration
The subject matter of the processing is SGEN's provision of the platform under the Agreement. The processing continues for the duration of the Customer's subscription and any post-termination wind-down period, after which the return or deletion clause below applies. The wind-down period interacts with the backups retention window described in the return or deletion clause.
3. Nature and purpose of processing
SGEN processes personal data only to provide and support the platform. The processing operations include:
- Hosting and serving the Customer's site(s), and storing and backing up site content and the personal data submitted to those sites.
- Form submissions: receiving, storing, and making available to the Customer the personal data that the Customer's site visitors submit through native form modules. SGEN does not determine the purpose of those forms; the Customer does.
- First-party analytics: generating privacy-focused, first-party usage analytics in the dashboard, without a third-party tracking tag by default.
- Consent processing: displaying the consent banner, gating tracking scripts on the visitor's decision, and recording each decision in a per-session, read-only consent log.
- Payments facilitation: passing checkout and billing data to the Customer's connected payment processor. SGEN facilitates payments; Stripe and PayPal are the payment processors and act under their own terms (see the sub-processors clause and Annex B).
SGEN does not sell personal data and does not process it for SGEN's own independent purposes outside the Agreement. This statement will be confirmed against actual product analytics and marketing practice before it is asserted in the final document.
4. Types of personal data and categories of data subjects
The categories of personal data and data subjects are set out in Annex A. In summary, SGEN processes:
- Customer-account data: the names, emails, and credentials of the Customer's personnel, and the roles assigned to them via role-based access control.
- Site-visitor data: personal data that the Customer's visitors submit or generate, including form-submission contents, first-party analytics and usage data, and consent records. The Customer controls what its forms ask for.
- Payment-related data: order and billing metadata handled to facilitate checkout. Primary card data is handled by Stripe and PayPal and is not stored in the clear by SGEN.
SGEN does not intend to process special categories of personal data (GDPR Article 9). Because the Customer controls its own form fields, it must not submit special-category data through standard forms without a lawful basis and without instructing SGEN accordingly.
5. Processing instructions
SGEN processes personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to act by law (in which case SGEN informs the Customer first, where legally permitted). The Customer's instructions are constituted by the Agreement, this DPA, and the Customer's configuration and use of the platform, for example the forms it builds, the analytics it enables, the consent rules it sets, and the payment processor it connects.
If SGEN believes an instruction infringes Data Protection Laws, it will inform the Customer.
6. Sub-processors
The Customer provides general authorization for SGEN to engage sub-processors to deliver the platform (hosting and infrastructure, CDN, and payment processors), subject to this clause. SGEN will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for its sub-processors' performance.
SGEN will give the Customer prior notice of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds. The notice period and notice channel will be confirmed before publication: [PLACEHOLDER 30 days' notice via the sub-processor page].
The confirmed first-party payment integrations are Stripe and PayPal. The complete current list, including the hosting, infrastructure, and CDN providers behind the Foundation Pack, is maintained in Annex B and on the sub-processor page. The infrastructure vendor names in Annex B are placeholders and will be replaced with the real, current list before publication; a partial list will not be published as if it were exhaustive.
7. Security measures
SGEN implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, consistent with GDPR Article 32. The baseline measures are the native measures that run on every site, including the free Sandbox tier:
- Foundation Pack on every plan: managed hosting, SSL/TLS in transit, a global CDN, a Web Application Firewall in front of every site, and platform-level security patching.
- Access control: role-based access control via Users and Roles, so Customer personnel see only what their role permits.
- Auditability: the per-session consent log is read-only. Each decision is recorded with timestamp, page, and accept or decline outcome and cannot be edited, which is what makes it an audit artifact.
Encryption at rest, backup encryption, key management, pseudonymization, the vulnerability-management cadence, and personnel-confidentiality commitments will be completed in Annex C with the real, current measures before publication. SGEN will not assert measures it does not in fact have.
SOC 2 and ISO are in progress. SGEN does not claim certification and does not display a SOC 2 or ISO badge. Personnel are bound by confidentiality.
8. Assistance with data-subject rights
Taking into account the nature of the processing, SGEN will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to data-subject requests to exercise rights of access, rectification, erasure, restriction, portability, and objection (GDPR Articles 12 to 23).
In practice, the Customer can action many requests directly: form-submission records, analytics data, and consent records tied to a data subject are accessible through the dashboard, and the Customer can export or delete them. Where the Customer needs SGEN's help to locate or extract data it cannot reach itself, SGEN will assist. The response timeline for SGEN's assistance will be confirmed before publication: [PLACEHOLDER within 10 business days].
9. Personal data breach notification
SGEN will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide the information the Customer reasonably needs to meet its own breach-notification obligations. Under GDPR Article 33, the controller is generally required to notify its supervisory authority within 72 hours of becoming aware.
The exact processor-to-controller notification window, the notice channel, and the minimum content of a breach notice will be confirmed before publication: [PLACEHOLDER without undue delay and in any event within 48 hours of becoming aware].
10. Audit and demonstration of compliance
SGEN will make available to the Customer the information reasonably necessary to demonstrate compliance with GDPR Article 28 and this DPA. The mechanism for satisfying audit rights, for example providing the SOC 2 report once obtained, completing a security questionnaire, or permitting an on-site audit on reasonable notice and at the Customer's cost (no more than once per year except where required by a supervisory authority), will be finalized with counsel. The scope, frequency, cost-bearing, and confidentiality terms will be specified.
11. Return or deletion of data on termination
On expiry or termination of the Agreement, SGEN will, at the Customer's choice, return or delete all personal data processed on the Customer's behalf, and delete existing copies, unless retention is required by law.
Residual copies persist in backups until they age out of the backups retention window (on-demand backups with retention). The backup-retention window that governs when residual copies are purged will be confirmed before publication: [PLACEHOLDER backups retained 30 days].
12. International transfers, liability, and governing law
International transfers. Where SGEN transfers the Customer's personal data outside the EEA or the UK, it will rely on an approved transfer mechanism: for EEA data, the EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914); for UK data, the UK International Data Transfer Addendum (IDTA). SGEN will implement any supplementary measures required. Whether the SCCs or the UK Addendum are required, and which module applies, depends on the location of SGEN's hosting infrastructure and sub-processors, which will be confirmed before publication.
EU/UK representative and DPO. SGEN's EU representative (GDPR Article 27), UK representative, and Data Protection Officer or privacy contact, if applicable, will be named before publication: [PLACEHOLDER privacy contact; EU representative to be confirmed].
Liability. The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Agreement. The liability cap figure or formula will be inserted and confirmed to align with the Terms of Service cap: [PLACEHOLDER aggregate liability capped at fees paid in the prior 12 months].
Governing law and jurisdiction. The governing law and the courts of exclusive jurisdiction for this DPA, aligned with the Terms of Service, will be confirmed before publication: [PLACEHOLDER State of Delaware, USA].
Conflict and precedence. In the event of conflict between this DPA and the Agreement, this DPA prevails on data-protection matters.
Annex A: Details of processing
- Subject matter: provision of the SGEN website platform under the Agreement.
- Duration: term of the subscription, plus the wind-down period, plus the backups retention tail.
- Nature and purpose: hosting and serving sites; storing and backing up content and visitor data; receiving and storing form submissions; generating first-party analytics; processing consent decisions; facilitating payments to Stripe and PayPal.
- Categories of personal data: Customer-account data; site-visitor form-submission contents; first-party usage and analytics data; consent records; payment and order metadata.
- Special-category data: none intended. The Customer must not submit Article 9 data without a lawful basis and instruction.
- Categories of data subjects: the Customer's personnel and users; the Customer's site visitors and end-customers; for agencies, the agency's clients' personnel and visitors.
- Frequency: continuous, for the term.
Annex B: Sub-processors
The entire list below will be replaced with the real, current set before publication. The payment processors are confirmed; the infrastructure rows are placeholders. The live version is maintained on the sub-processor page linked from this DPA.
- Stripe: payment processing and facilitation. Confirmed first-party integration. Location: [PLACEHOLDER].
- PayPal: payment processing and facilitation. Confirmed first-party integration. Location: [PLACEHOLDER].
- [PLACEHOLDER hosting / infrastructure provider]: managed hosting and storage (Foundation Pack). To be confirmed.
- [PLACEHOLDER CDN / WAF provider]: CDN and Web Application Firewall (Foundation Pack). To be confirmed.
- [PLACEHOLDER email / transactional / support providers, if any]: notifications and support. To be confirmed.
Annex C: Technical and organizational measures
The baseline measures below are confirmed from the product. The remainder will be completed with real measures only before publication.
- Network and application security: WAF in front of every site; CDN; SSL/TLS in transit; platform-level security patching (Foundation Pack, every plan including Sandbox).
- Access control: role-based access control via Users and Roles.
- Auditability: read-only, per-session consent log (timestamp, page, outcome).
- To be completed: encryption at rest, backup encryption, key management, pseudonymization, logging and monitoring, vulnerability management, incident response, personnel screening and confidentiality, secure-development practices, and business-continuity and disaster recovery.
Questions and related documents
For questions about this DPA or to request a counter-signed copy, contact our team. The current sub-processor list and security posture are maintained on the Trust Center.
Related legal documents

