Data Processing Agreement
Version 1.0.0 · Effective 2026-06-13. Previous versions are available on request from privacy@sidekick.mu.
This Data Processing Agreement (“DPA”) is entered into between Beyond Digital Ltd (“Processor”, “Sidekick”) and the Customer (“Controller”) who has accepted the Terms of Service. It forms part of, and is incorporated into, those Terms.
This DPA governs the processing of personal data uploaded by the Controller into the Service (“Customer Personal Data”) and is intended to satisfy Article 28 of the GDPR and section 25 of the Mauritius Data Protection Act 2017.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms, the GDPR or the Mauritius DPA, as applicable.
2. Scope & roles
- The Controller determines the purposes and means of processing Customer Personal Data.
- The Processor processes Customer Personal Data only on documented instructions from the Controller, which are the Terms, this DPA, and the configuration options exposed in the Service.
- The Processor will inform the Controller if, in its opinion, an instruction infringes data-protection law.
3. Subject matter, duration, nature, purpose
| Item | Description |
|---|---|
| Subject matter | Provision of a cloud CRM and invoicing platform. |
| Duration | For the term of the subscription and any post-termination period needed to return or delete Customer Personal Data. |
| Nature & purpose | Storing, transmitting, displaying and (where AI features are used) submitting prompts about Customer Personal Data to configured AI sub-processors, in order to provide the Service to the Controller. |
| Categories of data subjects | The Controller’s clients, prospects, suppliers, signatories and any other natural persons whose data the Controller chooses to upload. |
| Categories of personal data | Identification (name), contact (email, phone, address), business identifiers (BRN, VAT), commercial-relationship data (quotes, invoices, payments, signatures), free-text notes, and any attachments uploaded by the Controller. |
| Special categories | The Service is not intended for “special-category” data (health, religion, biometric). The Controller agrees not to upload such data except where strictly necessary and with a valid lawful basis under Art. 9 GDPR / s.29 DPA. |
4. Processor obligations
- Confidentiality. Personnel authorised to process Customer Personal Data are bound by written confidentiality obligations.
- Security. The Processor implements the technical and organisational measures described in Annex II.
- Sub-processors. The Controller authorises the sub-processors listed in Annex III. The Processor will give at least thirty (30) days’ notice (by email or in-app) before adding or replacing a sub-processor; the Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve, failing which the Controller may terminate.
- Assistance. Taking into account the nature of processing, the Processor will assist the Controller with: data-subject requests (Articles 12–22 GDPR), security (Art. 32), breach notification (Arts. 33–34), DPIAs (Art. 35) and prior consultation (Art. 36).
- Breach notification. The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a personal-data breach affecting Customer Personal Data.
- Return or deletion. Within thirty (30) days of the end of the subscription, at the Controller’s choice, the Processor will return or delete Customer Personal Data, except where retention is required by law.
- Audits. The Processor will make available all information necessary to demonstrate compliance with this DPA. The Controller may audit no more than once per twelve-month period on thirty (30) days’ notice, at the Controller’s cost, during business hours and without unreasonable disruption; SOC 2 / ISO 27001 reports (when available) may satisfy this obligation.
5. Controller obligations
- Establish and maintain a valid lawful basis for the processing carried out via the Service.
- Provide all required notices and obtain all required consents from data subjects.
- Not upload special-category data except as expressly authorised above.
- Respond to data-subject requests for which the Controller is responsible; the Processor will forward any request received directly.
6. International transfers
Where Customer Personal Data is transferred outside Mauritius or the EEA, the parties incorporate the relevant Standard Contractual Clauses (Decision (EU) 2021/914) by reference, with the Controller as data exporter and the Processor (and onward sub-processors as appropriate) as data importer. The Processor will, where required, obtain written authorisation from the Mauritius Data Protection Commissioner under s.36 DPA.
7. Liability
Each party’s liability arising from or related to this DPA is subject to the limitations and exclusions of liability in the Terms. Nothing in this DPA limits liability that cannot be limited by law.
8. Term & termination
This DPA enters into force on the Controller’s acceptance of the Terms and continues for the duration of the subscription and any post-termination period needed to complete the return or deletion of Customer Personal Data.
9. Governing law
Same as the Terms: the laws of the Republic of Mauritius, with the exclusive jurisdiction of the Courts of Mauritius.
Annex I — Details of processing
As set out in Section 3 above.
Annex II — Technical and organisational measures
- Access control. Bcrypt-hashed passwords, server-side session tokens, optional email verification, rate-limiting on authentication endpoints.
- Tenancy isolation. PostgreSQL Row-Level Security enforced on every tenant table; query bugs fail closed (zero rows) rather than leak across tenants.
- Encryption. TLS 1.2+ in transit. Database and object storage encrypted at rest by Google Cloud.
- Backups. Cloud SQL automated daily backups with point-in-time recovery.
- Logging. Application and authentication events are logged with sufficient detail to investigate incidents; logs are retained for ninety (90) days.
- Vulnerability management. Dependencies are tracked; security advisories are patched on a risk-prioritised basis.
- Personnel. Production access is limited to authorised engineers under written confidentiality obligations.
- Incident response. Documented procedure for triage, containment, eradication, recovery and notification within statutory deadlines.
- Disposal. On deletion, application records are removed within thirty (30) days; backups age out within thirty-five (35) days.
- Sub-processor due-diligence. Every sub-processor is bound by a written processing agreement and assessed for adequacy before use.
Annex III — Approved sub-processors
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Google Cloud EMEA Ltd | Hosting, database, storage | EU (Belgium) | EU SCCs; UK IDTA |
| Postmark (ActiveCampaign LLC) | Email delivery | USA | EU SCCs; DPF where applicable |
| Anthropic, PBC | AI (Free tier) | USA | EU SCCs; no training on submitted data |
| OpenAI, LLC | AI (Starter / Growth) | USA | EU SCCs; no training on submitted data |
Last updated: 2026-06-13. A signed PDF version is available on request from privacy@sidekick.mu.