This Data Processing Agreement ("DPA") forms part of the Terms of Service between Elite Tech Global, LLC ("SafeSheet," "we," "us," or "our") and the business customer that uses the Service ("Customer," "you," or "your"). It governs our processing of Personal Data on your behalf in connection with the Service. Where this DPA conflicts with the Terms of Service on the subject of data protection, this DPA controls.
1. Definitions
"Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings given in applicable data protection laws, including the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended by the CPRA ("CCPA"). "Applicable Data Protection Laws" means the privacy and data protection laws that apply to our processing of Personal Data under this DPA. "Customer Personal Data" means Personal Data that we process on your behalf as part of Your Data under the Terms of Service.
2. Roles of the Parties
For Customer Personal Data, you act as the Controller (or "business" under the CCPA) and we act as the Processor (or "service provider" under the CCPA), processing Customer Personal Data only on your documented instructions. Where you are yourself a processor acting on behalf of a third-party controller, you appoint us as your subprocessor and confirm you have the authority to do so.
3. Scope & Purpose of Processing
We process Customer Personal Data only to provide, maintain, and secure the Service as described in the Terms of Service and this DPA, and as further instructed by you through your use of the Service. The subject matter is the provision of SDS and chemical compliance software; the duration is the term of your subscription plus the retention period in Section 8; the nature and purpose are hosting, storing, and processing Your Data to deliver the Service.
Categories of Data Subjects: your authorized users (account owners, admins, managers, and viewers) and any individuals identified within data you upload.
Categories of Personal Data: account and contact details (name, email, organization, role) and any Personal Data you choose to include in chemical records, SDS documents, or other content. The Service is not designed for and should not be used to process special categories of Personal Data.
4. Our Obligations
We will:
- process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will notify you unless the law prohibits it);
- ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement and maintain the technical and organizational security measures described in Section 5;
- not "sell" or "share" Customer Personal Data (as those terms are defined under the CCPA), and not process it for any purpose other than performing the Service or as otherwise permitted by Applicable Data Protection Laws; and
- assist you, taking into account the nature of the processing, in meeting your obligations regarding data subject requests, security, breach notification, and data protection impact assessments.
5. Security Measures
We maintain technical and organizational measures appropriate to the risk, including: encryption of Customer Personal Data in transit (TLS); row-level security enforced at the database layer so that access is restricted to members of your organization; role-based access controls; authenticated access via Supabase Auth; private file storage with server-side validation of uploads; and audit logging. We review these measures periodically and may update them provided the level of protection is not materially reduced.
6. Subprocessors
You provide general authorization for us to engage the subprocessors listed below to process Customer Personal Data. Each subprocessor is bound by data protection obligations no less protective than those in this DPA, and we remain responsible for their performance.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, and file storage (on AWS infrastructure) | United States |
| Vercel | Application hosting, deployment, and analytics | United States |
| Lemon Squeezy | Payment processing and subscription management | United States |
| Resend | Transactional and lifecycle email delivery | United States |
We will give you reasonable prior notice of any intended addition or replacement of a subprocessor by updating this page and, on request, by email to the contact associated with your account. If you reasonably object to a new subprocessor on data protection grounds, you may notify us within 30 days; if we cannot address your objection, you may terminate the affected part of the Service.
7. Data Subject Rights & Breach Notification
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights. Much of this can be accomplished directly through the Service's access, export, and deletion features; for anything else, contact us at privacy@safesheet.app.
We will notify you without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your own notification obligations.
8. Return & Deletion of Data
You may export Your Data at any time through the Service. Following termination of your subscription, we will retain Customer Personal Data for 90 days to allow for export, after which it will be deleted, except where retention is required by law. Deletion of Safety Data Sheet records may be subject to recordkeeping expectations described in the Terms of Service.
9. International Transfers
Where our processing involves the transfer of Customer Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, such transfers are made pursuant to an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference where they apply.
10. Audits
On reasonable written request, and no more than once per year unless required by a supervisory authority or following a breach, we will make available information necessary to demonstrate compliance with this DPA. Where feasible, we will satisfy audit requests by providing documentation of our security measures and relevant third-party attestations rather than on-site access.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12. How to Execute This DPA
This DPA is incorporated into the Terms of Service and applies automatically to your use of the Service where Applicable Data Protection Laws require it. If your organization requires a counter-signed copy or has specific data protection requirements, contact us at privacy@safesheet.app.
13. Contact
Elite Tech Global, LLC
7533 S Center View Ct #5188, West Jordan, UT 84084
Email: privacy@safesheet.app