Data Processing Agreement
Last updated: May 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SiliconIslands AB ("Processor", "PlaceProfile") and you ("Controller", "Customer") for the PlaceProfile service.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1)
- Processing: Any operation performed on Personal Data, as defined in GDPR Article 4(2)
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller
2. Roles and Responsibilities
The Customer is the Data Controller for venue data submitted to PlaceProfile. SiliconIslands AB acts as Data Processor, processing data only on the Customer's documented instructions and for the purpose of providing the Service.
3. Scope of Processing
Data subjects: Venue owners and authorized account users
Categories of data: Account information, venue details, playlist metadata, bot visit analytics
Purpose: Providing the PlaceProfile service, creating and hosting AI-readable venue profiles
Duration: For the duration of the service agreement plus the data retention period specified in our Privacy Policy
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (GDPR Article 32)
- Assist the Controller in responding to data subject rights requests
- Notify the Controller of any Personal Data breach without undue delay, and no later than 72 hours after becoming aware
- Delete or return all Personal Data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The Processor may engage sub-processors with the Controller's general authorization. Current sub-processors:
- Hetzner Online GmbH: Hosting and infrastructure (Germany, EU; data stays within the EEA)
- Cloudflare, Inc.: CDN and DDoS protection (global, EU SCCs in place)
- Stripe, Inc.: Payment processing (USA, EU SCCs in place)
- Mailgun (Sinch): Transactional email delivery (USA, EU SCCs in place)
The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance, providing the Controller an opportunity to object.
6. International Transfers
Data is primarily stored and processed within the EU/EEA. Where transfer outside the EEA is necessary, the Processor ensures appropriate safeguards through EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
7. Security Measures
The Processor implements and maintains:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls and authentication mechanisms
- Regular security reviews and updates
- IP address hashing (SHA-256); raw IP addresses are never stored
- Incident detection and response procedures
8. Data Subject Rights
The Processor will assist the Controller in fulfilling obligations to respond to data subject requests for access, rectification, erasure, portability, restriction, and objection, as required by GDPR Articles 15-22.
9. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law.
10. Governing Law
This DPA is governed by the laws of Sweden and subject to the jurisdiction of Swedish courts.
11. Contact
SiliconIslands AB
Tjörn (near Gothenburg), Sweden
Email: [email protected]