SFADDON

Data Processing Addendum

Last updated: May 2026 · SFADDON India LLP

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and SFADDON India LLP, Pune, Maharashtra, India ("Data Processor", "SFADDON"), and forms part of the SFADDON Terms of Service.

This DPA applies to all personal data processed by SFADDON on behalf of the Customer in connection with the provision of SFADDON services.

2. Nature and Purpose of Processing

SFADDON processes personal data solely to provide SFADDON services for the Customer's SAP SuccessFactors tenant. Processing activities include authenticating users and managing account sessions; storing and displaying service data, results, and summaries; delivering scheduled reports and notifications; and maintaining an audit trail of user actions.

SFADDON retains only the data its functionality requires; source data not required for the service is processed in memory and discarded after evaluation.

3. Categories of Personal Data

SFADDON processes the following as Data Processor: account data (name, work email, hashed password, MFA config, role); connection credentials (SF instance URL and API credentials, stored AES-256-GCM encrypted); service data (the records, results, and summaries the product requires to operate); and usage data (login timestamps, page visits, audit entries).

SFADDON does not process employee national IDs, compensation data, performance ratings, medical information, or other special category data from the Customer's SAP SuccessFactors tenant beyond what the service strictly requires.

4. Data Controller Obligations

The Customer warrants it has a valid legal basis for processing the personal data provided; has authority to connect its SAP SuccessFactors tenant to SFADDON; will notify SFADDON of changes to its processing requirements; and will ensure data subjects have been informed in accordance with applicable law.

5. Data Processor Obligations

SFADDON commits to: process personal data only on documented instructions; bind all personnel with access to confidentiality obligations; implement the security measures described in §7; assist the Controller in responding to data subject rights requests; make compliance information available; and delete or return all personal data within 30 days of termination.

6. Sub-processors

The Customer provides general authorisation for SFADDON to engage the following sub-processors. SFADDON will notify the Customer of any change with at least 30 days' advance notice. For the full list see the full subprocessors list.

| Sub-processor | Location | Service |
| --- | --- | --- |
| Vercel Inc. | USA | Application hosting, serverless execution |
| Neon Technologies Inc. | USA | PostgreSQL database |
| Upstash Inc. | USA / EU | Redis caching, rate limiting |
| Resend Inc. | USA | Transactional email delivery |
| Anthropic PBC | USA | AI-powered analysis (anonymised data only) |

7. Technical and Organisational Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: AES-256-GCM for all stored data and credentials
  • Authentication: JWT dual-token auth; httpOnly secure cookies; TOTP MFA enforced for all accounts
  • Access control: RBAC with principle of least privilege; CSRF protection on all mutating endpoints
  • Audit logging: Immutable audit trail of all administrative and data-access actions
  • Multi-tenant isolation: Tenant boundaries enforced at every API endpoint and database query

8. Data Breach Notification

In the event of a personal data breach, SFADDON will notify the affected Customer within 72 hours of becoming aware, providing the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

9. Data Transfers

Where personal data is transferred outside the EEA, SFADDON relies on EU Standard Contractual Clauses, adequacy decisions, or the sub-processor's own recognised framework certifications.

10. Retention and Deletion

Personal data is retained for the duration of the active subscription and the retention period specified in the Customer's plan. Upon termination, all personal data is permanently deleted within 30 days unless the Customer requests an export prior to deletion.

11. Contact

For DPA-related queries: SFADDON India LLP · Pune, Maharashtra, India · privacy@sfaddon.com