# Data Processing Addendum (DPA) — Template

**Version:** April 2026
**Controller:** ______________________________ (the "Customer")
**Processor:** DynaNet Online Support Inc., trading as SuperRecall.ai ("SuperRecall")
**Master agreement:** SuperRecall.ai Terms of Service (https://superrecall.ai/terms)

This Data Processing Addendum ("DPA") forms part of the Master Agreement
between Customer and SuperRecall and applies to SuperRecall's processing of
Customer Personal Data on behalf of Customer in connection with the Services.
Capitalised terms used but not defined in this DPA have the meanings given to
them in the Master Agreement, the EU General Data Protection Regulation
(2016/679) ("GDPR"), the UK GDPR, or the California Consumer Privacy Act
("CCPA"), as applicable.

---

## 1. Roles of the parties

1.1 With respect to Customer Personal Data, Customer is the Controller and
SuperRecall is the Processor.

1.2 Each party will comply with the obligations applicable to it under
applicable Data Protection Laws.

## 2. Scope and purpose of processing

2.1 **Subject matter:** Provision of the SuperRecall.ai compliance and recall
monitoring SaaS platform.

2.2 **Duration:** The term of the Master Agreement, plus any post-termination
retention period required by the Master Agreement or applicable law.

2.3 **Nature and purpose:** Hosting, processing, transmitting, monitoring,
matching, classifying, alerting, reporting on, and storing Customer Personal
Data to deliver the Services.

2.4 **Categories of data subjects:** Customer's authorised users, customer
contacts, vendor and supplier contacts, and any other individuals whose
personal data Customer chooses to upload to the Services.

2.5 **Categories of personal data:** Names, business email addresses,
business phone numbers, job titles, employer, IP addresses, authentication
identifiers, audit log entries, and any other personal data Customer chooses
to submit to the Services.

2.6 **Special category data:** SuperRecall does not require special category
data to deliver the Services. Customer agrees not to submit special category
data unless expressly agreed in writing.

## 3. SuperRecall obligations

SuperRecall will:

a) process Customer Personal Data only on documented instructions from
Customer, including the Master Agreement, this DPA, and Customer's use of
the Services;

b) ensure persons authorised to process Customer Personal Data are bound by
appropriate confidentiality obligations;

c) implement and maintain the technical and organisational measures
described in **Annex A**;

d) assist Customer, taking into account the nature of the processing, in
fulfilling its obligations to respond to data-subject rights requests and
to conduct data-protection impact assessments and prior consultations;

e) notify Customer without undue delay, and in any event within 72 hours,
after becoming aware of a Personal Data Breach affecting Customer Personal
Data;

f) at Customer's choice, delete or return all Customer Personal Data after
the end of the provision of Services and delete existing copies, unless
applicable law requires storage; and

g) make available to Customer the information necessary to demonstrate
compliance with this DPA and allow for and contribute to audits, including
inspections, conducted by Customer or another auditor mandated by Customer.

## 4. Subprocessors

4.1 Customer provides general authorisation for SuperRecall to engage the
subprocessors listed at https://superrecall.ai/subprocessors, as updated
from time to time.

4.2 SuperRecall will impose data-protection obligations on each subprocessor
that are no less protective than those in this DPA.

4.3 SuperRecall will give Customer at least 30 days' prior notice of the
addition or replacement of a subprocessor by updating the subprocessors
page. Customer may object to a new subprocessor on reasonable
data-protection grounds within that 30-day window.

## 5. International data transfers

5.1 Where SuperRecall transfers Customer Personal Data originating in the
European Economic Area, the United Kingdom, or Switzerland to a country
that has not received an adequacy decision, the parties will rely on the
European Commission's Standard Contractual Clauses ("SCCs") (Module Two:
Controller-to-Processor) and the UK International Data Transfer Addendum,
which are deemed incorporated into this DPA by reference.

5.2 SuperRecall maintains a transfer-impact assessment for each transfer
mechanism and will provide a copy on Customer's reasonable request.

## 6. CCPA addendum

6.1 SuperRecall is a "Service Provider" under the CCPA and will not:
(a) sell or share Customer Personal Data; (b) retain, use, or disclose
Customer Personal Data outside the direct business relationship between
the parties; or (c) combine Customer Personal Data with personal
information SuperRecall receives from other sources, except as permitted
by the CCPA for a Service Provider.

## 7. Audits

7.1 Once per twelve-month period, Customer may, on reasonable prior notice
and during normal business hours, audit SuperRecall's compliance with this
DPA. Audits will be conducted in a manner that does not unreasonably
interfere with SuperRecall's operations.

7.2 SuperRecall may satisfy its audit obligations by providing the most
recent third-party audit report (e.g. SOC 2 Type II) and a completed
security questionnaire.

## 8. Liability

The liability of each party under this DPA is subject to the limitations
of liability set out in the Master Agreement.

## 9. Order of precedence

In the event of a conflict between this DPA and the Master Agreement with
respect to the processing of Customer Personal Data, this DPA controls.

---

## Annex A — Technical and Organisational Measures

- AES-256 encryption at rest; TLS 1.3 in transit
- Role-based access control with least-privilege defaults
- Single sign-on (SAML / OIDC) with mandatory multi-factor authentication for
  privileged accounts
- Tamper-evident audit logging with seven-year retention
- Annual third-party penetration testing
- Continuous infrastructure monitoring and intrusion detection
- Vendor security reviews for all subprocessors
- Documented incident response plan with 72-hour breach notification
- Annual security and privacy training for all personnel

## Annex B — Subprocessors

The current list of subprocessors is published at
https://superrecall.ai/subprocessors and is updated when new subprocessors
are added or replaced.

---

## Signatures

**Customer**

Signed: ______________________________
Name: ______________________________
Title: ______________________________
Date: ______________________________

**SuperRecall (DynaNet Online Support Inc.)**

Signed: ______________________________
Name: Kiral Desai
Title: Founder & CEO
Date: ______________________________

---

*This document is provided as a template for procurement and legal review.
For an executed DPA on SuperRecall letterhead, contact privacy@superrecall.ai.*