This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") between the Customer ("Customer") and Segern, LLC, a Texas company located at 12600 Hill Country Boulevard, Ste R-130 #5033, Austin, TX 78738 ("Segern"). All capitalized terms not defined herein have the meanings set forth in the Agreement or Privacy Policy.
By using Segern’s Services, the Customer enters into this DPA on behalf of itself and, if required by law, its Affiliates. All business customers may opt into this DPA at any time, regardless of whether they are legally required to do so. To opt in, follow the instructions at Data Processing Addendum or contact [email protected]
1. Definitions
- Affiliate: Any entity directly or indirectly controlling, controlled by, or under common control with a party (so long as such control exists).
- Authorized Subprocessor: A third party that (a) needs access to Personal Data to assist Segern in providing the Services under the Agreement, and (b) is either listed in Exhibit B or subsequently appointed in accordance with Section 3.
- Customer Account Data: Personal data relating to Customer’s relationship with Segern (e.g., business contact/billing info, authorized-user information, account admin data).
- Customer Usage Data: Service usage/analytics data (e.g., logs, activity, error reports) collected and processed for service maintenance, improvement, system abuse/fraud, and security.
- Data Exporter: Customer.
- Data Importer: Segern.
- Data Protection Laws: All applicable laws relating to the processing of Personal Data, including without limitation the GDPR, UK GDPR, the Swiss Federal Data Protection Act, CCPA/CPRA, and any successors or amendments. Terms such as Data Subject, Personal Data, Personal Data Breach, processing, controller, processor, and supervisory authority have the meanings given in the GDPR.
- EU SCCs: Standard Contractual Clauses approved by European Commission Decision 2021/914 for personal data transfers to non-adequate countries.
- UK Addendum: The UK International Data Transfer Addendum to the EU SCCs issued by the UK ICO, as amended.
- Services: As defined in the Agreement and Privacy Policy.
2. Roles and Processing
2.1 Roles of the Parties. Customer acts as Controller (or Processor for its clients), and Segern acts as Processor (or Sub-processor) except where Segern processes Customer Account Data and Customer Usage Data as an independent data Controller.
2.2 Processing Purpose and Instructions. Segern processes Personal Data solely to provide the Services, on Customer’s documented instructions, or as required by applicable law.
2.3 Restrictions on Special Categories of Data. Customer must not provide Segern with special categories of Personal Data (as defined in the GDPR) or other sensitive data unless agreed in writing in advance. If Customer anticipates such processing, Customer must notify Segern and implement additional safeguards as required by law. Segern may suspend processing or terminate the Services if Customer provides such data without written agreement.
2.4 Customer Legal Basis and Responsibility. Customer is responsible for establishing a lawful basis for processing and for ensuring that its own customers and Data Subjects are informed and—where required—have provided valid consent.
2.5 Return or Deletion of Personal Data. Upon termination of the Services or thirty (30) days after account closure, Segern will delete or return Customer Personal Data, except where continued storage is required by applicable law. If deletion/return is not feasible, Segern will block further processing and—upon request—certify deletion.
2.6 CCPA/CPRA Compliance. Segern acts as Service Provider for Customer Personal Data under the CCPA/CPRA, will not sell or share such data, and certifies it will retain/use/disclose Personal Data only to provide the Services or as required by law.
3. Sub-processors
3.1 General Authorization. Customer authorizes Segern to use the sub-processors listed in Exhibit B and to appoint additional sub-processors as reasonably needed to deliver the Services.
3.2 Notification and Objection Rights. Segern will provide at least thirty (30) days’ notice via email or website of any intended addition or replacement of a sub-processor. Customer may object within 30 days, in writing, on reasonable data protection grounds. If the objection cannot be resolved, the Customer may discontinue the affected Services.
3.3 Sub-processor Liability. Segern ensures that all sub-processors are contractually bound to data protection obligations equivalent to those in this DPA and remains liable to Customer for their performance. Upon request, and when reasonably required (e.g., on suspected breach or regulator request), Segern will audit sub-processor compliance and share summary audit results with Customer, subject to commercial confidentiality.
3.4 Access to Sub-processor Agreements. Copies of relevant data protection terms are available to Customer upon request, with commercially sensitive information redacted.
3.5 Up-to-Date List of Sub-processors. The current list of authorized sub-processors is always available at Sub-processors list.
4. Security
4.1 Technical and Organisational Measures. Segern implements the safeguards described in Exhibit C, including, but not limited to, encryption, access controls, logging, regular vulnerability scanning and penetration testing, backup/disaster recovery, incident response, secure deletion protocols, security training, and vendor vetting. See also Section 6 of our Privacy Policy.
4.2 Vendor Security Reliance. Where hosting, payments, analytics, or other key systems are provided by listed sub-processors, Segern relies on those vendors’ published and regularly audited security frameworks and certifications.
5. International Transfers
5.1 Data Transfers out of EEA, UK, Switzerland. Segern may transfer Personal Data internationally as needed to provide the Services. Where required for EEA/UK/CH transfers, the parties agree to apply the EU SCCs (appropriate Module) and, for the UK, the UK Addendum. Module Two (Controller → Processor) or Module Three (Processor → Processor) applies as context requires.
5.2 SCC/UK Addendum Specifics and Governing Law. By entering this DPA and/or by opting in as permitted above, the parties are deemed to execute the SCCs/UK Addendum as completed by reference in Exhibit B. For the SCCs, governing law and forum are the Data Exporter’s Member State (default: Irish law/courts). For other DPA disputes, Texas law applies. For Swiss transfers, references to the “EU” or “Member State” include Switzerland, and the competent authority is the Swiss FDPIC.
5.3 Supplementary Measures. As of the effective date, Segern has not received government requests for Customer Personal Data. Segern will promptly notify Customer of any such request unless legally prohibited and will not voluntarily disclose data.
6. Data Subject and Regulatory Requests
6.1 Data Subject Rights. If a Data Subject submits a request to Segern, Segern will promptly notify Customer. Customer is responsible for responding; Segern will assist as required by law and will not respond directly unless legally obliged or expressly authorized. For consumer or individual requests not associated with a business client, Segern will respond per its Privacy Policy.
6.2 Regulatory Consultation & DPIAs. Upon request, Segern will provide information and reasonable assistance for data protection impact assessments or supervisory authority consultations.
6.3 Data Localization & Regulatory Access. Where required by applicable law (e.g., outside US/EU/UK), Customer must notify Segern if data localization or unique regulator access is required. Such provisions will be addressed as an addendum to this DPA.
7. Audit Rights
7.1 Audit and Information Requests. Once per year (or more often if required by a Supervisory Authority), and subject to confidentiality, Segern will: (a) provide security documentation and relevant third-party audit reports; and (b) permit an on-site audit with reasonable notice and minimal disruption. Customer bears its own costs and must keep audit findings confidential.
8. Personal Data Breach
8.1 Notification. Segern will notify Customer without undue delay upon becoming aware of a Personal Data Breach involving Customer Data, providing known details and remediation steps, and will cooperate to mitigate effects.
9. Segern as Independent Controller
Segern processes Customer Account Data and Customer Usage Data as an independent controller for billing, communications, anti-fraud, improvement, legal, and compliance purposes. Segern may aggregate or de-identify such data for analytics or benchmarking but will not combine it in a manner that permits re-identification of Data Subjects.
10. Precedence, Liability, Indemnity & Force Majeure
10.1 Applicability of Exclusions and Limitations. Unless otherwise required by law, claims under this DPA are subject to the limitations in the Agreement.
10.2 Priority of Agreements. In case of conflict: (1) SCCs/UK Addendum; (2) this DPA; (3) the Agreement; (4) other contracts.
10.3 Limitation of Liability. In no event shall Segern (including Affiliates and sub-processors) be liable for indirect or consequential damages. Segern’s aggregate liability under this DPA shall not exceed the fees paid or payable by Customer under the Agreement in the twelve (12) months preceding the event. This cap does not apply to third-party regulatory fines or claims indemnified by Segern under this DPA.
10.4 Force Majeure. Neither party is liable for delays/failures caused by circumstances beyond reasonable control, provided reasonable efforts are taken to mitigate effects.
10.5 Customer Indemnity. Customer shall indemnify Segern for third-party claims/fines arising from:
- (a) Customer’s instructions,
- (b) breach of this DPA,
- (c) Customer’s noncompliance with data protection laws, or
- (d) data provided without a valid legal basis or provided in violation of the sensitive data prohibition in Section 2.3.
11. Governing Law
For SCC/UK Addendum enforcement, governing law and forum are the Data Exporter’s Member State. For all other DPA matters, Texas law and forum (as set in the Agreement) apply.
12. Term & Modification
This DPA is effective upon acceptance of the Agreement or formal opt-in, and remains in force as long as Segern processes Personal Data for Customer. Segern may amend this DPA as required by law, with notice to Customer; material changes require Customer acceptance unless mandated by law, or unless updates are necessary for compliance with mandatory Data Protection Laws, SCCs, or the UK Addendum. If a material change cannot be agreed, Customer may terminate the DPA and/or affected Services.
13. Contact
Questions regarding this DPA: [email protected] (subject: "Data Processing Addendum Request").
14. EU/UK Article 27 Representative
At this time, Segern has not designated an EU/UK Representative under Article 27, as our processing does not currently require one. We will update this Policy and provide contact information if our obligations change.
Because Segern lacks an establishment in the EEA or UK, it appoints the following representative for GDPR/UK GDPR Article 27 purposes:
Standard Contractual Clauses (SCCs) & UK Addendum
Where required for international transfer, the SCCs (appropriate Modules) and/or the UK Addendum are incorporated by reference. By entering this DPA (or opting in as described above), both parties are deemed to have executed them as so completed. Terms not defined herein have the meanings in the SCCs/UK Addendum.